
Infected with Vundo Trojan


  • This topic is locked
6 replies to this topic

#1 darkzero1986

darkzero1986

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 27 January 2009 - 03:46 PM

Hi,

I was infected with a variation of the Vundo virus from an unknown source. A popup is generated every minute while browsing on Mozilla Firefox which contains 3 tabs - 2 of which explore the Firefox folder in my system and 1 which is a Google search error message. I have tried running anti-malware scans such as Malwarebytes' Anti-Malware, Spybot S&D and VundoFix but with no success of complete removal of the virus. Attached are my log files. Thank you for your time and kind attention.


DDS (Ver_09-01-19.01) - NTFSx86
Run by Paul's at 20:34:31.12 on Tue 01/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.592 [GMT 0:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul's\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=64&bd=presario&pf=laptop
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO.dll
BHO: {3f5e1592-b17b-4026-9cda-cc2453c2b56c} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} - hxxp://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Notify: wvUoPgGY - wvUoPgGY.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\windows\system32\pesotufu.dll ibuzfs.dll tbjdve.dll
LSA: Notification Packages = scecli c:\windows\system32\pesotufu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul's\applic~1\mozilla\firefox\profiles\0o90moui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-27 206096]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S3 Se2tr4xiwhsd;Se2tr4xiwhsd; [x]

=============== Created Last 30 ================

2009-01-27 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-01-27 14:49 <DIR> --d----- c:\docume~1\paul's\applic~1\Red Alert 3
2009-01-27 14:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-27 14:49 <DIR> --d----- C:\ProgramData
2009-01-27 14:48 3,624 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-27 14:21 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-01-27 14:21 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-01-27 14:21 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-01-27 14:21 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2009-01-27 14:21 444,776 a------- c:\windows\system32\d3dx10_35.dll
2009-01-27 14:20 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-01-27 14:20 <DIR> --d----- c:\windows\Logs
2009-01-27 13:25 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-27 13:24 <DIR> --d----- c:\program files\common files\McAfee
2009-01-27 13:24 <DIR> --d----- c:\program files\McAfee
2009-01-27 13:15 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-27 10:36 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-27 10:36 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-27 10:32 <DIR> --d----- C:\VundoFix Backups
2009-01-27 01:51 69,632 a------- c:\windows\RAUNINST.EXE
2009-01-27 01:51 <DIR> --d----- C:\WESTWOOD
2009-01-26 20:23 <DIR> --d----- C:\_OTScanIt
2009-01-25 20:19 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-25 20:19 66,048 a------- c:\windows\ieResetIcons.exe
2009-01-25 17:27 268 a---h--- C:\sqmdata15.sqm
2009-01-25 17:27 244 a---h--- C:\sqmnoopt16.sqm
2009-01-25 01:00 121 ---sh--- c:\windows\system32\awipiyug.ini
2009-01-20 15:00 133,457 a--sh--- c:\windows\system32\tbjdve.dll
2009-01-11 17:33 <DIR> --d----- C:\Legend
2009-01-11 17:30 <DIR> --d-h--- c:\windows\PIF
2009-01-11 09:17 268 a---h--- C:\sqmdata13.sqm
2009-01-11 09:17 244 a---h--- C:\sqmnoopt15.sqm
2009-01-11 09:17 244 a---h--- C:\sqmnoopt14.sqm
2009-01-11 09:17 136 a---h--- C:\sqmdata14.sqm
2009-01-06 16:39 <DIR> --d----- c:\docume~1\paul's\applic~1\Malwarebytes
2009-01-06 16:39 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-06 16:39 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 16:39 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 16:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-01 06:59 121 ---sh--- c:\windows\system32\urovulin.ini
2009-01-01 06:16 30 ---sh--- c:\windows\system32\puwudaza.dll

==================== Find3M ====================

2009-01-25 01:00 99,817 a--sh--- c:\windows\system32\sufazibu.dll
2009-01-20 15:00 133,457 a--sh--- c:\windows\system32\sehejova.dll
2009-01-04 09:12 97,032 a--sh--- c:\windows\system32\bikojoki.dll
2009-01-01 06:59 99,160 a------- c:\windows\system32\nupibowe.dll
2008-12-31 18:58 96,860 a------- c:\windows\system32\wawobube.dll
2008-12-31 06:19 99,004 a------- c:\windows\system32\tofijahi.dll
2008-12-30 17:14 96,954 a--sh--- c:\windows\system32\sututiya.dll
2008-12-30 10:37 62,714 a--sh--- c:\windows\system32\duvubuse.dll
2008-12-28 13:01 61,168 a--sh--- c:\windows\system32\sebasasa.dll
2008-12-23 22:09 63,755 a--sh--- c:\windows\system32\golosufu.dll
2008-12-18 07:18 93,882 a------- c:\windows\system32\diwihimo.dll
2008-12-17 19:10 94,821 a------- c:\windows\system32\digukifi.dll
2008-12-17 07:10 95,031 a------- c:\windows\system32\sahoruhe.dll
2008-12-08 21:04 65,024 a------- c:\windows\system32\byXPfdCT.dll
2008-12-04 22:46 78,349 a------- c:\windows\War3Unin.dat
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:45 196,608 a------- c:\windows\system32\dtu100.dll
2008-11-21 21:45 81,920 a------- c:\windows\system32\dpl100.dll
2008-11-21 21:45 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-11-21 21:45 344,064 a------- c:\windows\system32\dpus11.dll
2008-11-21 21:45 294,912 a------- c:\windows\system32\dpu11.dll
2008-11-21 21:45 294,912 a------- c:\windows\system32\dpu10.dll
2008-11-21 21:45 57,344 a------- c:\windows\system32\dpv11.dll
2008-11-21 21:45 53,248 a------- c:\windows\system32\dpuGUI10.dll
2007-05-16 05:52 37,873,216 a------- c:\program files\iTunesSetup.exe
2007-05-13 05:17 21,407,888 a------- c:\program files\avg.exe
2007-05-12 19:27 48,514,502 a------- c:\program files\flashmx_trial_en.exe
2007-05-12 18:43 1,207,301 a------- c:\program files\wrar37b8.exe
2007-05-12 17:12 153,336 a------- c:\program files\RealPlayer10-5GOLD.exe
2007-06-15 07:55 11,931 ---sh--- c:\windows\system32\SRVH0ST.exe
2008-09-28 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat
2005-08-02 16:46 187,904 a--shr-- c:\windows\ugf1bcbmawv3\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\ugf1bcbmawv3\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\ugf1bcbmawv3\o3IYvF1guqpa.vbs

============= FINISH: 20:35:35.15 ===============
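The DDS report above carries the classic Vundo footprint: an AppInit_DLLs value and an LSA Notification Packages value pointing at pesotufu.dll, a Winlogon Notify entry for wvUoPgGY.dll, and a run of hidden+system DLL/INI files with random eight-letter names in system32. The script below is an added example (not from the original post, DDS, or BleepingComputer) that parses such a log and flags those entries; the sample excerpt is copied from the log above, while the random-name heuristic, the scecli allow-list and the severity labels are assumptions of this example.

```python
"""Triage a DDS log for the persistence points abused by Vundo-family infections.

Added example, not part of the forum post. The heuristics and severity labels
are assumptions made here; DDS itself only lists the entries.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpt copied from the DDS log in the post above (Pseudo HJT Report,
# Created Last 30 and Find3M sections), trimmed to the lines of interest.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
Notify: wvUoPgGY - wvUoPgGY.dll
AppInit_DLLs: c:\progra~1\google\google~2\goec62~1.dll c:\windows\system32\pesotufu.dll ibuzfs.dll tbjdve.dll
LSA: Notification Packages = scecli c:\windows\system32\pesotufu.dll
=============== Created Last 30 ================
2009-01-27 14:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-25 01:00 121 ---sh--- c:\windows\system32\awipiyug.ini
2009-01-20 15:00 133,457 a--sh--- c:\windows\system32\tbjdve.dll
==================== Find3M ====================
2009-01-25 01:00 99,817 a--sh--- c:\windows\system32\sufazibu.dll
2009-01-04 09:12 97,032 a--sh--- c:\windows\system32\bikojoki.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" | "medium" | "low" (labels assumed for this example)
    category: str
    detail: str


# Assumption: scecli is the only LSA notification package expected on a clean XP box.
KNOWN_LSA_PACKAGES = {"scecli"}
SYSTEM32 = "c:\\windows\\system32\\"
# Assumption: Vundo drops DLL/INI files with 6-8 random lowercase letters as the stem.
RANDOM_STEM = re.compile(r"^[a-z]{6,8}$")

# DDS file line: "<date> <time> <size|<DIR>> <8-char attributes> <path>"
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+"
    r"(?P<path>.+)$"
)


def _looks_random(path: str) -> bool:
    """True for a .dll/.ini whose file-name stem is 6-8 lowercase letters."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, _, ext = name.rpartition(".")
    return ext in {"dll", "ini"} and bool(RANDOM_STEM.match(stem))


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious persistence entries found in a DDS log."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into every user32-linked process.
            for dll in line.split(":", 1)[1].split():
                if "\\" not in dll or _looks_random(dll):   # bare name or random name
                    findings.append(Finding("high", "AppInit_DLLs", dll))
        elif line.startswith("LSA: Notification Packages ="):
            # Loaded into lsass.exe; anything beyond scecli is worth a look.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() not in KNOWN_LSA_PACKAGES:
                    findings.append(Finding("high", "LSA Notification Packages", pkg))
        elif line.startswith("Notify:"):
            # Winlogon Notify DLLs run inside winlogon.exe at logon.
            findings.append(Finding("high", "Winlogon Notify", line.split(":", 1)[1].strip()))
        elif line.startswith(("BHO:", "TB:")) and line.endswith("- No File"):
            findings.append(Finding("low", "orphaned entry", line))
        else:
            m = FILE_LINE.match(line)
            if m:
                attrs, path = m["attrs"], m["path"]
                hidden_system = "s" in attrs and "h" in attrs and "d" not in attrs
                if hidden_system and path.lower().startswith(SYSTEM32) and _looks_random(path):
                    findings.append(Finding("medium", "hidden+system file in system32", path))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.category}: {f.detail}")
    print(summarize(results))
```

Run against the excerpt it reports five high findings (three AppInit_DLLs entries, the LSA package and the Winlogon Notify hook), four hidden+system random-name files and one orphaned BHO; legitimate files such as libdivx.dll and CmdLineExt.dll are not flagged.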



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 03 February 2009 - 05:12 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please never rename ComboFix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it will produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 darkzero1986

darkzero1986
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:12:58 AM

Posted 05 February 2009 - 02:30 PM

Hi,

My ComboFix log is as follows:

ComboFix 09-02-04.04 - Paul's 2009-02-05 19:10:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.325 [GMT 0:00]
Running from: c:\documents and settings\Paul's\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul's\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Paul's\Temporary Internet Files\fbk.sts
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\afitelud.ini
c:\windows\system32\alemitow.ini
c:\windows\system32\anesuzen.ini
c:\windows\system32\avadijev.ini
c:\windows\system32\awipiyug.ini
c:\windows\system32\devawije.dll
c:\windows\system32\dibojine.dll
c:\windows\system32\duletifa.dll
c:\windows\system32\duvubuse.dll
c:\windows\system32\enijobid.ini
c:\windows\system32\enoseroh.ini
c:\windows\system32\eyaviyus.ini
c:\windows\system32\fihiwiku.dll
c:\windows\system32\fukafati.dll
c:\windows\system32\gakewake.dll
c:\windows\system32\gejuzuge.dll
c:\windows\system32\golosufu.dll
c:\windows\system32\huzegeko.dll
c:\windows\system32\ibikayan.ini
c:\windows\system32\isevufuz.ini
c:\windows\system32\kuhajima.dll
c:\windows\system32\mariwovu.dll
c:\windows\system32\nayakibi.dll
c:\windows\system32\nezejage.dll
c:\windows\system32\nezusena.dll
c:\windows\system32\nisinupo.dll
c:\windows\system32\oweguwaw.ini
c:\windows\system32\puwudaza.dll
c:\windows\system32\sebasasa.dll
c:\windows\system32\sehejova.dll
c:\windows\system32\sosadowe.dll
c:\windows\system32\sufazibu.dll
c:\windows\system32\sututiya.dll
c:\windows\system32\suyivaye.dll
c:\windows\system32\tbjdve.dll
c:\windows\system32\tivijaro.dll
c:\windows\system32\ukiwihif.ini
c:\windows\system32\urovulin.ini
c:\windows\system32\uwepilaz.ini
c:\windows\system32\vejidava.dll
c:\windows\system32\vunuwime.dll
c:\windows\system32\wetewutu.dll
c:\windows\system32\wotimela.dll
c:\windows\system32\wuyedifu.dll
c:\windows\system32\yidonizo.dll
c:\windows\system32\zalipewu.dll
c:\windows\system32\zufuvesi.dll
c:\windows\system32\zuninipi.dll
c:\windows\Tasks\wtwicain.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-05 19:20 . 2009-02-05 19:20 <DIR> d-------- c:\windows\LastGood
2009-01-29 23:40 . 2009-01-29 23:40 <DIR> d-------- c:\program files\Opera
2009-01-28 17:02 . 2009-01-28 17:02 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-01-27 17:21 . 2009-01-31 06:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SACore
2009-01-27 16:36 . 2009-01-27 16:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-27 14:49 . 2009-01-27 14:49 <DIR> d-------- C:\ProgramData
2009-01-27 14:49 . 2009-01-27 14:49 <DIR> dr-h----- c:\documents and settings\Paul's\Application Data\SecuROM
2009-01-27 14:49 . 2009-01-27 14:50 <DIR> d-------- c:\documents and settings\Paul's\Application Data\Red Alert 3
2009-01-27 14:49 . 2009-01-27 14:49 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-27 14:48 . 2009-01-27 14:48 3,624 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-01-27 14:21 . 2009-01-27 14:49 <DIR> d-------- c:\program files\Electronic Arts
2009-01-27 14:21 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-27 14:21 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2009-01-27 14:21 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2009-01-27 14:21 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2009-01-27 14:21 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2009-01-27 14:20 . 2009-01-27 14:20 <DIR> d-------- c:\windows\Logs
2009-01-27 14:20 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2009-01-27 13:25 . 2009-01-27 13:25 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-27 13:25 . 2009-01-27 13:25 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-27 13:24 . 2009-01-27 16:18 <DIR> d-------- c:\program files\McAfee
2009-01-27 13:24 . 2009-01-27 13:24 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-27 13:24 . 2009-01-27 13:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-27 13:24 . 2009-01-27 13:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-27 10:36 . 2009-01-27 10:36 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-27 10:36 . 2009-01-27 10:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-27 10:32 . 2009-01-27 10:32 <DIR> d-------- C:\VundoFix Backups
2009-01-27 01:51 . 2009-01-27 01:51 <DIR> d-------- C:\WESTWOOD
2009-01-27 01:51 . 1996-11-06 19:11 69,632 --a------ c:\windows\RAUNINST.EXE
2009-01-26 20:23 . 2009-01-26 20:23 <DIR> d-------- C:\_OTScanIt
2009-01-25 20:19 . 2006-11-07 13:01 66,048 --a------ c:\windows\ieResetIcons.exe
2009-01-25 20:19 . 2009-01-25 20:19 230 --a------ c:\windows\system32\spupdsvc.inf
2009-01-25 17:27 . 2009-01-25 17:27 268 --ah----- C:\sqmdata15.sqm
2009-01-25 17:27 . 2009-01-25 17:27 244 --ah----- C:\sqmnoopt16.sqm
2009-01-11 17:33 . 2009-01-11 17:33 <DIR> d-------- C:\Legend
2009-01-11 17:30 . 2009-01-11 17:30 <DIR> d--h----- c:\windows\PIF
2009-01-11 09:17 . 2009-01-11 09:17 268 --ah----- C:\sqmdata13.sqm
2009-01-11 09:17 . 2009-01-11 09:17 244 --ah----- C:\sqmnoopt15.sqm
2009-01-11 09:17 . 2009-01-11 09:17 244 --ah----- C:\sqmnoopt14.sqm
2009-01-11 09:17 . 2009-01-11 09:17 136 --ah----- C:\sqmdata14.sqm
2009-01-06 16:39 . 2009-01-26 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 16:39 . 2009-01-06 16:39 <DIR> d-------- c:\documents and settings\Paul's\Application Data\Malwarebytes
2009-01-06 16:39 . 2009-01-06 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 16:39 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 16:39 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 18:58 --------- d-----w c:\documents and settings\Paul's\Application Data\Skype
2009-02-05 18:56 --------- d-----w c:\documents and settings\Paul's\Application Data\skypePM
2009-02-02 17:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-27 14:49 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 13:17 --------- d-----w c:\program files\Java
2009-01-27 10:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-27 10:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 08:17 --------- d-----w c:\program files\Warcraft III
2008-12-27 10:52 --------- d-----w c:\documents and settings\Paul's\Application Data\LimeWire
2008-12-26 05:41 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-12-20 04:54 --------- d-----w c:\program files\LimeWire
2008-12-19 10:38 --------- d-----w c:\program files\Google
2008-12-18 19:36 --------- d-----w c:\program files\Common Files\LogiShrd
2008-12-18 19:30 --------- d-----w c:\program files\Common Files\Logitech
2008-12-18 19:29 --------- d-----w c:\program files\Logitech
2008-12-18 11:21 --------- d-----w c:\program files\FreeMind
2008-12-17 13:28 --------- d-----w c:\program files\Common Files\Java
2008-12-17 13:26 --------- d-----w c:\program files\Buzan Online
2008-12-11 17:52 --------- d-----w c:\program files\RaybanMirror
2008-12-11 17:51 --------- d-----w c:\documents and settings\Paul's\Application Data\Fit3DLive
2008-12-10 04:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-12-08 21:22 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!
2008-12-05 00:51 --------- d-----w c:\program files\DivX
2007-05-16 05:52 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-13 05:17 21,407,888 ----a-w c:\program files\avg.exe
2007-05-12 19:27 48,514,502 ----a-w c:\program files\flashmx_trial_en.exe
2007-05-12 18:43 1,207,301 ----a-w c:\program files\wrar37b8.exe
2007-05-12 17:12 153,336 ----a-w c:\program files\RealPlayer10-5GOLD.exe
2007-06-15 07:55 11,931 --sh--w c:\windows\system32\SRVH0ST.exe
2008-09-28 17:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
2005-08-02 16:46 187,904 --sha-r c:\windows\UGF1bCBMaWV3\asappsrv.dll
2005-08-02 16:58 293,888 --sha-r c:\windows\UGF1bCBMaWV3\command.exe
2005-07-29 16:24 472 --sha-r c:\windows\UGF1bCBMaWV3\o3IYvF1guqpa.vbs
.

------- Sigcheck -------

2005-07-03 10:09 659456 6e533d155b259eb2363d3e04b5be309f c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
2007-03-07 17:40 823296 b8f4db39ca7353752f245379d285c80e c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 09:08 823808 431defbb4a3d7b0dc062c1b064623a2f c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 14:40 824320 d6ed5e042c5207553e7f5e842918137f c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 10:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 23:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 02:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 13:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 03:35 827392 41546b396a526918da7995a02ea04e51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 16:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 09:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 20:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2006-03-16 04:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB896727$\wininet.dll
2006-01-09 18:02 662016 dde9597a3311748c1519444e2bc147bd c:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 08:31 664576 d207370287cf769aebebf03837784963 c:\windows\$NtUninstallKB925454$\wininet.dll
2007-03-07 17:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 c:\windows\ie7updates\KB933566-IE7\wininet.dll
2007-10-10 23:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
2008-03-01 13:06 826368 ad21461aef8244edec2ef18e55e1dcf3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-06-23 16:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-04-14 00:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-10-16 10:37 659456 6f1e4bfd78c4e0d05ff3725d59b72925 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\wininet.dll
2008-10-16 10:20 667648 93c9d0a216498ee14eb9b26119bb95ee c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\wininet.dll
2008-10-16 01:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\wininet.dll
2008-10-16 01:04 667136 e8fce58a470999350f64c591557f9e42 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\wininet.dll
2006-10-23 15:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\system32\wininet.dll
2006-10-23 15:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-03 241152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185896]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-27 136600]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\Program Files\\Internet Explorer\\iedw.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16233:TCP"= 16233:TCP:BitComet 16233 TCP
"16233:UDP"= 16233:UDP:BitComet 16233 UDP

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-27 206096]
S3 Se2tr4xiwhsd;Se2tr4xiwhsd; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ba35242-0836-11dc-a6df-0016d3113049}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6231cfa0-a9e8-11db-a675-0016d3113049}]
\Shell\Auto\command - H:\udisk.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL udisk.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7780c325-1398-11dc-a6f0-0016d3113049}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7a71711-6739-11dc-a75b-0016d3113049}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef9c15b7-231c-11dc-a709-0016d3113049}]
\Shell\Auto\command - F:\udisk.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL udisk.exe e
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3f5e1592-b17b-4026-9cda-cc2453c2b56c} - (no file)
BHO-{7e26c2ee-a843-49c8-ab4b-1262eca8d57f} - c:\windows\system32\nisinupo.dll
HKLM-Run-jazefisano - c:\windows\system32\neruvowu.dll
Notify-wvUoPgGY - wvUoPgGY.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} - hxxp://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
FF - ProfilePath - c:\documents and settings\Paul's\Application Data\Mozilla\Firefox\Profiles\0o90moui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 19:21:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3459262004-2373878787-672632822-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{45F47FFF-90CF-0EB0-2432-A695AD0351EE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3459262004-2373878787-672632822-1005\Software\SecuROM\License information*]
"datasecu"=hex:5b,57,d1,21,00,c2,3d,f2,94,3a,d8,a0,80,98,b1,b6,d3,c2,8c,0d,a5,
ee,ea,32,87,6b,7a,0b,59,a8,e6,46,2d,fe,42,39,ef,71,c9,b6,99,f6,c9,45,6f,62,\
"rkeysecu"=hex:2e,84,61,1f,19,fd,8b,25,bb,38,b3,5f,2e,bd,d3,38
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-02-05 19:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 19:26:35

Pre-Run: 16,037,728,256 bytes free
Post-Run: 16,042,954,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

361 --- E O F --- 2008-12-13 03:03:53

My new HijackThis log is as follows:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Paul's at 19:27:06.28 on Thu 02/05/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.466 [GMT 0:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Paul's\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} - hxxp://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul's\applic~1\mozilla\firefox\profiles\0o90moui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-27 206096]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]
S3 Se2tr4xiwhsd;Se2tr4xiwhsd; [x]

=============== Created Last 30 ================

2009-02-05 19:06 <DIR> a-dshr-- C:\cmdcons
2009-02-05 19:04 161,792 a------- c:\windows\SWREG.exe
2009-02-05 19:04 98,816 a------- c:\windows\sed.exe
2009-01-28 17:02 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-01-27 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-01-27 14:49 <DIR> --d----- c:\docume~1\paul's\applic~1\Red Alert 3
2009-01-27 14:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-27 14:49 <DIR> --d----- C:\ProgramData
2009-01-27 14:48 3,624 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-27 14:21 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-01-27 14:21 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-01-27 14:21 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-01-27 14:21 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2009-01-27 14:21 444,776 a------- c:\windows\system32\d3dx10_35.dll
2009-01-27 14:20 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-01-27 14:20 <DIR> --d----- c:\windows\Logs
2009-01-27 13:25 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-27 13:24 <DIR> --d----- c:\program files\common files\McAfee
2009-01-27 13:24 <DIR> --d----- c:\program files\McAfee
2009-01-27 13:15 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-27 10:36 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-27 10:36 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-27 10:32 <DIR> --d----- C:\VundoFix Backups
2009-01-27 01:51 69,632 a------- c:\windows\RAUNINST.EXE
2009-01-27 01:51 <DIR> --d----- C:\WESTWOOD
2009-01-26 20:23 <DIR> --d----- C:\_OTScanIt
2009-01-25 20:19 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-25 20:19 66,048 a------- c:\windows\ieResetIcons.exe
2009-01-25 17:27 268 a---h--- C:\sqmdata15.sqm
2009-01-25 17:27 244 a---h--- C:\sqmnoopt16.sqm
2009-01-11 17:33 <DIR> --d----- C:\Legend
2009-01-11 17:30 <DIR> --d-h--- c:\windows\PIF
2009-01-11 09:17 268 a---h--- C:\sqmdata13.sqm
2009-01-11 09:17 244 a---h--- C:\sqmnoopt15.sqm
2009-01-11 09:17 244 a---h--- C:\sqmnoopt14.sqm
2009-01-11 09:17 136 a---h--- C:\sqmdata14.sqm

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 09:12 97,032 a--sh--- c:\windows\system32\bikojoki.dll
2009-01-01 06:59 99,160 a------- c:\windows\system32\nupibowe.dll
2008-12-31 18:58 96,860 a------- c:\windows\system32\wawobube.dll
2008-12-31 06:19 99,004 a------- c:\windows\system32\tofijahi.dll
2008-12-18 07:18 93,882 a------- c:\windows\system32\diwihimo.dll
2008-12-17 19:10 94,821 a------- c:\windows\system32\digukifi.dll
2008-12-17 07:10 95,031 a------- c:\windows\system32\sahoruhe.dll
2008-12-08 21:04 65,024 a------- c:\windows\system32\byXPfdCT.dll
2008-12-04 22:46 78,349 a------- c:\windows\War3Unin.dat
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:45 196,608 a------- c:\windows\system32\dtu100.dll
2008-11-21 21:45 81,920 a------- c:\windows\system32\dpl100.dll
2008-11-21 21:45 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-11-21 21:45 344,064 a------- c:\windows\system32\dpus11.dll
2008-11-21 21:45 294,912 a------- c:\windows\system32\dpu11.dll
2008-11-21 21:45 294,912 a------- c:\windows\system32\dpu10.dll
2008-11-21 21:45 57,344 a------- c:\windows\system32\dpv11.dll
2008-11-21 21:45 53,248 a------- c:\windows\system32\dpuGUI10.dll
2007-05-16 05:52 37,873,216 a------- c:\program files\iTunesSetup.exe
2007-05-13 05:17 21,407,888 a------- c:\program files\avg.exe
2007-05-12 19:27 48,514,502 a------- c:\program files\flashmx_trial_en.exe
2007-05-12 18:43 1,207,301 a------- c:\program files\wrar37b8.exe
2007-05-12 17:12 153,336 a------- c:\program files\RealPlayer10-5GOLD.exe
2007-06-15 07:55 11,931 ---sh--- c:\windows\system32\SRVH0ST.exe
2008-09-28 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat
2005-08-02 16:46 187,904 a--shr-- c:\windows\ugf1bcbmawv3\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\ugf1bcbmawv3\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\ugf1bcbmawv3\o3IYvF1guqpa.vbs

============= FINISH: 19:27:26.68 ===============


Thanks a lot for your kind attention.


#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 06 February 2009 - 01:27 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
Se2tr4xiwhsd

File::
c:\windows\system32\bikojoki.dll
c:\windows\system32\nupibowe.dll
c:\windows\system32\wawobube.dll
c:\windows\system32\tofijahi.dll
c:\windows\system32\diwihimo.dll
c:\windows\system32\digukifi.dll
c:\windows\system32\sahoruhe.dll
c:\windows\system32\byXPfdCT.dll
c:\windows\system32\SRVH0ST.exe

Folder::
c:\windows\UGF1bCBMaWV3

RegNull::
[HKEY_USERS\S-1-5-21-3459262004-2373878787-672632822-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{45F47FFF-90CF-0EB0-2432-A695AD0351EE}*]

RegLock::
[HKEY_USERS\S-1-5-21-3459262004-2373878787-672632822-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{45F47FFF-90CF-0EB0-2432-A695AD0351EE}*]

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ba35242-0836-11dc-a6df-0016d3113049}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6231cfa0-a9e8-11db-a675-0016d3113049}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7780c325-1398-11dc-a6f0-0016d3113049}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7a71711-6739-11dc-a75b-0016d3113049}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef9c15b7-231c-11dc-a709-0016d3113049}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Image: animation showing CFScript.txt being dragged onto ComboFix.exe]

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 06 February 2009 - 01:29 AM.



#5 darkzero1986

  • Topic Starter
  • Members
  • 3 posts

Posted 06 February 2009 - 03:35 PM

Thanks for your reply.

New ComboFix log is as follows:

ComboFix 09-02-04.04 - Paul's 2009-02-05 19:10:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.325 [GMT 0:00]
Running from: c:\documents and settings\Paul's\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Paul's\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Paul's\Temporary Internet Files\fbk.sts
c:\temp\DIV55
c:\temp\DIV55\xDb.log
c:\windows\system32\afitelud.ini
c:\windows\system32\alemitow.ini
c:\windows\system32\anesuzen.ini
c:\windows\system32\avadijev.ini
c:\windows\system32\awipiyug.ini
c:\windows\system32\devawije.dll
c:\windows\system32\dibojine.dll
c:\windows\system32\duletifa.dll
c:\windows\system32\duvubuse.dll
c:\windows\system32\enijobid.ini
c:\windows\system32\enoseroh.ini
c:\windows\system32\eyaviyus.ini
c:\windows\system32\fihiwiku.dll
c:\windows\system32\fukafati.dll
c:\windows\system32\gakewake.dll
c:\windows\system32\gejuzuge.dll
c:\windows\system32\golosufu.dll
c:\windows\system32\huzegeko.dll
c:\windows\system32\ibikayan.ini
c:\windows\system32\isevufuz.ini
c:\windows\system32\kuhajima.dll
c:\windows\system32\mariwovu.dll
c:\windows\system32\nayakibi.dll
c:\windows\system32\nezejage.dll
c:\windows\system32\nezusena.dll
c:\windows\system32\nisinupo.dll
c:\windows\system32\oweguwaw.ini
c:\windows\system32\puwudaza.dll
c:\windows\system32\sebasasa.dll
c:\windows\system32\sehejova.dll
c:\windows\system32\sosadowe.dll
c:\windows\system32\sufazibu.dll
c:\windows\system32\sututiya.dll
c:\windows\system32\suyivaye.dll
c:\windows\system32\tbjdve.dll
c:\windows\system32\tivijaro.dll
c:\windows\system32\ukiwihif.ini
c:\windows\system32\urovulin.ini
c:\windows\system32\uwepilaz.ini
c:\windows\system32\vejidava.dll
c:\windows\system32\vunuwime.dll
c:\windows\system32\wetewutu.dll
c:\windows\system32\wotimela.dll
c:\windows\system32\wuyedifu.dll
c:\windows\system32\yidonizo.dll
c:\windows\system32\zalipewu.dll
c:\windows\system32\zufuvesi.dll
c:\windows\system32\zuninipi.dll
c:\windows\Tasks\wtwicain.job
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
.
((((((((((((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 )))))))))))))))))))))))))))))))
.

2009-02-05 19:20 . 2009-02-05 19:20 <DIR> d-------- c:\windows\LastGood
2009-01-29 23:40 . 2009-01-29 23:40 <DIR> d-------- c:\program files\Opera
2009-01-28 17:02 . 2009-01-28 17:02 25,992 --a------ c:\windows\system32\pgdfgsvc.exe
2009-01-27 17:21 . 2009-01-31 06:00 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\SACore
2009-01-27 16:36 . 2009-01-27 16:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-27 14:49 . 2009-01-27 14:49 <DIR> d-------- C:\ProgramData
2009-01-27 14:49 . 2009-01-27 14:49 <DIR> dr-h----- c:\documents and settings\Paul's\Application Data\SecuROM
2009-01-27 14:49 . 2009-01-27 14:50 <DIR> d-------- c:\documents and settings\Paul's\Application Data\Red Alert 3
2009-01-27 14:49 . 2009-01-27 14:49 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2009-01-27 14:48 . 2009-01-27 14:48 3,624 --a------ c:\windows\system32\ealregsnapshot1.reg
2009-01-27 14:21 . 2009-01-27 14:49 <DIR> d-------- c:\program files\Electronic Arts
2009-01-27 14:21 . 2008-05-30 14:11 3,850,760 --a------ c:\windows\system32\D3DX9_38.dll
2009-01-27 14:21 . 2008-05-30 14:11 1,491,992 --a------ c:\windows\system32\D3DCompiler_38.dll
2009-01-27 14:21 . 2007-07-19 18:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2009-01-27 14:21 . 2008-05-30 14:11 467,984 --a------ c:\windows\system32\d3dx10_38.dll
2009-01-27 14:21 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2009-01-27 14:20 . 2009-01-27 14:20 <DIR> d-------- c:\windows\Logs
2009-01-27 14:20 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2009-01-27 13:25 . 2009-01-27 13:25 <DIR> d-------- c:\program files\SpywareBlaster
2009-01-27 13:25 . 2009-01-27 13:25 <DIR> d-------- c:\documents and settings\LocalService\Application Data\SACore
2009-01-27 13:24 . 2009-01-27 16:18 <DIR> d-------- c:\program files\McAfee
2009-01-27 13:24 . 2009-01-27 13:24 <DIR> d-------- c:\program files\Common Files\McAfee
2009-01-27 13:24 . 2009-01-27 13:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2009-01-27 13:24 . 2009-01-27 13:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2009-01-27 10:36 . 2009-01-27 10:36 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-27 10:36 . 2009-01-27 10:36 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-27 10:32 . 2009-01-27 10:32 <DIR> d-------- C:\VundoFix Backups
2009-01-27 01:51 . 2009-01-27 01:51 <DIR> d-------- C:\WESTWOOD
2009-01-27 01:51 . 1996-11-06 19:11 69,632 --a------ c:\windows\RAUNINST.EXE
2009-01-26 20:23 . 2009-01-26 20:23 <DIR> d-------- C:\_OTScanIt
2009-01-25 20:19 . 2006-11-07 13:01 66,048 --a------ c:\windows\ieResetIcons.exe
2009-01-25 20:19 . 2009-01-25 20:19 230 --a------ c:\windows\system32\spupdsvc.inf
2009-01-25 17:27 . 2009-01-25 17:27 268 --ah----- C:\sqmdata15.sqm
2009-01-25 17:27 . 2009-01-25 17:27 244 --ah----- C:\sqmnoopt16.sqm
2009-01-11 17:33 . 2009-01-11 17:33 <DIR> d-------- C:\Legend
2009-01-11 17:30 . 2009-01-11 17:30 <DIR> d--h----- c:\windows\PIF
2009-01-11 09:17 . 2009-01-11 09:17 268 --ah----- C:\sqmdata13.sqm
2009-01-11 09:17 . 2009-01-11 09:17 244 --ah----- C:\sqmnoopt15.sqm
2009-01-11 09:17 . 2009-01-11 09:17 244 --ah----- C:\sqmnoopt14.sqm
2009-01-11 09:17 . 2009-01-11 09:17 136 --ah----- C:\sqmdata14.sqm
2009-01-06 16:39 . 2009-01-26 20:52 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-06 16:39 . 2009-01-06 16:39 <DIR> d-------- c:\documents and settings\Paul's\Application Data\Malwarebytes
2009-01-06 16:39 . 2009-01-06 16:39 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-06 16:39 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-06 16:39 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 18:58 --------- d-----w c:\documents and settings\Paul's\Application Data\Skype
2009-02-05 18:56 --------- d-----w c:\documents and settings\Paul's\Application Data\skypePM
2009-02-02 17:30 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-27 14:49 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 13:17 --------- d-----w c:\program files\Java
2009-01-27 10:37 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-27 10:37 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-02 08:17 --------- d-----w c:\program files\Warcraft III
2008-12-27 10:52 --------- d-----w c:\documents and settings\Paul's\Application Data\LimeWire
2008-12-26 05:41 --------- d-----w c:\documents and settings\All Users\Application Data\Logishrd
2008-12-20 04:54 --------- d-----w c:\program files\LimeWire
2008-12-19 10:38 --------- d-----w c:\program files\Google
2008-12-18 19:36 --------- d-----w c:\program files\Common Files\LogiShrd
2008-12-18 19:30 --------- d-----w c:\program files\Common Files\Logitech
2008-12-18 19:29 --------- d-----w c:\program files\Logitech
2008-12-18 11:21 --------- d-----w c:\program files\FreeMind
2008-12-17 13:28 --------- d-----w c:\program files\Common Files\Java
2008-12-17 13:26 --------- d-----w c:\program files\Buzan Online
2008-12-11 17:52 --------- d-----w c:\program files\RaybanMirror
2008-12-11 17:51 --------- d-----w c:\documents and settings\Paul's\Application Data\Fit3DLive
2008-12-10 04:30 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-12-08 21:22 --------- d-----w c:\documents and settings\LocalService\Application Data\Yahoo!
2008-12-05 00:51 --------- d-----w c:\program files\DivX
2007-05-16 05:52 37,873,216 ----a-w c:\program files\iTunesSetup.exe
2007-05-13 05:17 21,407,888 ----a-w c:\program files\avg.exe
2007-05-12 19:27 48,514,502 ----a-w c:\program files\flashmx_trial_en.exe
2007-05-12 18:43 1,207,301 ----a-w c:\program files\wrar37b8.exe
2007-05-12 17:12 153,336 ----a-w c:\program files\RealPlayer10-5GOLD.exe
2007-06-15 07:55 11,931 --sh--w c:\windows\system32\SRVH0ST.exe
2008-09-28 17:00 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092820080929\index.dat
2005-08-02 16:46 187,904 --sha-r c:\windows\UGF1bCBMaWV3\asappsrv.dll
2005-08-02 16:58 293,888 --sha-r c:\windows\UGF1bCBMaWV3\command.exe
2005-07-29 16:24 472 --sha-r c:\windows\UGF1bCBMaWV3\o3IYvF1guqpa.vbs
.

------- Sigcheck -------

2005-07-03 10:09 659456 6e533d155b259eb2363d3e04b5be309f c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
2007-03-07 17:40 823296 b8f4db39ca7353752f245379d285c80e c:\windows\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 09:08 823808 431defbb4a3d7b0dc062c1b064623a2f c:\windows\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 14:40 824320 d6ed5e042c5207553e7f5e842918137f c:\windows\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 10:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca c:\windows\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-10 23:47 825344 0e5d918f87efa7d2424d66b499c7eb04 c:\windows\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 02:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 c:\windows\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 13:03 827392 6316c2f0c61271c8abdff7429174879e c:\windows\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 03:35 827392 41546b396a526918da7995a02ea04e51 c:\windows\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2008-06-23 16:01 827904 c66402a06b83b036c195242c0c8cf83c c:\windows\$hf_mig$\KB953838-IE7\SP2QFE\wininet.dll
2008-08-26 09:08 827904 77c192fe56a70d7fa0247ba0a6201c32 c:\windows\$hf_mig$\KB956390-IE7\SP2QFE\wininet.dll
2008-10-16 20:24 827904 0d5b75171ff51775b630a431b6c667e8 c:\windows\$hf_mig$\KB958215-IE7\SP2QFE\wininet.dll
2006-03-16 04:00 656384 c0823fc5469663ba63e7db88f9919d70 c:\windows\$NtUninstallKB896727$\wininet.dll
2006-01-09 18:02 662016 dde9597a3311748c1519444e2bc147bd c:\windows\$NtUninstallKB922760$\wininet.dll
2006-09-14 08:31 664576 d207370287cf769aebebf03837784963 c:\windows\$NtUninstallKB925454$\wininet.dll
2007-03-07 17:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 c:\windows\ie7updates\KB933566-IE7\wininet.dll
2007-10-10 23:56 824832 30c1e0f34ad2972c72a01db5c74ab065 c:\windows\ie7updates\KB944533-IE7\wininet.dll
2008-03-01 13:06 826368 ad21461aef8244edec2ef18e55e1dcf3 c:\windows\ie7updates\KB950759-IE7\wininet.dll
2008-06-23 16:57 826368 8c13d4a7479fa0a026eda8abce82c0ed c:\windows\ie7updates\KB956390-IE7\wininet.dll
2008-04-14 00:12 666112 7a4f775abb2f1c97def3e73afa2faedd c:\windows\ServicePackFiles\i386\wininet.dll
2008-10-16 10:37 659456 6f1e4bfd78c4e0d05ff3725d59b72925 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2GDR\wininet.dll
2008-10-16 10:20 667648 93c9d0a216498ee14eb9b26119bb95ee c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP2QFE\wininet.dll
2008-10-16 01:00 666112 1576318bf08d28cc61d1278114ad8d5b c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3GDR\wininet.dll
2008-10-16 01:04 667136 e8fce58a470999350f64c591557f9e42 c:\windows\SoftwareDistribution\Download\7bc58354ca50aa200544caaef7677c8a\SP3QFE\wininet.dll
2006-10-23 15:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\system32\wininet.dll
2006-10-23 15:34 664576 231ef4179acabe486376b5ca893f1076 c:\windows\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-28 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2006-11-12 157592]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-24 7569408]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-01-26 40960]
"RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
"Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-03-15 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-03-15 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-03-15 455168]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-03 241152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-12 185896]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-29 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-29 46632]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2007-03-12 663552]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-27 136600]
"MsmqIntCert"="mqrt.dll" [2008-04-14 c:\windows\system32\mqrt.dll]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-12 581693]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"c:\\Program Files\\Internet Explorer\\iedw.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=
"c:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"16233:TCP"= 16233:TCP:BitComet 16233 TCP
"16233:UDP"= 16233:UDP:BitComet 16233 UDP

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-01-27 206096]
S3 Se2tr4xiwhsd;Se2tr4xiwhsd; [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ba35242-0836-11dc-a6df-0016d3113049}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6231cfa0-a9e8-11db-a675-0016d3113049}]
\Shell\Auto\command - H:\udisk.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL udisk.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7780c325-1398-11dc-a6f0-0016d3113049}]
\Shell\AutoRun\command - RavMon.exe
\Shell\explore\Command - RavMon.exe -e
\Shell\open\Command - RavMon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7a71711-6739-11dc-a75b-0016d3113049}]
\Shell\AutoRun\command - F:\ntde1ect.com
\Shell\explore\Command - F:\ntde1ect.com
\Shell\open\Command - F:\ntde1ect.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ef9c15b7-231c-11dc-a709-0016d3113049}]
\Shell\Auto\command - F:\udisk.exe e
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL udisk.exe e
.
Contents of the 'Scheduled Tasks' folder

2009-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3f5e1592-b17b-4026-9cda-cc2453c2b56c} - (no file)
BHO-{7e26c2ee-a843-49c8-ab4b-1262eca8d57f} - c:\windows\system32\nisinupo.dll
HKLM-Run-jazefisano - c:\windows\system32\neruvowu.dll
Notify-wvUoPgGY - wvUoPgGY.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Clean Traces - c:\program files\DAP\Privacy Package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\DAP\dapextie.htm
IE: Download &all with DAP - c:\program files\DAP\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\DAP\dapie.dll
DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} - hxxp://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
FF - ProfilePath - c:\documents and settings\Paul's\Application Data\Mozilla\Firefox\Profiles\0o90moui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 19:21:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????R????????@???????@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3459262004-2373878787-672632822-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{45F47FFF-90CF-0EB0-2432-A695AD0351EE}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-3459262004-2373878787-672632822-1005\Software\SecuROM\License information*]
"datasecu"=hex:5b,57,d1,21,00,c2,3d,f2,94,3a,d8,a0,80,98,b1,b6,d3,c2,8c,0d,a5,
ee,ea,32,87,6b,7a,0b,59,a8,e6,46,2d,fe,42,39,ef,71,c9,b6,99,f6,c9,45,6f,62,\
"rkeysecu"=hex:2e,84,61,1f,19,fd,8b,25,bb,38,b3,5f,2e,bd,d3,38
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\msdtc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\mqtgsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Brother\Brmfcmon\BrMfcMon.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-02-05 19:26:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-05 19:26:35

Pre-Run: 16,037,728,256 bytes free
Post-Run: 16,042,954,752 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /usepmtimer

361 --- E O F --- 2008-12-13 03:03:53

New HijackThis log is as follows:

DDS (Ver_09-01-19.01) - NTFSx86
Run by Paul's at 20:31:36.85 on Fri 02/06/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.474 [GMT 0:00]

FW: Norton Internet Worm Protection *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Electronic Arts\EADM\Core.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Skype\Plugin Manager\SkypePM.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Paul's\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=64&bd=presario&pf=laptop
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: NoExplorer - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Cpqset] c:\program files\hpq\default settings\cpqset.exe
mRun: [RecGuard] c:\windows\sminst\RecGuard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpphot~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: &Clean Traces - c:\program files\dap\privacy package\dapcleanerie.htm
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: &Download with &DAP - c:\program files\dap\dapextie.htm
IE: Download &all with DAP - c:\program files\dap\dapextie2.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_11.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B46FA8BD-AE41-4821-AFF4-D4FFE4F3D390} - hxxp://presentur.ntu.edu.sg/aculearn-idm/dlls/acuviewer.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Name-Space Handler: ftp\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll
Name-Space Handler: http\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\progra~1\dap\dapie.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul's\applic~1\mozilla\firefox\profiles\0o90moui.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll

============= SERVICES / DRIVERS ===============

R4 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-1-27 206096]
R4 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

=============== Created Last 30 ================

2009-02-05 19:21 1,499,136 -------- c:\windows\system32\dllcache\shdocvw.dll
2009-02-05 19:06 <DIR> a-dshr-- C:\cmdcons
2009-02-05 19:04 161,792 a------- c:\windows\SWREG.exe
2009-02-05 19:04 98,816 a------- c:\windows\sed.exe
2009-01-28 17:02 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-01-27 16:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Electronic Arts
2009-01-27 14:49 <DIR> --d----- c:\docume~1\paul's\applic~1\Red Alert 3
2009-01-27 14:49 107,888 a------- c:\windows\system32\CmdLineExt.dll
2009-01-27 14:49 <DIR> --d----- C:\ProgramData
2009-01-27 14:48 3,624 a------- c:\windows\system32\ealregsnapshot1.reg
2009-01-27 14:21 1,491,992 a------- c:\windows\system32\D3DCompiler_38.dll
2009-01-27 14:21 467,984 a------- c:\windows\system32\d3dx10_38.dll
2009-01-27 14:21 3,850,760 a------- c:\windows\system32\D3DX9_38.dll
2009-01-27 14:21 1,358,192 a------- c:\windows\system32\D3DCompiler_35.dll
2009-01-27 14:21 444,776 a------- c:\windows\system32\d3dx10_35.dll
2009-01-27 14:20 3,727,720 a------- c:\windows\system32\d3dx9_35.dll
2009-01-27 14:20 <DIR> --d----- c:\windows\Logs
2009-01-27 13:25 <DIR> --d----- c:\program files\SpywareBlaster
2009-01-27 13:24 <DIR> --d----- c:\program files\common files\McAfee
2009-01-27 13:24 <DIR> --d----- c:\program files\McAfee
2009-01-27 13:15 <DIR> --d----- c:\windows\system32\appmgmt
2009-01-27 10:36 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-27 10:36 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-27 10:32 <DIR> --d----- C:\VundoFix Backups
2009-01-27 01:51 69,632 a------- c:\windows\RAUNINST.EXE
2009-01-27 01:51 <DIR> --d----- C:\WESTWOOD
2009-01-26 20:23 <DIR> --d----- C:\_OTScanIt
2009-01-25 20:19 230 a------- c:\windows\system32\spupdsvc.inf
2009-01-25 20:19 66,048 a------- c:\windows\ieResetIcons.exe
2009-01-25 17:27 268 a---h--- C:\sqmdata15.sqm
2009-01-25 17:27 244 a---h--- C:\sqmnoopt16.sqm
2009-01-11 17:33 <DIR> --d----- C:\Legend
2009-01-11 17:30 <DIR> --d-h--- c:\windows\PIF
2009-01-11 09:17 268 a---h--- C:\sqmdata13.sqm
2009-01-11 09:17 244 a---h--- C:\sqmnoopt15.sqm
2009-01-11 09:17 244 a---h--- C:\sqmnoopt14.sqm
2009-01-11 09:17 136 a---h--- C:\sqmdata14.sqm

==================== Find3M ====================

2009-01-14 16:11 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 16:11 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-12 17:01 3,067,904 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-04 22:46 78,349 a------- c:\windows\War3Unin.dat
2008-11-21 21:47 3,596,288 a------- c:\windows\system32\qt-dx331.dll
2008-11-21 21:46 1,044,480 a------- c:\windows\system32\libdivx.dll
2008-11-21 21:46 200,704 a------- c:\windows\system32\ssldivx.dll
2008-11-21 21:45 196,608 a------- c:\windows\system32\dtu100.dll
2008-11-21 21:45 81,920 a------- c:\windows\system32\dpl100.dll
2008-11-21 21:45 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-11-21 21:45 344,064 a------- c:\windows\system32\dpus11.dll
2008-11-21 21:45 294,912 a------- c:\windows\system32\dpu11.dll
2008-11-21 21:45 294,912 a------- c:\windows\system32\dpu10.dll
2008-11-21 21:45 57,344 a------- c:\windows\system32\dpv11.dll
2008-11-21 21:45 53,248 a------- c:\windows\system32\dpuGUI10.dll
2007-05-16 05:52 37,873,216 a------- c:\program files\iTunesSetup.exe
2007-05-13 05:17 21,407,888 a------- c:\program files\avg.exe
2007-05-12 19:27 48,514,502 a------- c:\program files\flashmx_trial_en.exe
2007-05-12 18:43 1,207,301 a------- c:\program files\wrar37b8.exe
2007-05-12 17:12 153,336 a------- c:\program files\RealPlayer10-5GOLD.exe
2008-09-28 17:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092820080929\index.dat

============= FINISH: 20:31:58.14 ===============


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 07 February 2009 - 12:27 AM

Hello.. That's an old ComboFix log.. Please redo my previous step and post the log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:58 AM

Posted 18 February 2009 - 05:55 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
