
MS virus, vundo, generic.pup....


This topic is locked. 14 replies to this topic.

#1 myPRONEpc (Members, 62 posts)

Posted 26 January 2009 - 10:27 PM

So everything was fine on my PC for years. I got a Java alert to update back around Christmas time and that's when it all began. I was using Norton from the AT&T DSL service and it alerted me to the VundoH virus. It took a few days and I thought I had managed to get rid of it, but my PC still acted weird. During that fix I had to move over to McAfee anti-virus, cause that was what was now available from my ISP. But like I said, it still acted weird. It would, I guess, do memory dumps (3 so far); on the 3rd one is when I got that MS Antivirus 2009 message come up. I know it's bogus from the research I did when I tried to get rid of Vundo, so I figured I'd come to the experts and ask for help.
I used spybot, vundo fixit tool and ad-ware before the latest batch of mishaps.

Here's the DDS.txt.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Gabe at 17:43:58.92 on Mon 01/26/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.606 [GMT -8:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp3\winamp3.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\Acrobat.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Runtime Software\DriveImage XML\dixml.exe
C:\WINDOWS\System32\dllhost.exe
C:\Documents and Settings\Gabe\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://att.yahoo.com/
uSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSEARCH PAGE = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {aff69651-6ede-84b8-dd44-bbb1dce04083}: {38040ecd-1bbb-44dd-8b48-ede615696ffa} - c:\windows\system32\dxtldx.dll
BHO: {56e72bdc-08ed-4788-9364-7fc15f46a05b} - c:\windows\system32\hgGxYqOF.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXNHYoN.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [RealPlayer] "c:\program files\real\realone player\realplay.exe" /RunUPGToolCommandReBoot
uRun: [Yahoo! Pager] "c:\progra~1\yahoo!\messen~1\YAHOOM~1.EXE" -quiet
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [updateMgr] "c:\program files\adobe\adobe acrobat 7.0\acrobat\AdobeUpdateManager.exe" AcPro7_0_9 -reboot 1
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uRun: [MS AntiSpyware 2009] "c:\documents and settings\all users\application data\crucialsoft ltd\ms antispyware 2009\msas2009.exe" /autorun
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [LiveMonitor] c:\program files\msi\live update 3\LMonitor.exe
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Adobe Version Cue CS2] "c:\program files\adobe\adobe version cue cs2\controlpanel\VersionCueCS2Tray.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\adobe acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [YBrowser] c:\progra~1\yahoo!\browser\ybrwicon.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [10b92a33] rundll32.exe "c:\windows\system32\ybgjyhwx.dll",b
StartupFolder: c:\docume~1\gabe\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\documents and settings\gabe\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\gabe\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sbcsel~1.lnk - c:\program files\sbc self support tool\bin\matcli.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\adobe acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Si&milar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: att.net
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: sbcglobal.net
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Trusted Zone: yahoo.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: Tegrity-WebLearner-2317 - hxxp://tegrity.taftcollege.edu/tegrity/jmartinez/Bienvenidos%20a%20Espa%20ol%201!/class/TWebS.CAB
DPF: {00000075-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxmsdec.CAB
DPF: {00000161-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/msaudio.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper20073151.dll
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://appldnld.m7z.net/qtinstall.info.apple.com/tramper/us/win/QuickTimeInstaller.exe
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {4E330863-6A11-11D0-BFD8-006097237877} - hxxp://tw.msi.com.tw/autobios/client/iftwclix.cab
DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203061211218
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1203061178406
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} - hxxp://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37915.4758680556
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} - hxxp://www.live365.com/players/play365.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: cbXNHYoN - cbXNHYoN.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: wigkwy.dll dxtldx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} - c:\windows\system32\cbXNHYoN.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxYqOF

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gabe\applic~1\mozilla\firefox\profiles\b4bojf4q.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://us.f378.mail.yahoo.com/ym/login?.rand=ejl5s4hid7f9i
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-1-9 201320]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-1-9 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-1-9 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-1-9 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-1-9 40488]
R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-9 203280]
R4 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-1-9 359248]
R4 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-1-9 144704]
R4 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\alias\maya 7.0 personal learning edition\docs\wrapper.exe [2004-7-16 126976]
S3 DCamUSBSvis;Sound Vision Stream Driver;c:\windows\system32\drivers\SvStream.sys [2003-12-4 91480]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-1-9 33832]

=============== Created Last 30 ================

2009-01-25 21:51 <DIR> --d----- c:\program files\Runtime Software
2009-01-25 21:41 129,024 a------- c:\windows\system32\dxtldx.dll
2009-01-25 21:41 129,024 a------- c:\windows\system32\aecxouxq.dll
2009-01-25 21:38 72,704 a------- c:\windows\system32\ybgjyhwx.dll
2009-01-25 21:38 414,277 a--sh--- c:\windows\system32\FOqYxGgh.ini
2009-01-25 21:38 413,839 a--sh--- c:\windows\system32\FOqYxGgh.ini2
2009-01-25 21:38 315,904 a------- c:\windows\system32\hgGxYqOF.dll
2009-01-25 21:33 21,504 a--sh--- c:\documents and settings\gabe\protect.dll
2009-01-25 21:33 21,504 a--sh--- c:\windows\system32\autochk.dll
2009-01-25 21:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\CrucialSoft Ltd
2009-01-25 21:32 36,352 a------- c:\windows\system32\cbXNHYoN.dll
2009-01-25 21:32 20,480 a------- c:\windows\system32\~.exe
2009-01-09 00:04 9,417 a------- c:\windows\system32\Config.MPF
2009-01-09 00:00 33,832 a------- c:\windows\system32\drivers\mferkdk.sys
2009-01-09 00:00 201,320 a------- c:\windows\system32\drivers\mfehidk.sys
2009-01-09 00:00 79,304 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-01-09 00:00 40,488 a------- c:\windows\system32\drivers\mfesmfk.sys
2009-01-09 00:00 35,240 a------- c:\windows\system32\drivers\mfebopk.sys
2009-01-09 00:00 113,952 a------- c:\windows\system32\drivers\Mpfp.sys
2009-01-08 23:59 <DIR> --d----- c:\program files\McAfee.com
2009-01-08 23:59 <DIR> --d----- c:\program files\common files\McAfee
2009-01-08 23:58 <DIR> --d----- c:\program files\McAfee
2009-01-03 17:23 1,085,440 a------- c:\windows\system32\rn.tmp

==================== Find3M ====================

2009-01-25 18:53 25,297 a------- c:\windows\system32\tablet.dat
2008-12-26 20:01 24,576 a------- c:\windows\system32\VundoFixSVC.exe
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-03 19:59 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 19:59 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-30 12:44 3,766 a------- c:\windows\mozver.dat
2007-12-13 23:51 94,080 a------- c:\docume~1\gabe\applic~1\ezplay.sys
2007-12-13 23:51 81,920 a------- c:\docume~1\gabe\applic~1\ezpinst.exe
2007-12-13 23:51 47,360 a------- c:\docume~1\gabe\applic~1\pcouffin.sys
2009-01-26 17:45 21,504 a--sh--- c:\windows\system32\autochk.dll
2007-06-07 22:21 2,568 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-06-13 00:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061320080614\index.dat

============= FINISH: 17:46:05.50 ===============


Thanks for the help it's really appreciated.

Gabe
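The DDS "Pseudo HJT Report" above is read by hand in this thread: unnamed BHOs pointing at random-looking DLLs in system32, Run entries that load DLLs through rundll32 from a user profile, rogue-AV domains in the IE Trusted Zone, an AppInit_DLLs entry, a Winlogon Notify package and an extra LSA authentication package. As an added example (not part of this thread, nor of DDS or ComboFix), the Python script below applies that same reading mechanically to lines in the DDS format. The sample lines are constructed from entries in the log above; the scoring rules (vowel-poor or case-jumbled DLL names, hex-named Run values, DLLs under a user profile, security-themed Trusted Zone domains) are my own assumptions and produce review candidates for a responder, not verdicts.

```python
"""Triage helper for the 'Pseudo HJT Report' section of a DDS log.

Added example, not part of the thread or of DDS itself. It scores load
points the way a responder reads them by hand and returns a list of
review candidates with a reason attached; it never decides on its own
that a file is malicious.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity kind line reason")

# Constructed sample in the DDS pseudo-HJT format, modelled on the posted log.
SAMPLE_LOG = r"""
uStart Page = hxxp://att.yahoo.com/
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: {56e72bdc-08ed-4788-9364-7fc15f46a05b} - c:\windows\system32\hgGxYqOF.dll
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
mRun: [10b92a33] rundll32.exe "c:\windows\system32\ybgjyhwx.dll",b
Trusted Zone: att.net
Trusted Zone: virusremover2008.com
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: cbXNHYoN - cbXNHYoN.dll
AppInit_DLLs: wigkwy.dll dxtldx.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\hgGxYqOF
"""

GUID = r"\{[0-9a-f-]{36}\}"
VOWELS = set("aeiou")
# Assumed keyword list: marketing words typical of rogue "security" products.
ROGUE_WORDS = ("virus", "spy", "malware", "guard", "safety", "security")


def looks_random(name):
    """Heuristic (assumption): a base name with almost no vowels or a jumble of
    case transitions (hgGxYqOF, ybgjyhwx) is unlikely to be vendor-chosen."""
    stem = re.sub(r"\.\w+$", "", name)
    if not (6 <= len(stem) <= 12 and stem.isalpha()):
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    transitions = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    return vowel_ratio < 0.2 or transitions >= 4


def check_line(line):
    """Return a Finding for one pseudo-HJT line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None
    # Browser add-ons / shell hooks that carry a GUID but no descriptive name.
    m = re.match(rf"^(BHO|TB|EB|SEH): ({GUID}) - (.+)$", line, re.I)
    if m:
        dll = m.group(3).rsplit("\\", 1)[-1]
        why = "unnamed browser add-on"
        if looks_random(dll):
            why += ", random-looking DLL name"
        return Finding("high", m.group(1).upper(), line, why)
    # Run values that launch a DLL through rundll32.
    m = re.match(r"^[um]Run: \[([^\]]+)\] rundll32\.exe\s+\"?([^\",]+)", line, re.I)
    if m:
        name, dll_path = m.group(1), m.group(2)
        reasons = []
        if re.fullmatch(r"[0-9a-f]{8}", name):
            reasons.append("hex value name")
        if re.search(r"\\docume~1\\|\\documents and settings\\", dll_path, re.I):
            reasons.append("DLL loaded from a user profile")
        if looks_random(dll_path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking DLL name")
        return Finding("high", "RUN", line, ", ".join(reasons)) if reasons else None
    # Every Trusted Zone entry relaxes IE security for that site; rogue-AV
    # themed names get the higher score.
    m = re.match(r"^Trusted Zone: (\S+)$", line)
    if m:
        if any(w in m.group(1).lower() for w in ROGUE_WORDS):
            return Finding("high", "TRUSTED", line, "security-themed domain in IE Trusted Zone")
        return Finding("low", "TRUSTED", line, "site granted relaxed IE security")
    # Winlogon notify packages run inside winlogon; a bare or random file name is suspect.
    m = re.match(r"^Notify: (\S+) - (.+)$", line)
    if m:
        target = m.group(2)
        if "\\" not in target or looks_random(target.rsplit("\\", 1)[-1]):
            return Finding("high", "NOTIFY", line, "Winlogon notify package with bare or random DLL name")
        return Finding("low", "NOTIFY", line, "Winlogon notify package")
    # AppInit_DLLs are loaded into every process that loads user32.dll.
    if re.match(r"^AppInit_DLLs: .+$", line):
        return Finding("high", "APPINIT", line, "DLLs injected into every process that loads user32")
    # The default LSA authentication package is msv1_0; anything else is extra.
    m = re.match(r"^LSA: Authentication Packages = (.+)$", line)
    if m:
        extra = [p for p in m.group(1).split() if p.lower() != "msv1_0"]
        if extra:
            return Finding("high", "LSA", line, "extra authentication package: " + " ".join(extra))
    return None


def triage(text):
    """Run check_line over a whole report; high-severity findings come first."""
    findings = [f for f in (check_line(l) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: (f.severity != "high", f.line))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.kind:8} {f.reason}\n         {f.line}")
```

Running it on the constructed sample lists seven high-severity candidates (the unnamed BHO, both rundll32 Run entries, the rogue-AV Trusted Zone domain, the bare Notify package, AppInit_DLLs and the extra LSA package) and two low ones (att.net and NavLogon). The scoring is deliberately coarse: legitimate vendor DLLs with odd names will also surface, which is why each finding carries its reason and is meant to be confirmed against the file's creation date, signer and the "Created Last 30" section before anything is removed.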



#2 miekiemoes (Malware Killer Dog, Malware Response Team, 19,420 posts, Belgium)

Posted 27 January 2009 - 04:18 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware has already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

As instructed on the above page, they recommend disabling your antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after reboot, since McAfee enables itself again after reboot. So please temporarily uninstall McAfee first, then reboot and then scan with ComboFix.

#3 myPRONEpc (Topic Starter, Members, 62 posts)

Posted 27 January 2009 - 09:51 PM

Thanks for the help Miekiemoes. Here's the Log...

ComboFix 09-01-21.04 - Gabe 2009-01-27 18:21:12.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1161 [GMT -8:00]
Running from: c:\documents and settings\Gabe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090125213349937.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\LOG\20090127180555359.log
c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
c:\windows\system32\~.exe
c:\windows\system32\aecxouxq.dll
c:\windows\system32\autochk.dll
c:\windows\system32\cbXNHYoN.dll
c:\windows\system32\dxtldx.dll
c:\windows\system32\FOqYxGgh.ini
c:\windows\system32\FOqYxGgh.ini2
c:\windows\system32\hgGxYqOF.dll
c:\windows\system32\icnfe.dll
c:\windows\system32\noogjlmb.dll
c:\windows\system32\nthst32.dll
c:\windows\system32\open.ico
c:\windows\system32\sezaak.dll
c:\windows\system32\xlidsmkc.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-26 06:54 . 2009-01-26 06:54 21,504 --ahs---- c:\documents and settings\NetworkService\protect.dll
2009-01-25 21:51 . 2009-01-25 21:51 <DIR> d-------- c:\program files\Runtime Software
2009-01-25 21:33 . 2009-01-25 21:33 21,504 --ahs---- c:\documents and settings\Gabe\protect.dll
2009-01-09 00:10 . 2009-01-09 00:10 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-09 00:04 . 2009-01-09 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-08 23:39 . 2009-01-27 18:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-03 17:23 . 2009-01-03 17:23 1,085,440 --a------ c:\windows\system32\rn.tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 15:15 --------- d-----w c:\documents and settings\Gabe\Application Data\Azureus
2009-01-13 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-09 07:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-09 07:54 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-09 07:54 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-09 07:53 --------- d-----w c:\program files\Symantec
2009-01-09 07:48 --------- d-----w c:\program files\Yahoo!
2008-12-27 04:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-27 04:28 --------- d-----w c:\documents and settings\Gabe\Application Data\Malwarebytes
2008-12-27 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 02:04 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-25 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 02:03 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-25 02:03 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-25 02:03 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-04 03:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2007-12-14 07:51 94,080 ----a-w c:\documents and settings\Gabe\Application Data\ezplay.sys
2007-12-14 07:51 81,920 ----a-w c:\documents and settings\Gabe\Application Data\ezpinst.exe
2007-12-14 07:51 47,360 ----a-w c:\documents and settings\Gabe\Application Data\pcouffin.sys
2008-12-20 01:54 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 01:54 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 01:54 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 01:54 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 01:54 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-08 06:21 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-13 08:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061320080614\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2007-01-27 1003520]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"updateMgr"="c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"autochk"="c:\docume~1\NETWOR~1\protect.dll" [2009-01-26 21504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-08 151597]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-15 4112384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2006-07-31 484864]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"autochk"="c:\windows\system32\autochk.dll" [2009-01-27 21504]
"nwiz"="nwiz.exe" [2004-07-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\Gabe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
ChkDisk.dll [2009-01-25 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2001-08-23 33280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-03-23 25214]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-08-06 217088]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-08-26 114688]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 00:00 45056 c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2003-07-02 09:03 57344 c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-11-08 19:21 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-06-19 19:55 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DVD Shrink\\DVD Shrink 3.2.exe"=
"c:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

R4 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-16 126976]
S3 DCamUSBSvis;Sound Vision Stream Driver;c:\windows\system32\drivers\SvStream.sys [2003-12-04 91480]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
- - - - ORPHANS REMOVED - - - -

BHO-{4cfb291f-dce6-4e7b-88ef-eca6398a9b26} - c:\windows\system32\sezaak.dll
BHO-{EA0298BA-FC01-4F50-9179-0137B0C4AAF0} - c:\windows\system32\hgGxYqOF.dll
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKCU-Run-MS AntiSpyware 2009 - c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe
MSConfigStartUp-Yahoo! Pager - c:\progra~1\Yahoo!\MESSEN~1\ypager.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Si&milar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: att.net
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: sbcglobal.net
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
Trusted Zone: yahoo.com
Trusted Zone: antimalwareguard.com
Trusted Zone: antispyexpert.com
Trusted Zone: avsystemcare.com
Trusted Zone: gomyhit.com
Trusted Zone: imageservr.com
Trusted Zone: imagesrvr.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: spyguardpro.com
Trusted Zone: storageguardsoft.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Tegrity-WebLearner-2317 - hxxp://tegrity.taftcollege.edu/tegrity/jmartinez/Bienvenidos%20a%20Espa%20ol%201!/class/TWebS.CAB
FF - ProfilePath - c:\documents and settings\Gabe\Application Data\Mozilla\Firefox\Profiles\b4bojf4q.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://us.f378.mail.yahoo.com/ym/login?.rand=ejl5s4hid7f9i
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-27 18:27:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\cw*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\PSIService.exe
c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\jre\bin\java.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\MsPMSPSv.exe
c:\combofix\hidec.exe
c:\program files\Yahoo!\browser\ybrwicon.exe
c:\program files\SBC Self Support Tool\SmartBridge\MotiveSB.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2009-01-27 18:35:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-28 02:33:59

Pre-Run: 54,189,592,576 bytes free
Post-Run: 54,327,537,664 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
276 --- E O F --- 2009-01-14 23:22:24

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:23 AM

Posted 28 January 2009 - 04:56 AM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\documents and settings\Gabe\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Gabe\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\autochk.dll
c:\windows\system32\rn.tmp
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Gabe\protect.dll
DDS::
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
Domains::
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
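As an added example (not a BleepingComputer or ComboFix tool, and not part of the original post), the triage pass below encodes the judgement behind the CFScript above: it walks a ComboFix-style log once and flags the persistence and defence-tampering entries that marked this infection, namely a Run value that loads a DLL instead of an executable, a Startup-folder .lnk aimed at rundll32.exe with a bare .dll dropped beside it, Security Center monitoring and the XP firewall switched off, BHOs living directly in system32, rogue-AV domains in the IE Trusted Zone, and generator-style DLL names. The sample log is constructed from entries quoted in this thread; the rogue-domain keyword list and the random-name heuristic are assumptions and produce candidates for a human to check, not verdicts.

```python
"""Triage pass over a ComboFix-style log (added example, not a ComboFix feature)."""
import re
from collections import Counter
from typing import Dict, List

VOWELS = set("aeiou")

# Vocabulary of the rogue-AV domains listed under "Trusted Zone" in the log above;
# the keyword list itself is an assumption, extend it as new families appear.
ROGUE_ZONE_KEYWORDS = ("antivirus", "antispy", "antimalware", "virusremover",
                       "spyguard", "safetydownload", "systemcare", "storageguard")

RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]+)"')
STARTUP_LNK = re.compile(r'^(?P<lnk>[^\\/:]+\.lnk) - (?P<target>\S.*?)(?: \[|$)', re.I)
STARTUP_DLL = re.compile(r'^[^\\/ ]+\.dll \[', re.I)
BHO = re.compile(r'^BHO-\{[0-9a-f-]+\} - (?P<path>.+\.dll)\s*$', re.I)
TRUSTED = re.compile(r'^Trusted Zone: (?P<domain>\S+)')
DLL_PATH = re.compile(r'[a-z]:\\[^\s"\[\]]+\.dll', re.I)
STARTUP_DIR = re.compile(r'^[a-z]:\\.*\\startup\\$', re.I)


def looks_random(stem: str) -> bool:
    """Heuristic for generator-style names: 8-letter lowercase stems that strictly
    alternate consonant/vowel (fasapako, jikurina), or mixed-case stems with many
    case switches and no CamelCase word chunks (hgGxYqOF). Candidates only."""
    if not (6 <= len(stem) <= 8 and stem.isalpha()):
        return False
    kinds = [c in VOWELS for c in stem.lower()]
    alternating = (len(stem) == 8 and stem.islower()
                   and all(a != b for a, b in zip(kinds, kinds[1:])))
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isupper() != b.isupper())
    longest_lower = max((len(r) for r in re.findall(r"[a-z]+", stem)), default=0)
    return alternating or (switches >= 4 and longest_lower <= 2)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the log once and return {'rule': ..., 'line': ...} findings."""
    findings: List[Dict[str, str]] = []
    current_key = ""       # lowercased [registry key] the following values belong to
    in_startup = False     # inside a "...\Startup\" folder listing

    def hit(rule: str, line: str) -> None:
        findings.append({"rule": rule, "line": line})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                       # a blank line ends the current block
            current_key, in_startup = "", False
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key, in_startup = line[1:-1].lower(), False
            continue
        if STARTUP_DIR.match(line):
            in_startup = True
            continue

        # 1. A Run value normally names an .exe; a .dll here means rundll32-style loading.
        m = RUN_VALUE.match(line)
        if m and current_key.endswith("\\run") and m["target"].lower().endswith(".dll"):
            hit("run_value_loads_dll", line)

        # 2. Startup folder: a .lnk aimed at rundll32.exe, or a bare .dll dropped beside it.
        if in_startup:
            m = STARTUP_LNK.match(line)
            if m and m["target"].lower().endswith("rundll32.exe"):
                hit("startup_lnk_via_rundll32", line)
            elif STARTUP_DLL.match(line):
                hit("bare_dll_in_startup_folder", line)

        # 3./4. Protections switched off: Security Center monitoring and the XP firewall.
        if "security center" in current_key and line.endswith('"DisableMonitoring"=dword:00000001'):
            hit("security_center_monitoring_disabled", line)
        if "firewallpolicy" in current_key and re.match(r'^"EnableFirewall"=\s*0\b', line):
            hit("windows_firewall_disabled", line)

        # 5. A BHO whose DLL sits directly in system32 rather than under a vendor folder.
        m = BHO.match(line)
        if m and re.search(r"\\system32\\[^\\]+\.dll$", m["path"], re.I):
            hit("bho_loaded_from_system32_root", line)

        # 6. Rogue-AV domains added to the IE Trusted Zone so their pages run unhindered.
        m = TRUSTED.match(line)
        if m and any(k in m["domain"].lower() for k in ROGUE_ZONE_KEYWORDS):
            hit("rogue_av_domain_in_trusted_zone", line)

        # 7. Any DLL path, wherever it appears, with a generator-style file name.
        for path in DLL_PATH.findall(line):
            if looks_random(path.rsplit("\\", 1)[-1][:-4]):
                hit("generator_style_dll_name", line)
    return findings


def rule_counts(log_text: str) -> Dict[str, int]:
    """Convenience view: how many lines each rule fired on."""
    return dict(Counter(f["rule"] for f in triage(log_text)))


# Constructed sample in ComboFix's layout, assembled from entries quoted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\windows\system32\autochk.dll" [2009-01-27 21504]
"nwiz"="nwiz.exe" [2004-07-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\Gabe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
ChkDisk.dll [2009-01-25 21504]
ChkDisk.lnk - c:\windows\system32\rundll32.exe [2001-08-23 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

BHO-{4cfb291f-dce6-4e7b-88ef-eca6398a9b26} - c:\windows\system32\sezaak.dll
BHO-{EA0298BA-FC01-4F50-9179-0137B0C4AAF0} - c:\windows\system32\hgGxYqOF.dll
Trusted Zone: att.net
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
c:\windows\system32\fasapako.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:36} {f['line']}")
```

Run it against a saved ComboFix.txt by passing the file's text to triage(); every finding carries the original log line so it can be pasted straight into a File:: or Registry:: section of a CFScript after a human has confirmed it. The name heuristic deliberately does not try to catch every Vundo drop (six-letter stems such as sezaak.dll pass it), because tightening it further starts flagging legitimate CamelCase vendor DLLs.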

#5 myPRONEpc (Topic Starter)

Posted 28 January 2009 - 09:25 AM

Hi, here's the new log...

ComboFix 09-01-21.04 - Gabe 2009-01-28 6:12:48.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1161 [GMT -8:00]
Running from: c:\documents and settings\Gabe\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gabe\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Gabe\protect.dll
c:\documents and settings\Gabe\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Gabe\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\NetworkService\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\rn.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Gabe\protect.dll
c:\documents and settings\Gabe\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Gabe\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\NetworkService\protect.dll
c:\windows\system32\autochk.dll
c:\windows\system32\rn.tmp

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-25 21:51 . 2009-01-25 21:51 <DIR> d-------- c:\program files\Runtime Software
2009-01-09 00:10 . 2009-01-09 00:10 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-09 00:04 . 2009-01-09 00:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-08 23:39 . 2009-01-27 18:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-23 15:15 --------- d-----w c:\documents and settings\Gabe\Application Data\Azureus
2009-01-13 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-09 07:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-09 07:54 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-09 07:54 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-09 07:53 --------- d-----w c:\program files\Symantec
2009-01-09 07:48 --------- d-----w c:\program files\Yahoo!
2008-12-27 04:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-12-27 04:28 --------- d-----w c:\documents and settings\Gabe\Application Data\Malwarebytes
2008-12-27 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-27 04:01 24,576 ----a-w c:\windows\system32\VundoFixSVC.exe
2008-12-25 02:04 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-25 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 02:03 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-25 02:03 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-25 02:03 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-04 03:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 03:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2007-12-14 07:51 94,080 ----a-w c:\documents and settings\Gabe\Application Data\ezplay.sys
2007-12-14 07:51 81,920 ----a-w c:\documents and settings\Gabe\Application Data\ezpinst.exe
2007-12-14 07:51 47,360 ----a-w c:\documents and settings\Gabe\Application Data\pcouffin.sys
2008-12-20 01:54 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 01:54 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 01:54 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 01:54 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 01:54 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2007-06-08 06:21 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-13 08:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061320080614\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-27_18.33.17.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-28 02:27:45 25,297 ----a-w c:\windows\system32\tablet.dat
+ 2009-01-28 02:48:16 25,297 ----a-w c:\windows\system32\tablet.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2007-01-27 1003520]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"updateMgr"="c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-08 151597]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-15 4112384]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2006-07-31 484864]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2004-07-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\Gabe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-03-23 25214]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-08-06 217088]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-08-26 114688]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 00:00 45056 c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2003-07-02 09:03 57344 c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-11-08 19:21 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-06-19 19:55 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DVD Shrink\\DVD Shrink 3.2.exe"=
"c:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

R4 mple7docserver;Maya 7 PLE Documentation Server;c:\program files\Alias\Maya 7.0 Personal Learning Edition\docs\wrapper.exe [2004-07-16 126976]
S3 DCamUSBSvis;Sound Vision Stream Driver;c:\windows\system32\drivers\SvStream.sys [2003-12-04 91480]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Si&milar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Tegrity-WebLearner-2317 - hxxp://tegrity.taftcollege.edu/tegrity/jmartinez/Bienvenidos%20a%20Espa%20ol%201!/class/TWebS.CAB
FF - ProfilePath - c:\documents and settings\Gabe\Application Data\Mozilla\Firefox\Profiles\b4bojf4q.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://us.f378.mail.yahoo.com/ym/login?.rand=ejl5s4hid7f9i
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 06:16:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\cw*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\System32\NavLogon.dll
.
Completion time: 2009-01-28 6:22:58
ComboFix-quarantined-files.txt 2009-01-28 14:22:31
ComboFix2.txt 2009-01-28 02:35:19

Pre-Run: 54,317,137,920 bytes free
Post-Run: 54,299,176,960 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
210 --- E O F --- 2009-01-14 23:22:24

#6 miekiemoes

Posted 28 January 2009 - 10:43 AM

Hi,

This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 11.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 11".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • Java™ 6 Update 5
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
Then go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#7 myPRONEpc (Topic Starter)

Posted 29 January 2009 - 12:44 AM

Hi miekiemoes, thanks very much for the help. Everything seems to be back to normal here, but I'll give it a few days and repost an all-clear. Thanks

Gabe

#8 miekiemoes

Posted 29 January 2009 - 03:49 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#9 miekiemoes

Posted 05 February 2009 - 06:56 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

#10 miekiemoes

Posted 21 February 2009 - 03:05 AM

Reopened:

Hi Miekiemoes, seems that the problem is back. I'd like to give it another shot if you'd help me. I was busy at work so wasn't running the home PC as frequently, but saw that it had gone back to its old hijacking ways a couple of days ago.

I'm sure you got reinfected again, because an infection doesn't come back after almost a month. :thumbup2:
Normally we don't reopen threads if people get reinfected and ask to start a new thread instead - otherwise this would be unfair for the ones who have never posted here and are waiting for help.
Anyway, this time I made an exception, so redownload Combofix again from the link I posted previously, run it and then post the log in your next reply.

#11 myPRONEpc (Topic Starter)

Posted 21 February 2009 - 04:05 AM

Thanks Miekiemoes. I had figured that there was something still wrong about 2 weekends ago. The PC had gone through a memory dump again, but like I said, it got aggressive two days ago. But thanks very much nonetheless :thumbup2:
here's the combofix log.....

ComboFix 09-02-19.01 - Gabe 2009-02-21 0:39:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1156 [GMT -8:00]
Running from: c:\documents and settings\Gabe\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\patch.exe
c:\windows\system32\~.exe
c:\windows\system32\bxugdh.dll
c:\windows\system32\ctuiiq.dll
c:\windows\system32\dusatalo.dll
c:\windows\system32\eedtaw.dll
c:\windows\system32\fasapako.dll
c:\windows\system32\fidezifa.dll
c:\windows\system32\fiwevoga.dll
c:\windows\system32\gorumiba.dll
c:\windows\system32\hagatogo.dll
c:\windows\system32\jekehafe.dll
c:\windows\system32\jggibr.dll
c:\windows\system32\jikurina.dll
c:\windows\system32\juhpmt.dll
c:\windows\system32\kahowuhi.dll
c:\windows\system32\kigisuro.dll
c:\windows\system32\ladasazo.dll
c:\windows\system32\lokoyimi.dll
c:\windows\system32\mohunebo.dll
c:\windows\system32\nuwemuno.dll
c:\windows\system32\patusuyi.dll
c:\windows\system32\pikiduwe.dll
c:\windows\system32\rijiraza.dll
c:\windows\system32\tovituta.dll
c:\windows\system32\uvabiwaz.ini
c:\windows\system32\varofeje.dll
c:\windows\system32\wetuyoje.dll
c:\windows\system32\yyzmoj.dll
c:\windows\system32\zawibavu.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-21 to 2009-02-21 )))))))))))))))))))))))))))))))
.

2009-02-04 02:28 . 2009-02-04 02:28 <DIR> d-------- c:\windows\system32\XPSViewer
2009-02-04 02:28 . 2009-02-04 02:28 <DIR> d-------- c:\program files\Reference Assemblies
2009-02-04 02:28 . 2009-02-04 02:28 <DIR> d-------- c:\program files\MSBuild
2009-02-04 02:27 . 2008-07-06 04:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-02-04 02:27 . 2008-07-06 04:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-02-04 02:27 . 2008-07-06 02:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-02-04 02:27 . 2008-07-06 04:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-02-04 02:27 . 2008-07-06 04:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-02-04 02:27 . 2008-07-06 04:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-02-04 02:27 . 2008-07-06 04:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-02-04 02:26 . 2009-02-04 06:53 <DIR> d-------- c:\windows\SxsCaPendDel
2009-01-28 21:36 . 2009-01-28 21:36 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 21:36 . 2009-01-28 21:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 21:51 . 2009-01-25 21:51 <DIR> d-------- c:\program files\Runtime Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-21 08:29 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-21 03:13 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-02-19 08:54 --------- d-----w c:\program files\Azureus
2009-02-18 08:10 --------- d-----w c:\documents and settings\Gabe\Application Data\Azureus
2009-01-29 05:36 --------- d-----w c:\program files\Java
2009-01-29 03:47 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-29 03:47 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-13 03:34 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-09 08:04 --------- d-----w c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-09 07:57 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-09 07:53 --------- d-----w c:\program files\Symantec
2009-01-09 07:48 --------- d-----w c:\program files\Yahoo!
2008-12-27 04:28 --------- d-----w c:\documents and settings\Gabe\Application Data\Malwarebytes
2008-12-27 04:28 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-25 02:04 --------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2008-12-25 02:04 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-25 02:03 --------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2008-12-25 02:03 --------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2008-12-25 02:03 --------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2007-12-14 07:51 94,080 ----a-w c:\documents and settings\Gabe\Application Data\ezplay.sys
2007-12-14 07:51 81,920 ----a-w c:\documents and settings\Gabe\Application Data\ezpinst.exe
2007-12-14 07:51 47,360 ----a-w c:\documents and settings\Gabe\Application Data\pcouffin.sys
2007-06-08 06:21 2,568 --sha-w c:\windows\system32\KGyGaAvL.sys
2008-06-13 08:23 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008061320080614\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RealPlayer"="c:\program files\Real\RealOne Player\realplay.exe" [2007-01-27 1003520]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-06-07 4670968]
"updateMgr"="c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2003-11-08 151597]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-07-15 4112384]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2006-02-23 278528]
"LiveMonitor"="c:\program files\MSI\Live Update 3\LMonitor.exe" [2006-07-31 484864]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-07-15 81920]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"Adobe Version Cue CS2"="c:\program files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 856064]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 483328]
"YBrowser"="c:\progra~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 129536]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"nwiz"="nwiz.exe" [2004-07-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\Gabe\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2007-03-23 25214]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2001-10-21 110592]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
SBC Self Support Tool.lnk - c:\program files\SBC Self Support Tool\bin\matcli.exe [2007-08-06 217088]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2006-08-26 114688]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2006-10-03 54776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.D263"= xl_x263dec.dll
"VIDC.YV12"= xl_yv12.dll
"VIDC.XJPG"= camfc.dll
"SENTINEL"= snti386.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--------- 2003-06-18 00:00 45056 c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--------- 2003-07-02 09:03 57344 c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2003-11-08 19:21 151597 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-06-19 19:55 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\DVD Shrink\\DVD Shrink 3.2.exe"=
"c:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"c:\\Program Files\\Microsoft Office\\OFFICE11\\FRONTPG.EXE"=
"c:\\Program Files\\Autodesk\\Maya 8.5 Personal Learning Edition\\bin\\maya.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

S3 DCamUSBSvis;Sound Vision Stream Driver;c:\windows\system32\drivers\SvStream.sys [2003-12-04 91480]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon
.
- - - - ORPHANS REMOVED - - - -

BHO-{50f5d7e7-9c31-44c6-8a56-5bea4e2ecb30} - c:\windows\system32\ctuiiq.dll
BHO-{8ee62168-8112-4d66-95c7-1c341d251cc4} - c:\windows\system32\gorumiba.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
IE: Backward &Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Si&milar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
IE: Translate into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: Tegrity-WebLearner-2317 - hxxp://tegrity.taftcollege.edu/tegrity/jmartinez/Bienvenidos%20a%20Espa%20ol%201!/class/TWebS.CAB
FF - ProfilePath - c:\documents and settings\Gabe\Application Data\Mozilla\Firefox\Profiles\b4bojf4q.default\
FF - prefs.js: browser.search.selectedEngine - eBay
FF - prefs.js: browser.startup.homepage - hxxp://us.f378.mail.yahoo.com/ym/login?.rand=ejl5s4hid7f9i
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07010901.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-21 00:46:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\cw*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\System32\NavLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\pctspk.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\UAService7.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\progra~1\Yahoo!\browser\ycommon.exe
c:\program files\SBC Self Support Tool\bin\mpbtn.exe
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-21 0:55:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-21 08:55:10
ComboFix2.txt 2009-01-28 14:23:00

Pre-Run: 51,820,367,872 bytes free
Post-Run: 52,594,323,456 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=3 Sets=1,2,3,4
250 --- E O F --- 2009-02-11 09:04:01

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:23 AM

Posted 21 February 2009 - 04:10 AM

Hi,

I see Combofix already solved your problem.
Anyway, you got infected again, because this piece of malware is different from the previous malware you were dealing with. I'm pretty sure that you got infected after downloading files/programs via P2P, because I see the folder Azureus being modified recently :thumbup2:
Also, the malware you're dealing with comes in 80% of the cases with P2P software.

So, I really hope you read my prevention page once again (I posted previously) to prevent this in the future.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#13 myPRONEpc

myPRONEpc
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:11:23 PM

Posted 23 February 2009 - 03:03 AM

Thanks Miekiemoes, everything seems to be back to normal.

#14 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:23 AM

Posted 23 February 2009 - 05:04 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Belgium
  • Local time:08:23 AM

Posted 24 February 2009 - 08:44 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
