Infected with Virtumonde and probably others

9 replies to this topic

#1 Kevinnn (Members, 6 posts)

Posted 22 January 2009 - 12:48 AM

Hello, my name is Kevin and I'm desperately trying to clean my computer because I work from home on Fridays and I deal with personal and private info.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:32:32 PM, on 1/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PnkBstrA.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\ALCXMNTR.EXE
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Documents and Settings\Owner\Application Data\Google\djvlg2072387.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\NoAds\NoAds.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08AAF02D-3F90-2012-EAE1-31A67C2BCC9B} - C:\WINDOWS\System32\xiebtzok.dll (file missing)
O2 - BHO: (no name) - {3039A569-31F7-2055-A2AC-6443C06CF799} - C:\WINDOWS\System32\dkuch.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\System32\vcbheqwc.dll (file missing)
O2 - BHO: SDWin32 Class - {6BFF2B24-6607-46B6-A587-3A6032181917} - C:\WINDOWS\System32\sjeud.dll (file missing)
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {79F1F83A-1526-4ED7-AF09-DD5A311E14E4} - C:\Program Files\CSBB\CSBB.dll (file missing)
O2 - BHO: SDWin32 Class - {8178D3EC-9606-462D-BB3F-58E4D756BACD} - C:\WINDOWS\System32\vupzf.dll (file missing)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll (file missing)
O2 - BHO: (no name) - {A9C1428F-1D7A-4B10-920B-A779C5D6294D} - C:\WINDOWS\system32\vtUmNEwT.dll (file missing)
O2 - BHO: targetedbanner browser enhancer - {B76A1A77-F4A6-F3A9-324C-2B8E93233A8A} - C:\WINDOWS\system32\ruascsyetyw.dll (file missing)
O2 - BHO: (no name) - {BBB7A5C7-353D-4716-B861-01464F25BC58} - C:\WINDOWS\system32\byXNhfCu.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O2 - BHO: (no name) - {C1ADAD39-6BDE-5B5B-8F2F-3FE679F10894} - C:\WINDOWS\System32\hjapv.dll (file missing)
O2 - BHO: (no name) - {C1ADAD48-6BD8-282C-8F29-3CE6048F0892} - C:\WINDOWS\System32\hjapv.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: AD Rotator - {EEC590D8-0A3C-4464-BB20-25A4747992F9} - C:\WINDOWS\System32\adrotate.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll (file missing)
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdtl.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [Yantert] C:\WINDOWS\bruzmoh.exe
O4 - HKLM\..\Run: [wmv] C:\WINDOWS\System32\winmonv.exe
O4 - HKLM\..\Run: [caslc.exe] C:\WINDOWS\System32\caslc.exe
O4 - HKLM\..\Run: [iisver] C:\WINDOWS\System32\iisver.exe
O4 - HKLM\..\Run: [bzevatu] c:\windows\system32\rwupai.exe
O4 - HKLM\..\Run: [spoolsvc] C:\WINDOWS\System32\spoolsvc.exe
O4 - HKLM\..\Run: [rylvsnx] C:\WINDOWS\rylvsnx.exe
O4 - HKLM\..\Run: [iissrv] C:\WINDOWS\iissrv.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [tgphfa] C:\WINDOWS\System32\ugbcbs.exe r
O4 - HKLM\..\Run: [Default] "C:\WINDOWS\System32\regapi.exe" unknown
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [hcsystray] C:\Program Files\Kuma Games\hcsystray\hc_tray.exe
O4 - HKLM\..\Run: [wxypwub] C:\WINDOWS\wxypwub.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Chckup] C:\WINDOWS\System32\Netverchk.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [realtekg] "C:\Documents and Settings\Owner\Application Data\Google\djvlg2072387.exe" 2
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [caslc.exe] C:\WINDOWS\System32\caslc.exe
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [CMMan] "C:\Program Files\CMMan\CMMan.exe"
O4 - HKCU\..\Run: [Notn] "C:\DOCUME~1\Owner\APPLIC~1\YSTEM~1\notepad.exe" -vt ndrv
O4 - HKCU\..\Run: [Mtr] C:\Program Files\?ssembly\?canregw.exe
O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Jduw] "C:\Program Files\Common Files\F?nts\?poolsv.exe"
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Kwpd] C:\WINDOWS\system32\F?nts\w?nlogon.exe
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Spark] C:\Program Files\Spark\Spark.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [GetModule33] "C:\Program Files\GetModule\GetModule33.exe"
O4 - S-1-5-18 Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - .DEFAULT User Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: America Online Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169704346687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169704336312
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} - http://64.34.171.38/webnetcounterss/PopupSh.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll jitvqx.dll
O20 - Winlogon Notify: byXNgdef - byXNgdef.dll (file missing)
O20 - Winlogon Notify: spoolsvc - spoolsvc.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MainSafe Service (MSFIE) - Unknown owner - C:\WINDOWS\System32\mainsafe.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\System32\PnkBstrA.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rqzoypo.exe (file missing)

--
End of file - 14791 bytes

I hope y'all can help.
Thanks.
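A triage pass over HijackThis lines of the kind in the log above, added here as an example for this thread (it is not a BleepingComputer or HijackThis tool): it parses the F2/O2/O4/O20/O23 entry formats and flags the patterns a helper looks at first, namely orphaned "(file missing)" leftovers, lookalike folder names that HijackThis renders with "?", autoruns launched from the user profile, a second executable chained onto the Shell= value, and AppInit_DLLs. The sample lines are constructed from the same formats as the posted log.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample in HijackThis v2 log format: a few of the entry
# kinds that appear in the thread (not the poster's full log).
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {08AAF02D-3F90-2012-EAE1-31A67C2BCC9B} - C:\WINDOWS\System32\xiebtzok.dll (file missing)
O4 - HKLM\..\Run: [realtekg] "C:\Documents and Settings\Owner\Application Data\Google\djvlg2072387.exe" 2
O4 - HKCU\..\Run: [Kwpd] C:\WINDOWS\system32\F?nts\w?nlogon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: avgrsstx.dll jitvqx.dll
O20 - Winlogon Notify: spoolsvc - spoolsvc.dll (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\rqzoypo.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")          # "O4 - ..." section prefix
O4_VALUE_RE = re.compile(r"^\[([^\]]+)\]\s*(.*)$")     # "[name] command"
EXE_FIRST_RE = re.compile(r"^(.*?\.exe)(?:\s|$)", re.IGNORECASE)
EXE_ALL_RE = re.compile(r"\S+\.exe", re.IGNORECASE)
MISSING = "(file missing)"


class Entry(NamedTuple):
    section: str   # HijackThis section code: F2, O2, O4, O20, O23, ...
    kind: str      # text before the first ": " (Run key, BHO, Service, ...)
    name: str      # value name, BHO name + CLSID, service name, ...
    path: str      # the file or command the entry points at
    missing: bool  # HijackThis could not find the referenced file


def exe_path(value: str) -> str:
    """Return just the executable from a Run value, dropping quotes and arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = EXE_FIRST_RE.match(value)
    return m.group(1) if m else value


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one HijackThis line; returns None for lines that are not entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    kind, _, rest = body.partition(": ")
    if section == "O4":
        m4 = O4_VALUE_RE.match(rest)
        name, path = (m4.group(1), m4.group(2)) if m4 else ("", rest)
    elif section == "F2":
        name, _, path = rest.partition("=")          # Shell=Explorer.exe ...
    elif " - " in rest:
        name, path = rest.rsplit(" - ", 1)           # "name - {CLSID} - path"
    else:
        name, path = "", rest
    return Entry(section, kind, name.strip(), path.strip(), missing)


def triage(log_text: str) -> List[Tuple[Entry, List[str]]]:
    """Flag entries a helper would review first. Heuristics, not verdicts."""
    findings = []
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        reasons = []
        low = e.path.lower()
        if e.missing:
            reasons.append("orphan: registry entry survives but its file is gone")
        if "?" in e.path:
            reasons.append("lookalike folder: non-ASCII character (shown as '?') "
                           "in a path that imitates a system name")
        if e.section == "O4" and ("\\documents and settings\\" in low
                                  or "\\application data\\" in low):
            reasons.append("autorun launched from a user profile directory")
        if e.section == "F2" and e.name == "Shell" and len(EXE_ALL_RE.findall(e.path)) > 1:
            reasons.append("second executable chained onto the Shell= value")
        if e.section == "O20" and e.kind == "AppInit_DLLs":
            reasons.append("AppInit_DLLs load into every process that uses user32.dll; verify each")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(f"{entry.section} [{entry.name}] {exe_path(entry.path)}")
        for r in why:
            print("    -", r)
```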

#2 Kevinnn (Topic Starter)

Posted 22 January 2009 - 12:58 AM

By the way, I have Ad-Aware and AVG Free Edition. I keep running them daily, but I keep getting things saying that I have some Win32 thing. I dunno if that helps.

#3 miekiemoes (Malware Response Team, 19,420 posts, Belgium)

Posted 22 January 2009 - 02:57 AM

Hi,

The first thing I could say is wow... really wow.
This is because I see malware-related leftovers in your log from more than 3 years old (even older).
This only means that your antispyware scanners are way outdated, because they should also delete the registry leftovers.
But, on the other side, I see you have Ad-Aware with Ad-Watch enabled. Ad-Watch may put all these malicious entries back. This is because it doesn't know the difference between good and bad and blocks every registry modification.

In any case, I suggest you temporarily uninstall Ad-Aware first, to make sure it doesn't interfere with the fixes.
Reboot after uninstalling.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

#4 Kevinnn (Topic Starter)

Posted 22 January 2009 - 08:47 PM

Hey, sorry I took so long to reply; I had to work all day. Here's the ComboFix log.
Thanks!!!

ComboFix 09-01-21.02 - Owner 2009-01-22 7:16:20.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1512 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Mom\Application Data\{2CF0B992-5EEB-4143-99C0-5297EF71F444}
c:\documents and settings\Owner\Application Data\Google\djvlg2072387.exe
c:\documents and settings\Owner\Application Data\ICROSO~1
c:\documents and settings\Owner\Application Data\PPPATC~1
c:\documents and settings\Owner\Application Data\SKS~1
c:\documents and settings\Owner\Application Data\YSTEM~1
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0000
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0001
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0002
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0003
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0004
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0005
c:\documents and settings\Owner\Application Data\YSTEM~1\YSTEM~1\ctxad-552.0006
c:\documents and settings\Owner\Favorites\.url
c:\documents and settings\Owner\Start Menu\Programs\Outerinfo
c:\documents and settings\Owner\Start Menu\Programs\Outerinfo\Terms.lnk
c:\documents and settings\Owner\Start Menu\Programs\Outerinfo\Uninstall.lnk
c:\program files\cmapp
c:\program files\cmapp\Client\hf.txt
c:\program files\cmapp\Client\rf.txt
c:\program files\cmapp\Client\sf.txt
c:\program files\cmapp\Client\Uninstall.exe
c:\program files\Common Files\appatc~1
c:\program files\Common Files\sstem~1
c:\program files\Common Files\WinSoftware
c:\program files\CSBB
c:\program files\GetModule
c:\program files\iCheck
c:\program files\iCheck\Uninstall.exe
c:\windows\asembl~1
c:\windows\bundles
c:\windows\bundles\activeshopper.exe
c:\windows\bundles\AdSmartMedia_bundle.exe
c:\windows\bundles\adv0ltc0m.exe
c:\windows\bundles\ast_5_adsav.exe
c:\windows\bundles\b2s-162813.exe
c:\windows\bundles\Beryllium.exe
c:\windows\bundles\bs5-goodyr1.exe
c:\windows\bundles\bs5-tsrkqn.exe
c:\windows\bundles\Century.exe
c:\windows\bundles\cxt_big.exe
c:\windows\bundles\d_ic.exe
c:\windows\bundles\Decade.exe
c:\windows\bundles\e2g51.exe
c:\windows\bundles\icmedia2_56.exe
c:\windows\bundles\ICMMedia_1cmm3d1a.exe
c:\windows\bundles\iehost.exe
c:\windows\bundles\InvestorIntelligenceInstallWeb.exe
c:\windows\bundles\newmb.exe
c:\windows\bundles\optimizejames.exe
c:\windows\bundles\rop_marketing_1_168.exe
c:\windows\bundles\runsearch.exe
c:\windows\bundles\sahagent-dectest1001.exe
c:\windows\bundles\setup_silent_26221.exe
c:\windows\bundles\snackman.exe
c:\windows\bundles\stlb2_seed.exe
c:\windows\bundles\TrafficSpec8.exe
c:\windows\bundles\Verti1.exe
c:\windows\bundles\vl_ezstub.exe
c:\windows\bundles\winversion.exe
c:\windows\crosof~1
c:\windows\dobe~1
c:\windows\IE4 Error Log.txt
c:\windows\pppatc~1
c:\windows\sstem3~1
c:\windows\system32\AutoRun.inf
c:\windows\system32\bkokprls.dll
c:\windows\system32\Cache
c:\windows\system32\Cache\buts.bin
c:\windows\system32\Cache\chart 1.bmp
c:\windows\system32\Cache\ding.bmp
c:\windows\system32\Cache\disk 1.bmp
c:\windows\system32\Cache\document.bmp
c:\windows\system32\Cache\mail unreaded.bmp
c:\windows\system32\Cache\msg.bin
c:\windows\system32\Cache\peoples 1.bmp
c:\windows\system32\Cache\search find 2.bmp
c:\windows\system32\Cache\web app.bmp
c:\windows\system32\casino1.ico
c:\windows\system32\casino3.ico
c:\windows\system32\fnts~1
c:\windows\system32\fnts~2
c:\windows\system32\KVIF_11.dlltmp
c:\windows\system32\kxqlwmoy.ini
c:\windows\system32\lmdv.bin
c:\windows\system32\mbols~1
c:\windows\system32\pdlueyda.ini
c:\windows\system32\racle~1
c:\windows\system32\stem~1
c:\windows\system32\targetedbanner-uninst.exe
c:\windows\system32\TwENmUtv.ini
c:\windows\system32\uCfhNXyb.ini
c:\windows\system32\uCfhNXyb.ini2
c:\windows\system32\wapiicomsv32.exe
c:\windows\system32\wapisvsu.exe
c:\windows\system32\wnsxs~1
c:\windows\Tasks\xqnfogiv.job
c:\windows\wiaserviv.log
c:\windows\wnsxs~1
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SVCPROC
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS
-------\Service_Windows Overlay Components


((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-22 07:09 . 2009-01-22 07:10 810 --ah-c--- C:\aaw7boot.cmd
2009-01-21 23:31 . 2009-01-21 23:31 <DIR> d-------- c:\program files\Trend Micro
2009-01-16 10:22 . 2009-01-16 10:22 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-14 03:07 . 2006-08-21 03:14 128,896 -----c--- c:\windows\system32\dllcache\fltmgr.sys
2009-01-14 03:07 . 2006-08-21 03:14 23,040 -----c--- c:\windows\system32\dllcache\fltmc.exe
2009-01-14 03:07 . 2006-08-21 06:21 16,896 -----c--- c:\windows\system32\dllcache\fltlib.dll
2009-01-13 10:18 . 2007-07-09 07:09 584,192 -----c--- c:\windows\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 01:22 --------- d-----w c:\program files\DNA
2009-01-23 01:22 --------- d-----w c:\documents and settings\Owner\Application Data\DNA
2009-01-22 13:11 --------- d-----w c:\program files\Lavasoft
2009-01-22 13:11 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-22 04:43 --------- d-----w c:\documents and settings\Owner\Application Data\.purple
2009-01-19 06:01 --------- d-----w c:\program files\NoAds
2009-01-16 16:22 --------- d-----w c:\program files\Java
2009-01-16 01:37 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2009-01-15 09:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 04:41 --------- d-----w c:\documents and settings\Owner\Application Data\gtk-2.0
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 16:10 256 ----a-w c:\documents and settings\Owner\pool.bin
2008-11-26 23:54 --------- d-----w c:\program files\iTunes
2008-11-26 23:54 --------- d-----w c:\program files\iPod
2008-11-26 23:54 --------- d-----w c:\program files\Common Files\Apple
2008-11-26 23:54 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 23:51 --------- d-----w c:\program files\QuickTime
2008-11-11 02:38 86,528 ----a-w c:\windows\bnetunin.exe
2008-11-11 02:38 61,440 ----a-w c:\windows\diabunin.exe
2006-09-02 07:06 0 -c-ha-w c:\documents and settings\LocalService\hpothb07.dat
2004-02-23 23:47 30,423,000 -c--a-w c:\program files\rpg maker03.zip
2004-02-23 23:43 30,449,578 ----a-w c:\program files\rpg2003.zip
2003-12-17 00:33 0 -csha-w c:\windows\EXHEI.exe
2003-12-09 03:43 0 -csha-w c:\windows\GXEBY.exe
2004-09-12 23:12 0 -csha-w c:\windows\SMINST\HPCD.sys
2006-08-23 17:12 8,147 -csha-w c:\windows\system32\cvsloops.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mtr"="c:\program files\?ssembly\?canregw.exe" [?]
"Jduw"="c:\program files\Common Files\F?nts\?poolsv.exe" [?]
"Kwpd"="c:\windows\system32\F?nts\w?nlogon.exe" [?]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]
"NoAds"="c:\program files\NoAds\NoAds.exe" [2003-11-26 122880]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-23 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-06-01 7618560]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

c:\documents and settings\Owner\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-06-10 225280]
PowerReg Scheduler.exe [2007-09-16 256000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 09:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-09 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-09 231704]
S3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2004-12-06 112380]
S3 MSFIEDrv1;MSFIEDrv1;\??\c:\windows\System32\mxdefdrv.sys --> c:\windows\System32\mxdefdrv.sys [?]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S4 Cisvump;Cisvump; [x]
S4 MSFIE;MainSafe Service;c:\windows\System32\mainsafe.exe c:\windows\System32\mainsafe.empty.ini --> c:\windows\System32\mainsafe.exe c:\windows\System32\mainsafe.empty.ini [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-22 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1061245120.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 19:38]

2009-01-22 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 16:26]
.
- - - - ORPHANS REMOVED - - - -

BHO-{08AAF02D-3F90-2012-EAE1-31A67C2BCC9B} - c:\windows\System32\xiebtzok.dll
BHO-{3039A569-31F7-2055-A2AC-6443C06CF799} - c:\windows\System32\dkuch.dll
BHO-{6BFF2B24-6607-46B6-A587-3A6032181917} - c:\windows\System32\sjeud.dll
BHO-{79F1F83A-1526-4ED7-AF09-DD5A311E14E4} - c:\program files\CSBB\CSBB.dll
BHO-{8178D3EC-9606-462D-BB3F-58E4D756BACD} - c:\windows\System32\vupzf.dll
BHO-{A9C1428F-1D7A-4B10-920B-A779C5D6294D} - c:\windows\system32\vtUmNEwT.dll
BHO-{B76A1A77-F4A6-F3A9-324C-2B8E93233A8A} - c:\windows\system32\ruascsyetyw.dll
BHO-{BBB7A5C7-353D-4716-B861-01464F25BC58} - c:\windows\system32\byXNhfCu.dll
BHO-{C1ADAD39-6BDE-5B5B-8F2F-3FE679F10894} - c:\windows\System32\hjapv.dll
BHO-{C1ADAD48-6BD8-282C-8F29-3CE6048F0892} - c:\windows\System32\hjapv.dll
HKCU-Run-caslc.exe - c:\windows\System32\caslc.exe
HKCU-Run-CMAPP - c:\program files\CMAPP\Client\cmappclient.exe
HKCU-Run-Notn - c:\docume~1\Owner\APPLIC~1\YSTEM~1\notepad.exe
HKCU-Run-CurseClient - c:\program files\Curse\CurseClient.exe
HKCU-Run-Spark - c:\program files\Spark\Spark.exe
HKCU-Run-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe
HKCU-Run-GetModule33 - c:\program files\GetModule\GetModule33.exe
HKLM-Run-PS2 - c:\windows\system32\ps2.exe
HKLM-Run-winupdtl - c:\windows\System32\winupdtl.exe
HKLM-Run-VBouncer - c:\progra~1\VBouncer\VirtualBouncer.exe
HKLM-Run-Yantert - c:\windows\bruzmoh.exe
HKLM-Run-wmv - c:\windows\System32\winmonv.exe
HKLM-Run-caslc.exe - c:\windows\System32\caslc.exe
HKLM-Run-iisver - c:\windows\System32\iisver.exe
HKLM-Run-bzevatu - c:\windows\system32\rwupai.exe
HKLM-Run-spoolsvc - c:\windows\System32\spoolsvc.exe
HKLM-Run-rylvsnx - c:\windows\rylvsnx.exe
HKLM-Run-iissrv - c:\windows\iissrv.exe
HKLM-Run-tgphfa - c:\windows\System32\ugbcbs.exe
HKLM-Run-hcsystray - c:\program files\Kuma Games\hcsystray\hc_tray.exe
HKLM-Run-wxypwub - c:\windows\wxypwub.exe
HKLM-Run-Chckup - c:\windows\System32\Netverchk.exe
HKLM-Run-realtekg - c:\documents and settings\Owner\Application Data\Google\djvlg2072387.exe
Notify-byXNgdef - byXNgdef.dll
MSConfigStartUp-adstart - iexplore.exe


.
------- Supplementary Scan -------
.
mSearch Bar =
mWindow Title = IE3.01 - Internet Explorer
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.ysw\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/firefox
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-22 19:22:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4194800274-1283992648-3574082320-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:26,48,fe,ae,d1,7c,1e,37,46,21,89,96,54,47,ee,f5,c4,03,43,ac,2c,63,a0,
f8,f8,e2,5e,de,fa,47,2f,77,3c,91,ac,bf,7e,d1,b8,36,00,d1,e0,6c,32,88,36,47,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\wanmpsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
.
**************************************************************************
.
Completion time: 2009-01-22 19:34:35 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-23 01:33:55

Pre-Run: 11,356,479,488 bytes free
Post-Run: 16,085,958,656 bytes free

328 --- E O F --- 2009-01-22 03:26:16

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:05 PM

Posted 23 January 2009 - 02:32 AM

Hi,

I'm sure you already noticed a difference...

But.. we're not finished yet..

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\System32\mxdefdrv.sys
C:\WINDOWS\System32\mainsafe.exe
c:\windows\System32\mainsafe.empty.ini
C:\Windows\system32\drivers\svchost.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\bnetunin.exe
c:\windows\diabunin.exe
c:\windows\EXHEI.exe
c:\windows\GXEBY.exe
Driver::
MSFIEDrv1
MSFIE
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mtr"=-
"Jduw"=-
"Kwpd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-


Save this as a text file, CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
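The CFScript above asks ComboFix to delete files, remove services and edit the registry, but the post never spells out what each directive means. The following Python dry-run parser is an added example, not part of the thread and not ComboFix's own code: it reads the three sections (File::, Driver::, Registry::) and lists the actions such a script requests, so a helper can review a script before a user runs it. It assumes the Registry:: section follows .reg-file conventions ("[-Key]" removes a whole key, "name"=- removes one value under the most recent key header); the rule that flags an .exe sitting inside a drivers folder (the fake svchost.exe in this script) is this example's own heuristic, not a ComboFix feature.

```python
"""Dry-run planner for a ComboFix CFScript (constructed example).

Assumption: the Registry:: section uses .reg-file syntax, so "[-Key]"
deletes a key and '"name"=-' deletes a value under the current key.
"""
import re

SECTION_RE = re.compile(r"^(File|Driver|Registry)::\s*$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_DELETE_RE = re.compile(r'^"(.*)"=-$')

# Sample input: the script posted in the thread, embedded here verbatim.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\System32\mxdefdrv.sys
C:\WINDOWS\System32\mainsafe.exe
c:\windows\System32\mainsafe.empty.ini
C:\Windows\system32\drivers\svchost.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\windows\bnetunin.exe
c:\windows\diabunin.exe
c:\windows\EXHEI.exe
c:\windows\GXEBY.exe
Driver::
MSFIEDrv1
MSFIE
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Mtr"=-
"Jduw"=-
"Kwpd"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSFIE]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
"""


def parse_cfscript(text):
    """Return a list of (action, target) tuples in script order."""
    actions = []
    section = None       # which directive block we are inside
    current_key = None   # last "[...]" header seen in the Registry:: block
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if section == "file":
            actions.append(("delete_file", line))
        elif section == "driver":
            actions.append(("remove_service", line))
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                current_key = km.group(2)
                if km.group(1) == "-":       # "[-Key]" deletes the whole key
                    actions.append(("delete_key", current_key))
                continue
            vm = VALUE_DELETE_RE.match(line)
            if vm and current_key is not None:   # '"name"=-' deletes one value
                actions.append(("delete_value", current_key + "\\" + vm.group(1)))
            else:
                actions.append(("unrecognised", line))
        else:
            actions.append(("unrecognised", line))
    return actions


def summarize(actions):
    """Count actions by type, e.g. {'delete_file': 10, ...}."""
    counts = {}
    for action, _ in actions:
        counts[action] = counts.get(action, 0) + 1
    return counts


def flag_suspicious_paths(actions):
    """Heuristic (this example's own): an .exe inside a drivers folder is a
    classic place for a copy of a system binary such as svchost.exe, which
    Windows itself keeps in system32, not system32\\drivers."""
    flagged = []
    for action, target in actions:
        if action == "delete_file":
            low = target.lower()
            if low.endswith(".exe") and "\\drivers\\" in low:
                flagged.append(target)
    return flagged


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    for action, target in plan:
        print(f"{action:15} {target}")
    print(summarize(plan))
    print("flagged:", flag_suspicious_paths(plan))
```

Running it on the posted script yields 10 file deletions, 2 service removals, 5 value deletions and 1 key deletion; the only path the heuristic flags is the svchost.exe copy in the drivers folder, which is exactly the kind of entry a reviewer wants to see called out before anything is removed.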

#6 Kevinnn

Kevinnn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 23 January 2009 - 08:29 AM

Awesome! Yes I really have noticed a difference. When should I reinstall AD-AWARE?

ComboFix 09-01-21.04 - Owner 2009-01-23 7:04:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1428 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\My Documents\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning disabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Outdated)
AV: Avira AntiVir PersonalEdition Classic *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
c:\windows\bnetunin.exe
c:\windows\diabunin.exe
c:\windows\EXHEI.exe
c:\windows\GXEBY.exe
c:\windows\system32\drivers\svchost.exe
c:\windows\System32\mainsafe.empty.ini
c:\windows\System32\mainsafe.exe
c:\windows\System32\mxdefdrv.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler.exe
c:\windows\bnetunin.exe
c:\windows\diabunin.exe
c:\windows\EXHEI.exe
c:\windows\GXEBY.exe
c:\windows\System32\mainsafe.empty.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSFIE
-------\Legacy_MSFIEDRV1
-------\Service_MSFIE
-------\Service_MSFIEDrv1


((((((((((((((((((((((((( Files Created from 2008-12-23 to 2009-01-23 )))))))))))))))))))))))))))))))
.

2009-01-22 07:09 . 2009-01-22 07:10 810 --ah-c--- C:\aaw7boot.cmd
2009-01-21 23:31 . 2009-01-21 23:31 <DIR> d-------- c:\program files\Trend Micro
2009-01-16 10:22 . 2009-01-16 10:22 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-14 03:07 . 2006-08-21 03:14 128,896 -----c--- c:\windows\system32\dllcache\fltmgr.sys
2009-01-14 03:07 . 2006-08-21 03:14 23,040 -----c--- c:\windows\system32\dllcache\fltmc.exe
2009-01-14 03:07 . 2006-08-21 06:21 16,896 -----c--- c:\windows\system32\dllcache\fltlib.dll
2009-01-13 10:18 . 2007-07-09 07:09 584,192 -----c--- c:\windows\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 13:13 --------- d-----w c:\program files\DNA
2009-01-23 13:13 --------- d-----w c:\documents and settings\Owner\Application Data\DNA
2009-01-23 12:56 --------- d-----w c:\documents and settings\Owner\Application Data\.purple
2009-01-22 13:11 --------- d-----w c:\program files\Lavasoft
2009-01-22 13:11 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-19 06:01 --------- d-----w c:\program files\NoAds
2009-01-16 16:22 --------- d-----w c:\program files\Java
2009-01-16 01:37 --------- d-----w c:\documents and settings\Owner\Application Data\BitTorrent
2009-01-15 09:10 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-15 04:41 --------- d-----w c:\documents and settings\Owner\Application Data\gtk-2.0
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-27 16:10 256 ----a-w c:\documents and settings\Owner\pool.bin
2008-11-26 23:54 --------- d-----w c:\program files\iTunes
2008-11-26 23:54 --------- d-----w c:\program files\iPod
2008-11-26 23:54 --------- d-----w c:\program files\Common Files\Apple
2008-11-26 23:54 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-26 23:51 --------- d-----w c:\program files\QuickTime
2006-09-02 07:06 0 -c-ha-w c:\documents and settings\LocalService\hpothb07.dat
2004-02-23 23:47 30,423,000 -c--a-w c:\program files\rpg maker03.zip
2004-02-23 23:43 30,449,578 ----a-w c:\program files\rpg2003.zip
2004-09-12 23:12 0 -csha-w c:\windows\SMINST\HPCD.sys
2006-08-23 17:12 8,147 -csha-w c:\windows\system32\cvsloops.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-22_19.32.09.89 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-23 13:12:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_5b4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-04-02 389120]
"NoAds"="c:\program files\NoAds\NoAds.exe" [2003-11-26 122880]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-01 3587120]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-23 342848]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2003-03-11 114688]
"CamMonitor"="c:\program files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-06 90112]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2006-06-01 7618560]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-24 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2003-03-11 155648]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"nwiz"="nwiz.exe" [2006-06-01 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 09:01 155648 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AUtHorizedapplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\msncall.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"=
"c:\\Program Files\\Pidgin\\pidgin.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-09 97928]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-09 231704]
S3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2004-12-06 112380]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S4 Cisvump;Cisvump; [x]
.
Contents of the 'Scheduled Tasks' folder

2009-01-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-22 c:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1061245120.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-12-02 19:38]

2009-01-23 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 16:26]
.
.
------- Supplementary Scan -------
.
mSearch Bar =
mWindow Title = IE3.01 - Internet Explorer
uInternet Settings,ProxyOverride = localhost
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\default.ysw\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://search.yahoo.com/firefox
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=TB50TRFF;homepage=no;search=yesab&query=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-23 07:12:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-4194800274-1283992648-3574082320-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:26,48,fe,ae,d1,7c,1e,37,46,21,89,96,54,47,ee,f5,c4,03,43,ac,2c,63,a0,
f8,f8,e2,5e,de,fa,47,2f,77,3c,91,ac,bf,7e,d1,b8,36,00,d1,e0,6c,32,88,36,47,\
"??"=hex:5d,2e,bc,00,9b,07,bc,9c,34,34,87,88,c9,ab,ca,0d
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\wanmpsvc.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
.
**************************************************************************
.
Completion time: 2009-01-23 7:25:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-23 13:24:39
ComboFix2.txt 2009-01-23 01:34:38

Pre-Run: 16,136,433,664 bytes free
Post-Run: 16,134,688,768 bytes free

199 --- E O F --- 2009-01-22 03:26:16

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:05 PM

Posted 23 January 2009 - 08:36 AM

Hi,

* Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

When should I reinstall AD-AWARE?

You may reinstall it again now. Make sure it's the latest version and let it download all updates.
Then, perform a full scan with it again to get rid of the leftovers.

Then reboot once more.

Let me know in your next reply how things are now.

#8 Kevinnn

Kevinnn
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:04:05 PM

Posted 23 January 2009 - 09:17 AM

Awesome, things are working great. I did a smart scan on Ad-Aware and all it picked up were some cookies, so I deleted those.

Now, I'm working from home today, and I do so once a week. What should I do to actively stop this from ever happening again?

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:05 PM

Posted 23 January 2009 - 10:01 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:11:05 PM

Posted 26 January 2009 - 06:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
