Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News:    Firefox Targeting Competing VPN Sites With ProtonVPN Offer in New Test

Featured Deal: Get 95% Off the Certified Information Systems Security Professional Training Course

Photo

I believe it is AntiVirus 2009

Started by Deadsmelly , Jan 22 2009 02:19 PM

  • Please log in to reply
4 replies to this topic

#1 Deadsmelly

Deadsmelly

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:01:32 PM

Posted 22 January 2009 - 02:19 PM

Here is the DDS log.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Deborah at 9:54:38.37 on Thu 01/22/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.355 [GMT -7:00]

AV: AVG 7.5.476 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Deborah\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;127.0.0.1;*.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
BHO: NoExplorer - No File
BHO: {4339d995-436b-0da8-0204-2f4e0c68fd87}: {78df86c0-e4f2-4020-8ad0-b634599d9334} - c:\windows\system32\yupogt.dll
BHO: {83d505c2-cab9-4500-9aab-3f93e940f5e8} - c:\windows\system32\advapi3.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: ST: {9394ede7-c8b5-483e-8773-474bf36af6e4} - c:\program files\msn apps\st\01.03.0000.1005\en-xu\stmain.dll
BHO: Viewpoint Toolbar BHO: {a7327c09-b521-4edb-8509-7d2660c9ec98} - c:\program files\viewpoint\viewpoint toolbar\3.8.0\ViewBarBHO.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.0.1225.9868\swg.dll
BHO: MSNToolBandBHO: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn0\yt.dll
TB: MSN: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn apps\msn toolbar\msn toolbar\01.02.5000.1021\en-us\msntb.dll
TB: {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
DPF: ChatSpace Full Java Client 4.0.0.301 - hxxp://www.ldschat.com:8569/Java/cfs40301.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: Yahoo! Fleet - hxxp://download.games.yahoo.com/games/clients/y/fltt3_x.cab
DPF: Yahoo! Literati - hxxp://download.games.yahoo.com/games/clients/y/tt1_x.cab
DPF: Yahoo! MahJong Solitaire - hxxp://download.games.yahoo.com/games/clients/y/mjst4_x.cab
DPF: Yahoo! Poker - hxxp://download.games.yahoo.com/games/clients/y/pt3_x.cab
DPF: Yahoo! Pool 2 - hxxp://download2.games.yahoo.com/games/clients/y/poti_x.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - hxxp://www.kungfuchess.com/activex/web665.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37614.9391898148
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/toolbar/my/yiebio5_0_2_7.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\deborah\applic~1\mozilla\firefox\profiles\4mbwwpvd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {B120FE16-4705-4598-872C-3890DC5A9A82} - c:\windows\system32\config\systemprofile\local settings\application data\{b120fe16-

4705-4598-872c-3890dc5a9a82}\
FF - HiddenExtension: XUL Cache: {C5560414-9EFE-41B0-8C97-1EC2BC701427} - c:\documents and settings\deborah\local settings\application data\{C5560414-9EFE-

41B0-8C97-1EC2BC701427}

============= SERVICES / DRIVERS ===============

R0 cdngfeml;cdngfeml;c:\windows\system32\drivers\ckebptsn.dat --> c:\windows\system32\drivers\ckebptsn.dat [?]
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-9-15 40840]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-6-24 820928]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-6-24 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-6-24 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-6-24 3968]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-9-15 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-9-15 81288]
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [2007-10-5 2560]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-8-24 21920]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-6-24 4960]
S0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-4-27 8704]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\drivers\pssdk30.drv --> c:\windows\system32\drivers\PsSdk30.drv [?]
S3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-4-27 99360]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-1-2 19677]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-6-24 353280]
S4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-6-24 49664]
S4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-6-24 352768]
S4 mrtRate;mrtRate; [x]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-9-15 356920]
S4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-9-15 1077640]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-26 24652]

=============== Created Last 30 ================

2009-01-19 11:28 54,156 a---h--- c:\windows\QTFont.qfn
2009-01-19 11:28 1,409 a------- c:\windows\QTFont.for
2009-01-16 04:57 135,168 a------- c:\windows\avanerokowucafo.dll
2009-01-16 04:45 41,984 a------- c:\windows\Dxevodowur.dll
2009-01-16 04:45 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-15 10:46 1 a------- c:\windows\system32\uniq.tll
2009-01-14 22:21 125,440 a------- c:\windows\system32\znabtw.dll
2009-01-14 22:21 125,440 a------- c:\windows\system32\wsmypvdl.dll
2009-01-14 16:42 125,440 a------- c:\windows\system32\bszyer.dll
2009-01-14 16:42 125,440 a------- c:\windows\system32\uxmnxgno.dll
2009-01-14 16:42 1,372,550 a--sh--- c:\windows\system32\ysbjuwvm.ini
2009-01-13 16:42 123,904 a------- c:\windows\system32\tekvrl.dll
2009-01-13 16:42 123,904 a------- c:\windows\system32\ogqnxoon.dll
2009-01-13 16:42 1,352,104 a--sh--- c:\windows\system32\opmrieer.ini
2009-01-12 16:41 124,928 a------- c:\windows\system32\jgypuc.dll
2009-01-12 16:41 1,266,872 a--sh--- c:\windows\system32\nflgxbem.ini
2009-01-12 16:41 124,928 a------- c:\windows\system32\qxycfojc.dll
2009-01-12 11:52 125,440 a------- c:\windows\system32\ntdll64.exe
2009-01-12 11:22 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-12 11:22 4,785 a------- c:\windows\system32\warning.gif
2009-01-12 11:22 491 a------- c:\windows\system32\win32hlp.cnf
2009-01-12 11:21 111,616 ac------ c:\windows\system32\dllcache\userinit.exe
2009-01-12 11:20 1 a------- c:\windows\system32\test.ttt
2009-01-12 11:20 31,232 a------- c:\windows\system32\frmwrk32.exe
2009-01-12 11:20 31,232 a------- c:\windows\system32\pcload.exe
2009-01-12 00:21 <DIR> --d----- c:\program files\Trend Micro
2009-01-11 16:39 123,392 a------- c:\windows\system32\yupogt.dll
2009-01-11 16:39 123,392 a------- c:\windows\system32\ecollldy.dll
2009-01-10 20:30 1,256,329 a--sh--- c:\windows\system32\hwyimjup.ini
2009-01-10 20:27 124,928 a------- c:\windows\system32\unxszu.dll
2009-01-10 20:27 124,928 a------- c:\windows\system32\ampncpno.dll
2009-01-09 15:50 388,640 a------- C:\temp3131.tmp
2009-01-09 12:06 133,120 a------- c:\windows\system32\mlzmfm.dll
2009-01-09 12:06 133,120 a------- c:\windows\system32\awmgngmd.dll
2009-01-08 12:05 139,264 a------- c:\windows\system32\ocprsx.dll
2009-01-08 12:04 139,264 a------- c:\windows\system32\iklpnbdf.dll
2009-01-07 12:04 129,536 a------- c:\windows\system32\urnzqz.dll
2009-01-07 12:04 129,536 a------- c:\windows\system32\ptmlbjma.dll
2009-01-07 12:01 1,326,815 a--sh--- c:\windows\system32\etpkcnmm.ini
2009-01-07 09:34 73,216 a------- c:\windows\system32\ffkuz.dll
2009-01-06 14:49 31 a------- c:\windows\system32\k9261108.exe
2009-01-06 12:06 137,728 a------- c:\windows\system32\sxnjjr.dll
2009-01-06 12:06 137,728 a------- c:\windows\system32\jlrxrwhe.dll
2009-01-05 11:59 1,321,922 a--sh--- c:\windows\system32\dwobrwia.ini
2009-01-05 11:59 126,976 a------- c:\windows\system32\auhmvguy.dll
2009-01-05 11:50 50,176 a------- c:\windows\system32\jkkHBSJA.dll
2009-01-05 11:34 114,688 a------- c:\windows\system32\prunnet.exe
2009-01-02 16:42 388,640 a------- C:\temp8876.tmp
2008-12-31 18:27 388,640 a------- C:\temp9878.tmp
2008-12-30 17:03 388,640 a------- C:\temp6020.tmp
2008-12-30 17:03 388,640 a------- C:\temp2547.tmp
2008-12-30 17:03 388,640 a------- C:\temp8278.tmp

==================== Find3M ====================

2009-01-21 21:01 2,560 a------- c:\windows\system32\drivers\mchInjDrv.sys
2009-01-18 13:58 303,104 a------- c:\windows\help\TIBIA MULTI-IP CHANGER.EXE
2009-01-15 16:43 96,256 a------- c:\windows\system32\drivers\sptd0349.sys
2009-01-12 11:21 111,616 a------- c:\windows\system32\userinit.exe
2008-11-14 09:25 116,480 a------- c:\windows\system32\advapi3.dll
2008-09-23 19:38 16,380 a------- c:\program files\D&D - Warriors of the Eternal Sun (U) [!].srm
2008-03-16 07:23 67,840 a------- c:\docume~1\deborah\applic~1\GDIPFONTCACHEV1.DAT
2007-07-04 10:26 9 a------- c:\program files\install_log.dat
2007-04-03 15:42 10,993,720 a------- c:\program files\BackCompat_01-2007.zip
2007-03-25 14:39 114 a------- c:\documents and settings\deborah\hhjj.bat
2007-03-25 14:39 41,792 a------- c:\documents and settings\deborah\nek.exe
2007-03-23 12:30 201 a------- c:\documents and settings\deborah\q.bat
2001-04-04 17:11 184 a---hr-- c:\program files\AUTORUN.INF
2007-12-08 08:02 458,637 a--sh--- c:\windows\system32\qqtss.ini2
2005-08-28 18:02 216 a--sh--- c:\windows\system32\pkixwkk\csrss.dat

============= FINISH: 9:56:50.87 ===============

Attachment text is attached.

I am very thankful for any help you can provide on this problem! Thank you very much!

Attached Files


BC AdBot (Login to Remove)

 

#2 Deadsmelly

Deadsmelly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:01:32 PM

Posted 22 January 2009 - 06:11 PM

Kaspersky Virus scan report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 22, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 22, 2009 16:10:06
Records in database: 1667968
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Critical Areas:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Deborah\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS

Scan statistics:
Files scanned: 81000
Threat name: 36
Infected objects: 57
Suspicious objects: 0
Duration of the scan: 04:53:42


File name / Threat name / Threats count
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 1
C:\Program Files\Need2Find\bar\1.bin\N2PLUGIN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.l 1
C:\Program Files\Need2Find\bar\1.bin\NPND2FN.DLL Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.o 1
C:\WINDOWS\avanerokowucafo.dll Infected: Trojan.Win32.Agent2.js 1
C:\WINDOWS\Dxevodowur.dll Infected: Trojan-Downloader.Win32.Agent.bdlh 1
C:\WINDOWS\Fonts\a.zip Infected: Trojan.Win32.Agent.cmn 1
C:\WINDOWS\system32\advapi3.dll Infected: Rootkit.Win32.Podnuha.bhk 1
C:\WINDOWS\system32\Agent.dll Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\WINDOWS\system32\ampncpno.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gad 1
C:\WINDOWS\system32\ast_.dll Infected: Trojan-Downloader.Win32.VB.ah 1
C:\WINDOWS\system32\awmgngmd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fzm 1
C:\WINDOWS\system32\bszyer.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gcf 1
C:\WINDOWS\system32\chert5-998.exe Infected: Trojan-Downloader.Win32.Agent.bdlh 1
C:\WINDOWS\system32\CometTB.exe Infected: not-a-virus:AdWare.Win32.Comet.ad 1
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\E2NWK7GB\lsp[1].exe Infected: Trojan.Win32.Agent.bgwt 1
C:\WINDOWS\system32\ctbv2.dll Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\WINDOWS\system32\dllcache\userinit.exe Infected: Trojan.Win32.Agent.bgwt 1
C:\WINDOWS\system32\dp_o13m09.dll Infected: Trojan-Downloader.Win32.Agent.ac 1
C:\WINDOWS\system32\ecollldy.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gbe 1
C:\WINDOWS\system32\ffkuz.dll Infected: Trojan-Downloader.Win32.Murlo.vn 1
C:\WINDOWS\system32\frmwrk32.exe Infected: Trojan-Downloader.Win32.Agent.bcst 1
C:\WINDOWS\system32\iCode501.dll Infected: Trojan-Downloader.Win32.VB.kr 1
C:\WINDOWS\system32\iklpnbdf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\WINDOWS\system32\jgypuc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gbc 1
C:\WINDOWS\system32\jkkHBSJA.dll Infected: Packed.Win32.PolyCrypt.d 1
C:\WINDOWS\system32\jlrxrwhe.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fxa 1
C:\WINDOWS\system32\KVI_111.dll Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\WINDOWS\system32\MadCHook.dll Infected: not-a-virus:RiskTool.Win32.Hooker.a 1
C:\WINDOWS\system32\mlzmfm.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fzm 1
C:\WINDOWS\system32\NLNP131.dll Infected: not-a-virus:AdWare.Win32.IGetNet.a 1
C:\WINDOWS\system32\nsx448.dll Infected: not-a-virus:AdWare.Win32.BHO.aad 1
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.ag 1
C:\WINDOWS\system32\ocprsx.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\WINDOWS\system32\ogqnxoon.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gbs 1
C:\WINDOWS\system32\pcload.exe Infected: Trojan-Downloader.Win32.Agent.bcst 1
C:\WINDOWS\system32\pr1ze5.dll Infected: Trojan.Win32.RCSync 1
C:\WINDOWS\system32\prunnet.exe Infected: Trojan.Win32.Agent.bcbh 1
C:\WINDOWS\system32\ptmlbjma.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fxt 1
C:\WINDOWS\system32\qxycfojc.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gbc 1
C:\WINDOWS\system32\rlvknlg.exe Infected: not-a-virus:AdWare.Win32.RK.q 1
C:\WINDOWS\system32\sahagent1001.exe Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\WINDOWS\system32\sahagent1003.exe Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\WINDOWS\system32\SHAgent.dll Infected: not-a-virus:AdWare.Win32.Sahat.g 1
C:\WINDOWS\system32\SHAgent1007.dll Infected: not-a-virus:AdWare.Win32.Sahat.b 1
C:\WINDOWS\system32\SurfScanUpdate.exe Infected: not-a-virus:AdWare.Win32.Look2Me.q 1
C:\WINDOWS\system32\sxnjjr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fxa 1
C:\WINDOWS\system32\tekvrl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gbs 1
C:\WINDOWS\system32\unxszu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gad 1
C:\WINDOWS\system32\urnzqz.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.fxt 1
C:\WINDOWS\system32\userinit.exe Infected: Trojan.Win32.Agent.bgwt 1
C:\WINDOWS\system32\uxmnxgno.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gcf 1
C:\WINDOWS\system32\Web1nstal.dll Infected: not-a-virus:AdWare.Win32.DownloadWare.j 1
C:\WINDOWS\system32\Web1nstall.dll Infected: not-a-virus:AdWare.Win32.DownloadWare.j 1
C:\WINDOWS\system32\wsmypvdl.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gcf 1
C:\WINDOWS\system32\Xcite.exe Infected: not-a-virus:AdWare.Win32.BrowsePal.b 1
C:\WINDOWS\system32\yupogt.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gbe 1
C:\WINDOWS\system32\znabtw.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.gcf 1

The selected area was scanned.

#3 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:32 PM

Posted 26 January 2009 - 09:52 AM

Hello Deadsmelly and welcome to Bleeping Computer,

1. Please download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter.
  • Make sure all instances of Firefox are closed at this point.
  • Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: If you receive a message saying that GooredFix needs your system to be restarted, please close all applications and reboot your system. Please also allow any registry changes that may be prompted by any of your security programs.

2. Please read this tutorial carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbup2:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#4 Deadsmelly

Deadsmelly
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
    •  
  • Local time:01:32 PM

Posted 30 January 2009 - 12:30 PM

Followed instructions. Here are the logs!

GooredFix v1.83 by jpshortstuff
Log created at 17:26 on 29/01/2009 running Option #2 (Deborah)
Firefox version 3.0.5 (en-US)

=====Goored Deletions=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{C5560414-9EFE-41B0-8C97-1EC2BC701427}"="C:\Documents and Settings\Deborah\Local Settings\Application Data\{C5560414-9EFE-41B0-8C97-1EC2BC701427}"
->Backing up value... Done.
->Deleting value... Done.

C:\Documents and Settings\Deborah\Local Settings\Application Data\{C5560414-9EFE-41B0-8C97-1EC2BC701427}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{B120FE16-4705-4598-872C-3890DC5A9A82}"="C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B120FE16-4705-4598-872C-3890DC5A9A82}\"
->Backing up value... Done.
->Deleting value... Done.

C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\{B120FE16-4705-4598-872C-3890DC5A9A82}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.5\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"


Here is combofix

ComboFix 09-01-21.04 - Deborah 2009-01-30 9:29:38.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.766.520 [GMT -7:00]
Running from: c:\documents and settings\Deborah\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Deborah\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
AV: AVG 7.5.476 *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\documents\setup.exe
c:\documents and settings\Deborah\Application Data\PPPATC~1
c:\documents and settings\Deborah\Favorites\Online Security Guide.lnk
c:\documents and settings\Deborah\Local Settings\Temporary Internet Files\Dxc.log
c:\documents and settings\NetworkService\Local Settings\Temporary Internet Files\Dxc.log
c:\program files\autorun.inf
c:\program files\Common Files\{E435B~1
c:\program files\Common Files\scurit~1
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2PLUGIN.DLL
c:\program files\Need2Find\bar\1.bin\NPND2FN.DLL
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\program files\Need2Find\bar\Cache\000B88C2
c:\program files\Need2Find\bar\Cache\0FA5D51A
c:\program files\Need2Find\bar\Cache\files.ini
c:\program files\Need2Find\bar\History\search
c:\program files\Need2Find\bar\Settings\prevcfg.htm
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\bkR11
c:\temp\bkR11\ftCa.log
c:\temp\tn3
c:\windows\Downloaded Program Files\temp
c:\windows\Fonts\a.zip
c:\windows\IE4 Error Log.txt
c:\windows\qmdispatch.dll
c:\windows\racle~1
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\ahtn.htm
c:\windows\system32\ampncpno.dll
c:\windows\system32\ATHPRXY(2).DLL
c:\windows\system32\awmgngmd.dll
c:\windows\system32\BBGl0.dlltmp
c:\windows\system32\bszyer.dll
c:\windows\system32\bund1
c:\windows\system32\bund1\temp.txt
c:\windows\system32\chert5-998.exe
c:\windows\system32\ctbv2.dll
c:\windows\system32\drivers\core.cache(2).dsk
c:\windows\system32\drivers\core.cache(3).dsk
c:\windows\system32\drivers\core.cache(4).dsk
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\drivers\senekabwwostid.sys
c:\windows\system32\dwobrwia.ini
c:\windows\system32\ecollldy.dll
c:\windows\system32\etpkcnmm.ini
c:\windows\system32\frmwrk32.exe
c:\windows\system32\hwyimjup.ini
c:\windows\system32\iklpnbdf.dll
c:\windows\system32\jgypuc.dll
c:\windows\system32\jkkHBSJA.dll
c:\windows\system32\jlrxrwhe.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\KVI_111.dll
c:\windows\system32\mlzmfm.dll
c:\windows\system32\nflgxbem.ini
c:\windows\system32\ntdll64.exe
c:\windows\system32\ocprsx.dll
c:\windows\system32\ogqnxoon.dll
c:\windows\system32\opmrieer.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\ptmlbjma.dll
c:\windows\system32\qqtss.ini2
c:\windows\system32\qxycfojc.dll
c:\windows\system32\rlvknlg.exe
c:\windows\system32\sahagent1001.exe
c:\windows\system32\sahagent1003.exe
c:\windows\system32\sembly~1
c:\windows\system32\senekadf.dat
c:\windows\system32\senekaieexoqhg.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekansviuthw.dll
c:\windows\system32\senekaqqfaaesd.dat
c:\windows\system32\SHAgent.dll
c:\windows\system32\sstem3~1
c:\windows\system32\sxnjjr.dll
c:\windows\system32\taskkill.exe
c:\windows\system32\tekvrl.dll
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\unxszu.dll
c:\windows\system32\urnzqz.dll
c:\windows\system32\uxmnxgno.dll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\system32\winhlpp32.exe
c:\windows\system32\wsmypvdl.dll
c:\windows\system32\Xcite.exe
c:\windows\system32\ysbjuwvm.ini
c:\windows\system32\yupogt.dll
c:\windows\system32\znabtw.dll
c:\windows\system32\advapi3.dll . . . . failed to delete

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SENEKA
-------\Legacy_CLIENT_IP-IPX
-------\Legacy_ISODRIVE
-------\Service_ISODrive


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-30 09:54 . 2009-01-30 09:56 <DIR> d-------- C:\466cfef5daf6c3d2c9f2f58f12826f
2009-01-17 16:06 . 2009-01-17 16:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-16 04:57 . 2009-01-16 04:57 135,168 --a------ c:\windows\avanerokowucafo.dll
2009-01-16 04:45 . 2009-01-16 04:45 41,984 --a------ c:\windows\Dxevodowur.dll
2009-01-12 11:20 . 2009-01-12 11:20 31,232 --a------ c:\windows\system32\pcload.exe
2009-01-12 00:21 . 2009-01-12 00:21 <DIR> d-------- c:\program files\Trend Micro
2009-01-10 11:38 . 2009-01-10 11:39 <DIR> d-------- c:\documents and settings\Administrator
2009-01-09 15:50 . 2008-12-29 15:57 388,640 --a------ C:\temp3131.tmp
2009-01-07 09:34 . 2009-01-07 09:34 73,216 --a------ c:\windows\system32\ffkuz.dll
2009-01-05 11:59 . 2009-01-05 11:59 126,976 --a------ c:\windows\system32\auhmvguy.dll
2009-01-02 16:42 . 2008-12-29 15:57 388,640 --a------ C:\temp8876.tmp
2008-12-31 18:27 . 2008-12-29 15:57 388,640 --a------ C:\temp9878.tmp
2008-12-30 17:03 . 2008-12-29 15:57 388,640 --a------ C:\temp8278.tmp
2008-12-30 17:03 . 2008-12-29 15:57 388,640 --a------ C:\temp6020.tmp
2008-12-30 17:03 . 2008-12-29 15:57 388,640 --a------ C:\temp2547.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-30 15:59 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-29 23:04 --------- d-----w c:\documents and settings\Deborah\Application Data\MSN6
2009-01-24 23:56 303,104 ----a-w c:\windows\Help\TIBIA MULTI-IP CHANGER.EXE
2009-01-22 16:19 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-22 04:01 2,560 ----a-w c:\windows\system32\drivers\mchInjDrv.sys
2009-01-20 05:15 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
2009-01-17 23:06 --------- d-----w c:\program files\Lavasoft
2009-01-17 23:04 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-17 21:42 --------- d-----w c:\program files\Spyware Doctor
2009-01-16 20:12 --------- d-----w c:\program files\FrostWire
2009-01-15 23:43 96,256 ----a-w c:\windows\system32\drivers\sptd0349.sys
2009-01-15 18:35 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-12 06:50 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-11 08:17 --------- d-----w c:\documents and settings\Deborah\Application Data\AVG7
2009-01-05 19:02 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-01-03 00:03 --------- d-----w c:\documents and settings\Deborah\Application Data\Tibia
2008-12-16 23:59 --------- d-----w c:\program files\Cheat Engine
2008-12-08 03:57 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-09-24 02:38 16,380 ----a-w c:\program files\D&D - Warriors of the Eternal Sun (U) [!].srm
2008-03-16 14:23 67,840 ----a-w c:\documents and settings\Deborah\Application Data\GDIPFONTCACHEV1.DAT
2007-07-04 17:26 9 ----a-w c:\program files\install_log.dat
2007-04-03 22:42 10,993,720 ----a-w c:\program files\BackCompat_01-2007.zip
2007-03-25 21:39 41,792 ----a-w c:\documents and settings\Deborah\nek.exe
2007-03-25 21:39 114 ----a-w c:\documents and settings\Deborah\hhjj.bat
2007-03-23 19:30 201 ----a-w c:\documents and settings\Deborah\q.bat
2005-08-27 20:30 5,065 ----a-w c:\windows\inf\SET6FE.tmp
2005-08-27 20:30 5,065 ----a-w c:\windows\inf\SET6F3.tmp
2005-08-27 20:30 5,065 ----a-w c:\windows\inf\SET6E7.tmp
2005-08-29 01:02 216 --sha-w c:\windows\system32\pkixwkk\csrss.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83D505C2-CAB9-4500-9AAB-3F93E940F5E8}]
2008-11-14 09:25 116480 --a------ c:\windows\system32\advapi3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Deborah^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Deborah\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AStart]
c:\windows\AStart [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
NvQTwk [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-03-25 13:21 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CamMonitor]
--a------ 2002-06-17 23:11 69632 c:\program files\Hewlett-Packard\Digital Imaging\Unload\HpqCmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2004-11-02 07:59 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
--a------ 2002-06-17 05:41 188416 c:\windows\system32\spool\drivers\w32x86\3\hpztsb05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--a------ 1998-05-07 16:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 08:03 155648 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 10:36 1168264 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 09:36 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2004-02-12 15:57 188416 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
--a------ 2004-02-12 15:57 188416 c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
--a------ 2004-02-12 15:59 77824 c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2003-09-13 20:36 50688 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
--a------ 2008-04-17 16:27 9117696 c:\program files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
--a------ 2003-06-15 15:19 26112 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2001-12-18 23:39 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\REGSHAVE]
--a------ 2002-02-04 22:32 53248 c:\program files\REGSHAVE\Regshave.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2008-04-23 16:45 22058792 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2002-05-09 08:01 155648 c:\program files\VERITAS Software\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-30 13:19 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
-ra------ 2005-06-21 10:05 1851392 c:\program files\Support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 19:05 204288 c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 12:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"SymWSC"=2 (0x2)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"iPod Service"=3 (0x3)
"gusvc"=2 (0x2)
"AOL ACS"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"Ventrilo"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Bonjour Service"=2 (0x2)
"NVSvc"=2 (0x2)
"WUSB54GCSVC"=2 (0x2)
"usnjsvc"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\JavaSoft\\JRE1.4\\1.4.1\\bin\\javaw.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\XLink Kai Evolution VII\\kaiLaunch.exe"=
"c:\\Program Files\\XLink Kai Evolution VII\\kaiEngine.exe"=
"\\\\CRUSHINATOR\\SHAREDDOCS\\warcraft iii\\war3.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\WINDOWS\\system32\\ftp.exe"=
"c:\\Program Files\\FileZilla Client\\filezilla.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"15164:UDP"= 15164:UDP:AM Agent

R0 cdngfeml;cdngfeml;c:\windows\system32\drivers\ckebptsn.dat --> c:\windows\system32\drivers\ckebptsn.dat [?]
R1 mchInjDrv;madCodeHook DLL injection driver;c:\windows\system32\drivers\mchInjDrv.sys [2007-10-05 2560]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2007-08-24 21920]
S0 stwlfbus;stwlfbus;c:\windows\system32\drivers\stwlfbus.sys [2003-04-27 8704]
S3 PsSdk30;PsSdk30;\??\c:\windows\system32\Drivers\PsSdk30.drv --> c:\windows\system32\Drivers\PsSdk30.drv [?]
S3 st3wolf;st3wolf;c:\windows\system32\drivers\st3wolf.sys [2003-04-27 99360]
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);c:\windows\system32\drivers\xbreader.sys [2001-01-02 19677]
S4 mrtRate;mrtRate; [x]
S4 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-09-15 356920]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-26 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Installer.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{23b6ab9d-4330-11dc-b40b-00038a000015}]
\Shell\AutoRun\command - f:\portableapps\PortableAppsMenu\PortableAppsMenu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-26 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-29 c:\windows\Tasks\FRU Task #Hewlett-Packard#Deskjet#3320.job
- c:\program files\Hewlett-Packard\upapp\hpqfruv.exe [2002-05-31 09:38]

2009-01-30 c:\windows\Tasks\gskjnapc.job
- c:\windows\system32\fccbArOI.dll []

2009-01-30 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (SHATTOFAMILY-Owner).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe []

2009-01-30 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe []

2009-01-29 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe []

2009-01-28 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-07-07 09:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{78df86c0-e4f2-4020-8ad0-b634599d9334} - c:\windows\system32\yupogt.dll
WebBrowser-{4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - (no file)
MSConfigStartUp-BitDownload - c:\program files\BitDownload\BitDownload.exe
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-checktime - c:\program files\HPSelect\Frontend\ct.exe
MSConfigStartUp-DAEMON Tools-1033 - c:\program files\D-Tools\daemon.exe
MSConfigStartUp-dla - c:\windows\system32\dla\tfswctrl.exe
MSConfigStartUp-DW4 - c:\program files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
MSConfigStartUp-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
MSConfigStartUp-FMSZCJP - c:\windows\FMSZCJP.exe
MSConfigStartUp-LCWG - c:\windows\LCWG.exe
MSConfigStartUp-Microsoft Tray - c:\my downloads\sims no cd(All Versions).exe
MSConfigStartUp-PLEODYTFD - c:\windows\PLEODYTFD.exe
MSConfigStartUp-PS2 - c:\windows\system32\ps2.exe
MSConfigStartUp-QAGENT - c:\program files\QUICKENW\QAGENT.EXE
MSConfigStartUp-SDTray - c:\program files\Spyware Doctor\SDTrayApp.exe
MSConfigStartUp-Uniblue SpeedUpMyPC - c:\program files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
MSConfigStartUp-Microsoft Driver - xbbtaox.exe
MSConfigStartUp-nwiz - nwiz.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;127.0.0.1;*.local
DPF: ChatSpace Full Java Client 4.0.0.301 - hxxp://www.ldschat.com:8569/Java/cfs40301.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Yahoo! Chat - hxxp://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - hxxp://www.kungfuchess.com/activex/web665.cab
FF - ProfilePath - c:\documents and settings\Deborah\Application Data\Mozilla\Firefox\Profiles\4mbwwpvd.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?btnI=I%27m+Feeling+Lucky&ie=UTF-8&oe=UTF-8&q=
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npracplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-30 09:56:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\cdngfeml]
"ImagePath"="system32\drivers\ckebptsn.dat"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PSSdk21]
"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\PsSdk30]
"ImagePath"="\??\c:\windows\system32\Drivers\PsSdk30.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"=""
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\cisvc.exe
c:\windows\system32\cidaemon.exe
c:\windows\system32\rundll32.exe
c:\windows\SoftwareDistribution\Download\ab02de9444a68e46b9d94dbc7903bc14\update\update.exe
.
**************************************************************************
.
Completion time: 2009-01-30 10:21:21 - machine was rebooted [Deborah]
ComboFix-quarantined-files.txt 2009-01-30 17:19:58

Pre-Run: 5,065,719,808 bytes free
Post-Run: 5,083,430,912 bytes free

403 --- E O F --- 2008-12-18 10:03:28

Combo fixed deleted a lot! I was very impressed. Thank you again for everything you've helped me with so far! You guys rock. Hate viruses and spyware so much!

#5 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
    •  
  • Gender:Male
  • Location:Belgium
  • Local time:10:32 PM

Posted 31 January 2009 - 07:09 PM

Hello Deadsmelly,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:http://www.bleepingcomputer.com/forums/t/197290/i-believe-it-is-antivirus-2009/
Collect::
c:\windows\avanerokowucafo.dll
c:\windows\Dxevodowur.dll
c:\windows\system32\pcload.exe
C:\temp3131.tmp
c:\windows\system32\ffkuz.dll
c:\windows\system32\auhmvguy.dll
c:\windows\system32\advapi3.dll
c:\windows\system32\drivers\ckebptsn.dat
c:\windows\system32\Drivers\HNPsSdk.drv
c:\windows\system32\Drivers\PsSdk30.drv
File::
C:\temp8876.tmp
C:\temp9878.tmp
C:\temp8278.tmp
C:\temp6020.tmp
C:\temp2547.tmp
F:\Installer.exe
c:\windows\Tasks\gskjnapc.job
Folder::
c:\windows\system32\pkixwkk
Driver::
cdngfeml
RegNull::
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•A~*]
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{83D505C2-CAB9-4500-9AAB-3F93E940F5E8}]
Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

ComboFix wil generate a zipped file, similar to C:\Qoobox\Quarantine\[9]Submit@Date_Time.zip.
Upon reboot, and if an active connection is available, it will attempt to automatically upload the malware sample for further investigation. Please allow this if one of your security programs pops up a warning.
In the event the upload fails, the sample can still be uploaded by double clicking the C:\CF-Submit.htm file (opens browser window) and click OK to start the upload. :thumbup2:

Still having problems ?

Greetings,
Thunder

Edited by Thunder, 31 January 2009 - 07:10 PM.

Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference
Back to Virus, Trojan, Spyware, and Malware Removal Help


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Help
  4. Privacy Policy
  5. Rules ·