
Had Virtumonde/Vundo. Now other problems.


  • This topic is locked
12 replies to this topic

#1 Peivalke

  • Members
  • 6 posts

Posted 27 January 2009 - 05:33 PM

This computer was attacked by Virtumonde/Vundo a few days ago. I thought I had gotten things cleared up but I am still having strange browser pages popping up occasionally and after looking around in the Add/Remove Programs interface I found several programs there that I did not load (Contextual Platform Adsoftinc, DPS, ECO Bar, PPC Booster, RON Too1 Adsoftinc, and Run It.) Some of them ask for a password before I can uninstall them. Any help with this would be great. I've run AVG 8.0, MBAM, Ad-Aware and Spybot all multiple times and still cannot get this fixed. I am using Windows XP Professional and have always had the XP firewall up and running. I believe that the attack came through a Trillian IM from an infected friend's computer. If you need more information I will gladly provide everything needed. Thank you!



DDS (Ver_09-01-19.01) - NTFSx86
Run by Kerry at 16:19:20.89 on Tue 01/27/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.366 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {77d4a768-a3db-48c2-9c0a-e2aa43848532} - No File
BHO: {85919826-5E0D-CA58-5BD9-0798C2E5E965} - No File
BHO: {C5BF49A2-94F3-42BD-F434-3604812C8955} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\kerry\locals~1\temp\winlognn.exe
uRun: [GetModule35] c:\program files\getmodule\GetModule35.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\p2pmax.lnk - c:\program files\p2pmax\p2pmax.exe
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\ppcb_32.lnk - c:\program files\ppcbooster\ppcb_32.exe
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197910716578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197996084921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: vtUnlIxV - vtUnlIxV.dll
AppInit_DLLs: vvgjuz.dll ngtxwb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kerry\applic~1\mozilla\firefox\profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - component: c:\program files\mozilla firefox\components\nsadsoftinc.dll
FF - HiddenExtension: XUL Cache: {56BEEA16-1A63-4D22-9301-20E3702904DF} - c:\documents and settings\kerry\local settings\application data\{56BEEA16-1A63-4D22-9301-20E3702904DF}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-17 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-17 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-17 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-17 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-17 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-17 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-17 4960]

=============== Created Last 30 ================

2009-01-25 14:58 <DIR> --d----- C:\VundoFix Backups
2009-01-25 14:20 <DIR> --d----- c:\docume~1\kerry\applic~1\Malwarebytes
2009-01-25 13:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 13:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 12:31 145 a------- c:\windows\wininit.ini
2009-01-25 11:31 0 a------- c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 133,120 a------- c:\windows\ayikelikufev.dll
2009-01-25 00:04 142,607 a------- c:\windows\ptllfx81403.exe
2009-01-25 00:04 1,454,080 a------- c:\windows\system32\hlidemon.exe
2009-01-25 00:04 477,184 a------- c:\windows\rgmonsvc.exe
2009-01-25 00:04 85,460 a------- c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 0 a------- c:\windows\mqcd.dbt
2009-01-25 00:04 10,752 a------- c:\windows\wlulwgmg1437.exe
2009-01-25 00:03 4,574,328 a------- c:\windows\enjf6330.exe
2009-01-25 00:03 56,320 a------- c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 32,768 a------- c:\windows\system32\f2djq.as
2009-01-25 00:03 28,672 a------- c:\windows\system32\do8d.sr
2009-01-25 00:03 32,768 a------- c:\windows\system32\zd.zag
2009-01-25 00:03 28,672 a------- c:\windows\system32\dedwf.lp
2009-01-25 00:03 77,312 a------- c:\windows\system32\f3g.e
2009-01-25 00:03 32,768 a------- c:\windows\avofgqfh41488.exe
2009-01-25 00:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-25 00:02 69,697 a------- c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 85,293 a------- c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 93,696 a------- c:\windows\dadrxx3326.exe
2009-01-25 00:02 47,578 a------- c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-25 00:02 194,746 a------- c:\windows\svtbc7701.exe
2009-01-25 00:01 <DIR> --d----- c:\windows\tmpie
2009-01-24 18:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 18:46 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 18:41 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-24 18:30 <DIR> --d----- c:\docume~1\kerry\applic~1\cogad
2009-01-23 21:40 268 a---h--- C:\sqmdata08.sqm
2009-01-23 21:40 244 a---h--- C:\sqmnoopt08.sqm
2009-01-22 19:10 232 a---h--- C:\sqmdata07.sqm
2009-01-22 19:10 244 a---h--- C:\sqmnoopt07.sqm
2009-01-06 11:50 683,008 a------- c:\windows\system32\nsl169.dll

==================== Find3M ====================

2008-12-14 17:19 1,474 a------- c:\docume~1\kerry\applic~1\SAS7_000.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:12 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-04-13 19:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 16:19:37.71 ===============
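As an added example (not part of this thread and not code from the DDS tool), here is a small Python triage script that applies the checks a malware-response helper runs through when reading the "Pseudo HJT Report" and Firefox sections of a DDS log like the one above: Run entries launched from a temp directory, Browser Helper Objects whose DLL is gone, a populated AppInit_DLLs value, Winlogon Notify packages given only by file name, and Firefox search settings forced through user.js. The sample input is a constructed subset of the lines from that log; the rules, severities, and names (`parse_dds`, `flag`, `triage`, `summarize`) are the example's own assumptions.

```python
"""Triage helper for the autostart and Firefox sections of a DDS log.

Added example for this thread; not part of the original posts and not code
from the DDS tool. Rules and severity labels are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample input: a subset of the lines from the first DDS log
# posted above, reproduced verbatim (raw string, so backslashes are literal).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

BHO: {77d4a768-a3db-48c2-9c0a-e2aa43848532} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\kerry\locals~1\temp\winlognn.exe
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\ppcb_32.lnk - c:\program files\ppcbooster\ppcb_32.exe
Notify: vtUnlIxV - vtUnlIxV.dll
AppInit_DLLs: vvgjuz.dll ngtxwb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
"""

# DDS lines are "kind: body"; Firefox lines carry the pref file in the kind.
LINE_RE = re.compile(r"^(?P<kind>[A-Za-z_]+(?: - (?:prefs|user)\.js)?):\s+(?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)")
# Commands launched from the user's temp directory (8.3 or long-name form).
TEMP_PATH_RE = re.compile(r"\\(?:locals~1|local settings)\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    kind: str   # e.g. "uRun", "BHO", "AppInit_DLLs", "FF - user.js"
    body: str   # text after the "kind:" prefix
    raw: str    # original line, kept for reporting


@dataclass
class Finding:
    severity: str   # high / medium / low / info (assumed scale)
    reason: str
    line: str


def parse_dds(text: str) -> list[Entry]:
    """Keep only the lines that look like DDS autostart/preference entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group("kind"), m.group("body"), line))
    return entries


def flag(entries: list[Entry]) -> list[Finding]:
    """Apply the triage rules to parsed entries, in log order."""
    findings = []
    for e in entries:
        if e.kind in ("uRun", "mRun", "dRun"):
            m = RUN_RE.match(e.body)
            if m and TEMP_PATH_RE.search(m.group("cmd")):
                findings.append(Finding("high", "Run entry launches from a temp directory", e.raw))
        elif e.kind == "BHO" and e.body.endswith("- No File"):
            findings.append(Finding("low", "orphaned BHO: registered DLL is missing", e.raw))
        elif e.kind == "AppInit_DLLs" and e.body.strip():
            # AppInit_DLLs are loaded into every process that loads user32.dll.
            findings.append(Finding("high", "AppInit_DLLs is populated", e.raw))
        elif e.kind == "Notify":
            _, _, dll = e.body.partition(" - ")
            if "\\" not in dll:
                findings.append(Finding("medium", "Winlogon Notify package given as a bare file name", e.raw))
        elif e.kind == "FF - user.js":
            pref = e.body.split(" - ", 1)[0]
            if pref.startswith("browser.search.") or pref == "keyword.URL":
                findings.append(Finding("medium", "Firefox search preference forced via user.js", e.raw))
        elif e.kind == "StartupFolder":
            findings.append(Finding("info", "Startup-folder shortcut; verify the target", e.raw))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def triage(text: str) -> list[Finding]:
    return flag(parse_dds(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
    print(summarize(triage(SAMPLE_DDS)))
```

Run against the sample, the script raises the same items the helper's ComboFix pass later removes as orphans or that the OP's symptoms point at (the temp-directory Run entry, the Notify package, the AppInit_DLLs value, the user.js search override), while leaving ctfmon.exe, the SSODL shell object and the prefs.js homepage alone. The rules deliberately key on structure (where a file lives, whether a path is given, which file a preference came from) rather than on file names, so they carry over to logs from other machines.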


#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,759 posts
  • Location:Puerto Rico

Posted 27 January 2009 - 08:59 PM

Hi, Peivalke

Welcome.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u11-windows-i586-p.exe and select "Run as an Administrator".)
Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • If you receive a message that Combofix has detected the presence of rootkit activity and needs to reboot, kindly write down on paper the list of files present in the message before continuing, and post it in your next reply.
  • Install the Recovery Console upon request.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Peivalke
  • Topic Starter

  • Members
  • 6 posts

Posted 28 January 2009 - 06:39 PM

Sorry for the long wait. Here are the follow-up logs. I checked the Add/Remove Programs interface again and I still have Contextual Platform Adsoftinc, RON Too1 Adsoftinc and Run It showing there. Below are the ComboFix and DDS report logs.

ComboFix log.

ComboFix 09-01-21.04 - Kerry 2009-01-28 17:29:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.637 [GMT -6:00]
Running from: c:\documents and settings\Kerry\Desktop\ComboFix.exe
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kerry\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Kerry\Start Menu\Programs\Startup\ppcb_32.lnk
c:\windows\Tasks\aedccnvd.job
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-28 )))))))))))))))))))))))))))))))
.

2009-01-28 17:18 . 2009-01-28 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 17:18 . 2009-01-28 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 14:58 . 2009-01-25 14:58 <DIR> d-------- C:\VundoFix Backups
2009-01-25 14:20 . 2009-01-25 14:20 <DIR> d-------- c:\documents and settings\Kerry\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 12:57 . 2009-01-25 12:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 12:31 . 2009-01-25 12:31 145 --a------ c:\windows\wininit.ini
2009-01-25 11:31 . 2009-01-25 11:31 0 --a------ c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 . 2009-01-25 00:24 133,120 --a------ c:\windows\ayikelikufev.dll
2009-01-25 00:04 . 2009-01-25 00:04 1,454,080 --a------ c:\windows\system32\hlidemon.exe
2009-01-25 00:04 . 2009-01-25 00:04 477,184 --a------ c:\windows\rgmonsvc.exe
2009-01-25 00:04 . 2009-01-25 00:04 142,607 --a------ c:\windows\ptllfx81403.exe
2009-01-25 00:04 . 2009-01-25 00:04 85,460 --a------ c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 . 2009-01-25 00:04 10,752 --a------ c:\windows\wlulwgmg1437.exe
2009-01-25 00:04 . 2009-01-25 00:04 0 --a------ c:\windows\mqcd.dbt
2009-01-25 00:03 . 2009-01-25 00:03 4,574,328 --a------ c:\windows\enjf6330.exe
2009-01-25 00:03 . 2009-01-25 00:03 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-25 00:03 . 2009-01-25 00:03 77,312 --a------ c:\windows\system32\f3g.e
2009-01-25 00:03 . 2009-01-25 00:03 56,320 --a------ c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\zd.zag
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\f2djq.as
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\avofgqfh41488.exe
2009-01-25 00:03 . 2009-01-25 00:03 28,672 --a------ c:\windows\system32\do8d.sr
2009-01-25 00:03 . 2009-01-25 00:03 28,672 --a------ c:\windows\system32\dedwf.lp
2009-01-25 00:02 . 2009-01-25 00:02 194,746 --a------ c:\windows\svtbc7701.exe
2009-01-25 00:02 . 2009-01-25 00:02 93,696 --a------ c:\windows\dadrxx3326.exe
2009-01-25 00:02 . 2009-01-25 00:02 85,293 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 . 2009-01-25 00:02 69,697 --a------ c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 . 2009-01-25 00:02 47,578 --a------ c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-25 00:01 . 2009-01-27 14:24 <DIR> d-------- c:\windows\tmpie
2009-01-24 18:47 . 2009-01-24 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 . 2009-01-25 12:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\program files\Lavasoft
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 18:41 . 2009-01-27 14:24 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-24 18:30 . 2009-01-24 18:47 <DIR> d-------- c:\documents and settings\Kerry\Application Data\cogad
2009-01-23 21:40 . 2009-01-23 21:40 268 --ah----- C:\sqmdata08.sqm
2009-01-23 21:40 . 2009-01-23 21:40 244 --ah----- C:\sqmnoopt08.sqm
2009-01-22 19:10 . 2009-01-22 19:10 244 --ah----- C:\sqmnoopt07.sqm
2009-01-22 19:10 . 2009-01-22 19:10 232 --ah----- C:\sqmdata07.sqm
2009-01-06 11:50 . 2009-01-06 11:50 683,008 --a------ c:\windows\system32\nsl169.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 23:18 --------- d-----w c:\program files\Java
2009-01-28 23:18 --------- d-----w c:\documents and settings\Kerry\Application Data\Skype
2009-01-28 15:32 --------- d-----w c:\documents and settings\Kerry\Application Data\skypePM
2009-01-28 15:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-27 19:35 --------- d-----w c:\documents and settings\Kerry\Application Data\AVG7
2009-01-27 02:39 --------- d-----w c:\program files\Trillian
2008-12-23 22:35 --------- d-----w c:\program files\Ventrilo
2008-12-23 22:35 --------- d-----w c:\documents and settings\Kerry\Application Data\Ventrilo
2008-12-23 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 20:16 --------- d-----w c:\program files\Driver Sweeper
2008-12-14 23:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-14 23:19 1,474 ----a-w c:\documents and settings\Kerry\Application Data\SAS7_000.DAT
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-30 05:30 --------- d-----w c:\program files\AGEIA Technologies
2008-11-12 19:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-04-14 01:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-17 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= vvgjuz.dll ngtxwb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=


--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-20 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]

2008-12-23 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]
.
- - - - ORPHANS REMOVED - - - -

BHO-{77d4a768-a3db-48c2-9c0a-e2aa43848532} - (no file)
BHO-{85919826-5E0D-CA58-5BD9-0798C2E5E965} - (no file)
HKCU-Run-GetModule35 - c:\program files\GetModule\GetModule35.exe
Notify-vtUnlIxV - vtUnlIxV.dll


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kerry\Application Data\Mozilla\Firefox\Profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 17:30:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-28 17:31:53
ComboFix-quarantined-files.txt 2009-01-28 23:31:51

Pre-Run: 149,287,309,312 bytes free
Post-Run: 149,434,335,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

172 --- E O F --- 2009-01-15 06:28:42

And here is the DDS log (I hope this is OK instead of a HijackThis log?)



DDS (Ver_09-01-19.01) - NTFSx86
Run by Kerry at 17:33:47.18 on Wed 01/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.577 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\p2pmax.lnk - c:\program files\p2pmax\p2pmax.exe
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197910716578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197996084921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: vvgjuz.dll ngtxwb.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kerry\applic~1\mozilla\firefox\profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - HiddenExtension: XUL Cache: {56BEEA16-1A63-4D22-9301-20E3702904DF} - c:\documents and settings\kerry\local settings\application data\{56BEEA16-1A63-4D22-9301-20E3702904DF}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-17 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-17 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-17 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-17 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-17 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-17 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-17 4960]

=============== Created Last 30 ================

2009-01-28 17:29 <DIR> a-dshr-- C:\cmdcons
2009-01-28 17:28 161,792 a------- c:\windows\SWREG.exe
2009-01-28 17:28 98,816 a------- c:\windows\sed.exe
2009-01-28 17:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-28 17:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-25 14:58 <DIR> --d----- C:\VundoFix Backups
2009-01-25 14:20 <DIR> --d----- c:\docume~1\kerry\applic~1\Malwarebytes
2009-01-25 13:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 13:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 12:31 145 a------- c:\windows\wininit.ini
2009-01-25 11:31 0 a------- c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 133,120 a------- c:\windows\ayikelikufev.dll
2009-01-25 00:04 142,607 a------- c:\windows\ptllfx81403.exe
2009-01-25 00:04 1,454,080 a------- c:\windows\system32\hlidemon.exe
2009-01-25 00:04 477,184 a------- c:\windows\rgmonsvc.exe
2009-01-25 00:04 85,460 a------- c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 0 a------- c:\windows\mqcd.dbt
2009-01-25 00:04 10,752 a------- c:\windows\wlulwgmg1437.exe
2009-01-25 00:03 4,574,328 a------- c:\windows\enjf6330.exe
2009-01-25 00:03 56,320 a------- c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 32,768 a------- c:\windows\system32\f2djq.as
2009-01-25 00:03 28,672 a------- c:\windows\system32\do8d.sr
2009-01-25 00:03 32,768 a------- c:\windows\system32\zd.zag
2009-01-25 00:03 28,672 a------- c:\windows\system32\dedwf.lp
2009-01-25 00:03 77,312 a------- c:\windows\system32\f3g.e
2009-01-25 00:03 32,768 a------- c:\windows\avofgqfh41488.exe
2009-01-25 00:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-25 00:02 69,697 a------- c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 85,293 a------- c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 93,696 a------- c:\windows\dadrxx3326.exe
2009-01-25 00:02 47,578 a------- c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-25 00:02 194,746 a------- c:\windows\svtbc7701.exe
2009-01-25 00:01 <DIR> --d----- c:\windows\tmpie
2009-01-24 18:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 18:46 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 18:41 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-24 18:30 <DIR> --d----- c:\docume~1\kerry\applic~1\cogad
2009-01-23 21:40 268 a---h--- C:\sqmdata08.sqm
2009-01-23 21:40 244 a---h--- C:\sqmnoopt08.sqm
2009-01-22 19:10 232 a---h--- C:\sqmdata07.sqm
2009-01-22 19:10 244 a---h--- C:\sqmnoopt07.sqm
2009-01-06 11:50 683,008 a------- c:\windows\system32\nsl169.dll

==================== Find3M ====================

2008-12-14 17:19 1,474 a------- c:\docume~1\kerry\applic~1\SAS7_000.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:12 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-04-13 19:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 17:33:54.12 ===============




Thank you for the help so far!

#4 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:53 PM

Posted 28 January 2009 - 08:53 PM

Hi, Peivalke :thumbup2:

There are files that we will need to take a look.
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
Suspect::[4]
c:\windows\system32\system32xp.exe.tmp
c:\windows\ayikelikufev.dll
c:\windows\system32\hlidemon.exe
c:\windows\rgmonsvc.exe
c:\windows\ptllfx81403.exe
c:\windows\atjhhhjcx6182.exe
c:\windows\wlulwgmg1437.exe
c:\windows\mqcd.dbt
c:\windows\enjf6330.exe
c:\windows\system32\f3g.e
c:\windows\vnaqvaw4788.exe
c:\windows\system32\zd.zag
c:\windows\system32\f2djq.as
c:\windows\avofgqfh41488.exe
c:\windows\system32\do8d.sr
c:\windows\system32\dedwf.lp
c:\windows\svtbc7701.exe
c:\windows\dadrxx3326.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\bmkxapbdh6787.exe
c:\windows\system32\qjsoprfbbjkkfe.exe
c:\windows\system32\nsl169.dll

DirLook::
c:\windows\tmpie

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, ComboFix will generate a zipped file in the C:\Qoobox\Quarantine folder called Submit [Date Time].zip

Although ComboFix will attempt to upload this file automatically, in case it is unsuccessful, please submit this file to:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Please include a link to this topic in the message.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Peivalke

Peivalke
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 28 January 2009 - 09:10 PM

Ok, here are the logs. The zipped file that combofix generated uploaded successfully.


Combofix log.


ComboFix 09-01-21.04 - Kerry 2009-01-28 20:01:31.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.646 [GMT -6:00]
Running from: c:\documents and settings\Kerry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kerry\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 17:18 . 2009-01-28 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 17:18 . 2009-01-28 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 14:58 . 2009-01-25 14:58 <DIR> d-------- C:\VundoFix Backups
2009-01-25 14:20 . 2009-01-25 14:20 <DIR> d-------- c:\documents and settings\Kerry\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 12:57 . 2009-01-25 12:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 12:31 . 2009-01-25 12:31 145 --a------ c:\windows\wininit.ini
2009-01-25 11:31 . 2009-01-25 11:31 0 --a------ c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 . 2009-01-25 00:24 133,120 --a------ c:\windows\ayikelikufev.dll
2009-01-25 00:04 . 2009-01-25 00:04 1,454,080 --a------ c:\windows\system32\hlidemon.exe
2009-01-25 00:04 . 2009-01-25 00:04 477,184 --a------ c:\windows\rgmonsvc.exe
2009-01-25 00:04 . 2009-01-25 00:04 142,607 --a------ c:\windows\ptllfx81403.exe
2009-01-25 00:04 . 2009-01-25 00:04 85,460 --a------ c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 . 2009-01-25 00:04 10,752 --a------ c:\windows\wlulwgmg1437.exe
2009-01-25 00:04 . 2009-01-25 00:04 0 --a------ c:\windows\mqcd.dbt
2009-01-25 00:03 . 2009-01-25 00:03 4,574,328 --a------ c:\windows\enjf6330.exe
2009-01-25 00:03 . 2009-01-25 00:03 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-25 00:03 . 2009-01-25 00:03 77,312 --a------ c:\windows\system32\f3g.e
2009-01-25 00:03 . 2009-01-25 00:03 56,320 --a------ c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\zd.zag
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\f2djq.as
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\avofgqfh41488.exe
2009-01-25 00:03 . 2009-01-25 00:03 28,672 --a------ c:\windows\system32\do8d.sr
2009-01-25 00:03 . 2009-01-25 00:03 28,672 --a------ c:\windows\system32\dedwf.lp
2009-01-25 00:02 . 2009-01-25 00:02 194,746 --a------ c:\windows\svtbc7701.exe
2009-01-25 00:02 . 2009-01-25 00:02 93,696 --a------ c:\windows\dadrxx3326.exe
2009-01-25 00:02 . 2009-01-25 00:02 85,293 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 . 2009-01-25 00:02 69,697 --a------ c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 . 2009-01-25 00:02 47,578 --a------ c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-25 00:01 . 2009-01-27 14:24 <DIR> d-------- c:\windows\tmpie
2009-01-24 18:47 . 2009-01-24 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 . 2009-01-25 12:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\program files\Lavasoft
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 18:41 . 2009-01-27 14:24 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-24 18:30 . 2009-01-24 18:47 <DIR> d-------- c:\documents and settings\Kerry\Application Data\cogad
2009-01-23 21:40 . 2009-01-23 21:40 268 --ah----- C:\sqmdata08.sqm
2009-01-23 21:40 . 2009-01-23 21:40 244 --ah----- C:\sqmnoopt08.sqm
2009-01-22 19:10 . 2009-01-22 19:10 244 --ah----- C:\sqmnoopt07.sqm
2009-01-22 19:10 . 2009-01-22 19:10 232 --ah----- C:\sqmdata07.sqm
2009-01-06 11:50 . 2009-01-06 11:50 683,008 --a------ c:\windows\system32\nsl169.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 23:41 --------- d-----w c:\documents and settings\Kerry\Application Data\Skype
2009-01-28 23:18 --------- d-----w c:\program files\Java
2009-01-28 15:32 --------- d-----w c:\documents and settings\Kerry\Application Data\skypePM
2009-01-28 15:31 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-27 19:35 --------- d-----w c:\documents and settings\Kerry\Application Data\AVG7
2009-01-27 02:39 --------- d-----w c:\program files\Trillian
2008-12-23 22:35 --------- d-----w c:\program files\Ventrilo
2008-12-23 22:35 --------- d-----w c:\documents and settings\Kerry\Application Data\Ventrilo
2008-12-23 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 20:16 --------- d-----w c:\program files\Driver Sweeper
2008-12-14 23:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-14 23:19 1,474 ----a-w c:\documents and settings\Kerry\Application Data\SAS7_000.DAT
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-30 05:30 --------- d-----w c:\program files\AGEIA Technologies
2008-11-12 19:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-04-14 01:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\tmpie ----

2009-01-25 00:02 97 --a------ c:\windows\tmpie\me.ini
2009-01-25 00:02 64000 --a------ c:\windows\tmpie\mspass.exe
2009-01-25 00:02 187 --a------ c:\windows\tmpie\newpw.txt
2009-01-25 00:02 176128 --a------ c:\windows\tmpie\aim61.exe
2008-08-12 19:55 81920 --a------ c:\windows\tmpie\msado25.tlb
2008-08-12 19:55 818688 --a------ c:\windows\tmpie\wininet.dll
2008-08-12 19:55 59904 --a------ c:\windows\tmpie\wbemdisp.tlb
2008-08-12 19:55 212240 --a------ c:\windows\tmpie\RICHTX32.OCX
2008-08-12 19:55 1386496 --a------ c:\windows\tmpie\MSVBVM60.DLL
2008-08-12 19:55 1152000 --a------ c:\windows\tmpie\urlmon.dll
2008-08-12 19:55 109248 --a------ c:\windows\tmpie\MSWINSCK.OCX


((((((((((((((((((((((((((((( snapshot@2009-01-28_17.31.22.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-28 23:41:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-17 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlIxV]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-20 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]

2008-12-23 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]
.
- - - - ORPHANS REMOVED - - - -

BHO-{77d4a768-a3db-48c2-9c0a-e2aa43848532} - (no file)
BHO-{85919826-5E0D-CA58-5BD9-0798C2E5E965} - (no file)


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kerry\Application Data\Mozilla\Firefox\Profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 20:02:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-28 20:03:53
ComboFix-quarantined-files.txt 2009-01-29 02:03:51
ComboFix2.txt 2009-01-28 23:31:54

Pre-Run: 149,477,380,096 bytes free
Post-Run: 149,457,633,280 bytes free

175 --- E O F --- 2009-01-15 06:28:42




And the DDS/HiJackThis log.




DDS (Ver_09-01-19.01) - NTFSx86
Run by Kerry at 20:08:15.46 on Wed 01/28/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.582 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\p2pmax.lnk - c:\program files\p2pmax\p2pmax.exe
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197910716578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197996084921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kerry\applic~1\mozilla\firefox\profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - HiddenExtension: XUL Cache: {56BEEA16-1A63-4D22-9301-20E3702904DF} - c:\documents and settings\kerry\local settings\application data\{56BEEA16-1A63-4D22-9301-20E3702904DF}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-17 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-17 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-17 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-17 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-17 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-17 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-17 4960]

=============== Created Last 30 ================

2009-01-28 19:58 <DIR> --d----- C:\ComboFix
2009-01-28 17:29 <DIR> a-dshr-- C:\cmdcons
2009-01-28 17:28 161,792 a------- c:\windows\SWREG.exe
2009-01-28 17:28 98,816 a------- c:\windows\sed.exe
2009-01-28 17:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-28 17:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-25 14:58 <DIR> --d----- C:\VundoFix Backups
2009-01-25 14:20 <DIR> --d----- c:\docume~1\kerry\applic~1\Malwarebytes
2009-01-25 13:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 13:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 12:31 145 a------- c:\windows\wininit.ini
2009-01-25 11:31 0 a------- c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 133,120 a------- c:\windows\ayikelikufev.dll
2009-01-25 00:04 142,607 a------- c:\windows\ptllfx81403.exe
2009-01-25 00:04 1,454,080 a------- c:\windows\system32\hlidemon.exe
2009-01-25 00:04 477,184 a------- c:\windows\rgmonsvc.exe
2009-01-25 00:04 85,460 a------- c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 0 a------- c:\windows\mqcd.dbt
2009-01-25 00:04 10,752 a------- c:\windows\wlulwgmg1437.exe
2009-01-25 00:03 4,574,328 a------- c:\windows\enjf6330.exe
2009-01-25 00:03 56,320 a------- c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 32,768 a------- c:\windows\system32\f2djq.as
2009-01-25 00:03 28,672 a------- c:\windows\system32\do8d.sr
2009-01-25 00:03 32,768 a------- c:\windows\system32\zd.zag
2009-01-25 00:03 28,672 a------- c:\windows\system32\dedwf.lp
2009-01-25 00:03 77,312 a------- c:\windows\system32\f3g.e
2009-01-25 00:03 32,768 a------- c:\windows\avofgqfh41488.exe
2009-01-25 00:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-25 00:02 69,697 a------- c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 85,293 a------- c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 93,696 a------- c:\windows\dadrxx3326.exe
2009-01-25 00:02 47,578 a------- c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-25 00:02 194,746 a------- c:\windows\svtbc7701.exe
2009-01-25 00:01 <DIR> --d----- c:\windows\tmpie
2009-01-24 18:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 18:46 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 18:41 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-24 18:30 <DIR> --d----- c:\docume~1\kerry\applic~1\cogad
2009-01-23 21:40 268 a---h--- C:\sqmdata08.sqm
2009-01-23 21:40 244 a---h--- C:\sqmnoopt08.sqm
2009-01-22 19:10 232 a---h--- C:\sqmdata07.sqm
2009-01-22 19:10 244 a---h--- C:\sqmnoopt07.sqm
2009-01-06 11:50 683,008 a------- c:\windows\system32\nsl169.dll

==================== Find3M ====================

2008-12-14 17:19 1,474 a------- c:\docume~1\kerry\applic~1\SAS7_000.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:12 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-04-13 19:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 20:08:22.28 ===============

#6 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:53 PM

Posted 28 January 2009 - 10:10 PM

Hi, Peivalke :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
atjhhhjcx6182.exe
avofgqfh41488.exe
bmkxapbdh6787.exe
dadrxx3326.exe
enjf6330.exe
f2djq.as
f3g.e
hlidemon.exe
nsl169.dll
ptllfx81403.exe
qjsoprfbbjkkfe.exe
rgmonsvc.exe
svtbc7701.exe
vnaqvaw4788.exe
wlulwgmg1437.exe

Folder::
c:\windows\tmpie

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlIxV]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000000

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have the latest JAVA version, follow the instructions below under Upgrading Java to download and install the latest version.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure the following is checked.
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 11.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement."
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u11-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right-click on jre-6u11-windows-i586-p.exe and select "Run as an Administrator.")

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!

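The two CFScripts the helper posted (the Suspect::/DirLook::/Registry:: block in #4 and the File::/Folder::/Registry:: block in #6) were built by hand from the DDS log: the cluster of randomly named executables created in c:\windows within the same three minutes on 2009-01-25, the new c:\windows\tmpie directory, the Winlogon Notify subkey and the muted Security Center notification. The Python below, an added example that is not a BleepingComputer or ComboFix tool and not code from anyone in this thread, does that triage mechanically so a reader can see which log features drive each script line. It reads only the DDS "Created Last 30" layout and a REGEDIT4-style "Reg Loading Points" dump; the file-name heuristics, the three-files-per-minute burst threshold and the way findings are mapped onto the script layout are assumptions of this example, not documented ComboFix behaviour, and the sample lines are copied from the logs posted above (plus two benign entries added as controls).

```python
"""Triage of DDS / ComboFix text logs: flag the burst of randomly named files dropped into
the Windows directory and the registry loading points the helper targeted, then lay the
result out in the File:: / DirLook:: / Registry:: script layout used in this thread."""
import re
from collections import defaultdict

# DDS "Created Last 30" layout: 2009-01-25 00:04 142,607 a------- c:\windows\ptllfx81403.exe
DDS_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
WATCHED_DIRS = ("c:\\windows", "c:\\windows\\system32")        # direct children only
COMMON_EXT = {"exe", "dll", "sys", "cpl", "ocx", "tlb", "ini", "dat", "txt", "log"}


def looks_random(filename):
    """Name heuristics (assumed) tuned to this thread's droppers; ayikelikufev.dll slips through."""
    stem, _, ext = filename.lower().rpartition(".")
    if ext not in COMMON_EXT:                       # f3g.e, zd.zag, system32xp.exe.tmp
        return True
    if re.fullmatch(r"[a-z]+\d{3,5}", stem):        # ptllfx81403, enjf6330, nsl169
        return True
    letters = [c for c in stem if c.isalpha()]      # rgmonsvc, qjsoprfbbjkkfe: few vowels
    return len(letters) >= 7 and sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def triage_files(lines, min_burst=3):
    """Return (suspects, burst_minutes, new_dirs). A burst is a creation minute with min_burst
    or more files dropped directly into the Windows or System32 directory; every file in a
    burst minute is a suspect, as is any file whose name looks machine-generated."""
    by_minute, new_dirs = defaultdict(list), []
    for line in lines:
        m = DDS_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path").lower()
        directory, _, name = path.rpartition("\\")
        if directory not in WATCHED_DIRS:           # skips drivers\ and dllcache\ entries
            continue
        if m.group("size") == "<DIR>":
            new_dirs.append(path)
        else:
            by_minute[m.group("ts")].append((name, path))
    bursts = {ts for ts, items in by_minute.items() if len(items) >= min_burst}
    suspects = sorted(path for ts, items in by_minute.items()
                      for name, path in items if ts in bursts or looks_random(name))
    return suspects, sorted(bursts), sorted(new_dirs)


def triage_registry(lines):
    """Flag Winlogon Notify handlers, a populated AppInit_DLLs and a muted Security Center."""
    findings, key = [], None
    for line in (raw.strip() for raw in lines):
        m = REG_KEY.match(line)
        if m:
            if "\\" in m.group("key"):              # ignore markers such as [BU]
                key = m.group("key")
                if "\\winlogon\\notify\\" in key.lower():
                    findings.append(("delete_key", key))
            continue
        m = REG_VALUE.match(line)
        if m and key:
            name, data = m.group("name"), m.group("data")
            if name.lower() == "updatesdisablenotify" and data != "dword:00000000":
                findings.append(("set_value", key, f'"{name}"=dword:00000000'))
            elif name.lower() == "appinit_dlls" and data not in ("", '""'):
                findings.append(("set_value", key, f'"{name}"=""'))
    return findings


def build_cfscript(suspects, findings, look_dirs=()):
    """Emit File:: / DirLook:: / Registry:: blocks (full paths; the helper wrote bare names)."""
    out = ["File::", *suspects]
    if look_dirs:
        out += ["", "DirLook::", *look_dirs]
    if findings:
        out += ["", "Registry::"]
        for f in findings:
            out += [f"[-{f[1]}]"] if f[0] == "delete_key" else [f"[{f[1]}]", f[2]]
    return "\n".join(out)


# Constructed sample: lines copied from this thread's logs, plus benign controls
# (javacpl.cpl, and dllcache\user32.dll in a sub-directory) that must not be flagged.
SAMPLE_DDS = r"""
2009-01-28 17:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-25 11:31 0 a------- c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:04 142,607 a------- c:\windows\ptllfx81403.exe
2009-01-25 00:04 1,454,080 a------- c:\windows\system32\hlidemon.exe
2009-01-25 00:04 477,184 a------- c:\windows\rgmonsvc.exe
2009-01-25 00:03 77,312 a------- c:\windows\system32\f3g.e
2009-01-25 00:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-25 00:01 <DIR> --d----- c:\windows\tmpie
2009-01-06 11:50 683,008 a------- c:\windows\system32\nsl169.dll
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnlIxV]
[BU]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"""
```

Running `files, bursts, dirs = triage_files(SAMPLE_DDS.splitlines())` and printing `build_cfscript(files, triage_registry(SAMPLE_REG.splitlines()), dirs)` yields a File:: block with the six dropped files, a DirLook:: line for c:\windows\tmpie, and a Registry:: block that deletes the vtUnlIxV Notify subkey and resets UpdatesDisableNotify, which is the shape of the helper's two scripts. Two caveats carry over from the hand-built versions: hlidemon.exe is caught only because it landed in the 00:04 burst, and pronounceable names such as ayikelikufev.dll are missed entirely, so the output is a starting point for the person reading the log, not a verdict.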

#7 Peivalke

Peivalke
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:02:53 PM

Posted 29 January 2009 - 04:03 PM

Ok, I am just going to list out all the reports here.


ComboFix



ComboFix 09-01-21.04 - Kerry 2009-01-29 12:42:22.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.595 [GMT -6:00]
Running from: c:\documents and settings\Kerry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kerry\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\tmpie
c:\windows\tmpie\me.ini
c:\windows\tmpie\msado25.tlb
c:\windows\tmpie\mspass.exe
c:\windows\tmpie\MSVBVM60.DLL
c:\windows\tmpie\MSWINSCK.OCX
c:\windows\tmpie\newpw.txt
c:\windows\tmpie\RICHTX32.OCX
c:\windows\tmpie\urlmon.dll
c:\windows\tmpie\wbemdisp.tlb
c:\windows\tmpie\wininet.dll

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 17:18 . 2009-01-28 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 17:18 . 2009-01-28 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 14:58 . 2009-01-25 14:58 <DIR> d-------- C:\VundoFix Backups
2009-01-25 14:20 . 2009-01-25 14:20 <DIR> d-------- c:\documents and settings\Kerry\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 12:57 . 2009-01-25 12:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 12:31 . 2009-01-25 12:31 145 --a------ c:\windows\wininit.ini
2009-01-25 11:31 . 2009-01-25 11:31 0 --a------ c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 . 2009-01-25 00:24 133,120 --a------ c:\windows\ayikelikufev.dll
2009-01-25 00:04 . 2009-01-25 00:04 1,454,080 --a------ c:\windows\system32\hlidemon.exe
2009-01-25 00:04 . 2009-01-25 00:04 477,184 --a------ c:\windows\rgmonsvc.exe
2009-01-25 00:04 . 2009-01-25 00:04 142,607 --a------ c:\windows\ptllfx81403.exe
2009-01-25 00:04 . 2009-01-25 00:04 85,460 --a------ c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 . 2009-01-25 00:04 10,752 --a------ c:\windows\wlulwgmg1437.exe
2009-01-25 00:04 . 2009-01-25 00:04 0 --a------ c:\windows\mqcd.dbt
2009-01-25 00:03 . 2009-01-25 00:03 4,574,328 --a------ c:\windows\enjf6330.exe
2009-01-25 00:03 . 2009-01-25 00:03 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-25 00:03 . 2009-01-25 00:03 77,312 --a------ c:\windows\system32\f3g.e
2009-01-25 00:03 . 2009-01-25 00:03 56,320 --a------ c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\zd.zag
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\f2djq.as
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\avofgqfh41488.exe
2009-01-25 00:03 . 2009-01-25 00:03 28,672 --a------ c:\windows\system32\do8d.sr
2009-01-25 00:03 . 2009-01-25 00:03 28,672 --a------ c:\windows\system32\dedwf.lp
2009-01-25 00:02 . 2009-01-25 00:02 194,746 --a------ c:\windows\svtbc7701.exe
2009-01-25 00:02 . 2009-01-25 00:02 93,696 --a------ c:\windows\dadrxx3326.exe
2009-01-25 00:02 . 2009-01-25 00:02 85,293 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 . 2009-01-25 00:02 69,697 --a------ c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 . 2009-01-25 00:02 47,578 --a------ c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-24 18:47 . 2009-01-24 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 . 2009-01-25 12:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\program files\Lavasoft
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 18:41 . 2009-01-29 10:00 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-24 18:30 . 2009-01-24 18:47 <DIR> d-------- c:\documents and settings\Kerry\Application Data\cogad
2009-01-23 21:40 . 2009-01-23 21:40 268 --ah----- C:\sqmdata08.sqm
2009-01-23 21:40 . 2009-01-23 21:40 244 --ah----- C:\sqmnoopt08.sqm
2009-01-22 19:10 . 2009-01-22 19:10 244 --ah----- C:\sqmnoopt07.sqm
2009-01-22 19:10 . 2009-01-22 19:10 232 --ah----- C:\sqmdata07.sqm
2009-01-06 11:50 . 2009-01-06 11:50 683,008 --a------ c:\windows\system32\nsl169.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 18:41 --------- d-----w c:\program files\Trillian
2009-01-29 16:00 --------- d-----w c:\documents and settings\Kerry\Application Data\AVG7
2009-01-29 15:17 --------- d-----w c:\documents and settings\Kerry\Application Data\Skype
2009-01-29 15:16 --------- d-----w c:\documents and settings\Kerry\Application Data\skypePM
2009-01-29 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-28 23:18 --------- d-----w c:\program files\Java
2008-12-23 22:35 --------- d-----w c:\program files\Ventrilo
2008-12-23 22:35 --------- d-----w c:\documents and settings\Kerry\Application Data\Ventrilo
2008-12-23 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 20:16 --------- d-----w c:\program files\Driver Sweeper
2008-12-14 23:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-14 23:19 1,474 ----a-w c:\documents and settings\Kerry\Application Data\SAS7_000.DAT
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-30 05:30 --------- d-----w c:\program files\AGEIA Technologies
2008-11-12 19:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-04-14 01:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_17.31.22.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-29 15:14:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-17 219136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-20 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]

2008-12-23 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kerry\Application Data\Mozilla\Firefox\Profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 12:43:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-29 12:44:53
ComboFix-quarantined-files.txt 2009-01-29 18:44:51
ComboFix2.txt 2009-01-29 02:03:53
ComboFix3.txt 2009-01-28 23:31:54

Pre-Run: 149,334,880,256 bytes free
Post-Run: 149,378,568,192 bytes free

168 --- E O F --- 2009-01-15 06:28:42




DDS/pseudo HJT



DDS (Ver_09-01-19.01) - NTFSx86
Run by Kerry at 12:47:17.43 on Thu 01/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.594 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Kerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\p2pmax.lnk - c:\program files\p2pmax\p2pmax.exe
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197910716578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197996084921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kerry\applic~1\mozilla\firefox\profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - HiddenExtension: XUL Cache: {56BEEA16-1A63-4D22-9301-20E3702904DF} - c:\documents and settings\kerry\local settings\application data\{56BEEA16-1A63-4D22-9301-20E3702904DF}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-17 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-17 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-17 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-17 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-17 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-17 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-17 4960]

=============== Created Last 30 ================

2009-01-28 17:29 <DIR> a-dshr-- C:\cmdcons
2009-01-28 17:28 161,792 a------- c:\windows\SWREG.exe
2009-01-28 17:28 98,816 a------- c:\windows\sed.exe
2009-01-28 17:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-28 17:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-25 14:58 <DIR> --d----- C:\VundoFix Backups
2009-01-25 14:20 <DIR> --d----- c:\docume~1\kerry\applic~1\Malwarebytes
2009-01-25 13:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 13:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 12:31 145 a------- c:\windows\wininit.ini
2009-01-25 11:31 0 a------- c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 133,120 a------- c:\windows\ayikelikufev.dll
2009-01-25 00:04 142,607 a------- c:\windows\ptllfx81403.exe
2009-01-25 00:04 1,454,080 a------- c:\windows\system32\hlidemon.exe
2009-01-25 00:04 477,184 a------- c:\windows\rgmonsvc.exe
2009-01-25 00:04 85,460 a------- c:\windows\atjhhhjcx6182.exe
2009-01-25 00:04 0 a------- c:\windows\mqcd.dbt
2009-01-25 00:04 10,752 a------- c:\windows\wlulwgmg1437.exe
2009-01-25 00:03 4,574,328 a------- c:\windows\enjf6330.exe
2009-01-25 00:03 56,320 a------- c:\windows\vnaqvaw4788.exe
2009-01-25 00:03 32,768 a------- c:\windows\system32\f2djq.as
2009-01-25 00:03 28,672 a------- c:\windows\system32\do8d.sr
2009-01-25 00:03 32,768 a------- c:\windows\system32\zd.zag
2009-01-25 00:03 28,672 a------- c:\windows\system32\dedwf.lp
2009-01-25 00:03 77,312 a------- c:\windows\system32\f3g.e
2009-01-25 00:03 32,768 a------- c:\windows\avofgqfh41488.exe
2009-01-25 00:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-25 00:02 69,697 a------- c:\windows\bmkxapbdh6787.exe
2009-01-25 00:02 85,293 a------- c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-25 00:02 93,696 a------- c:\windows\dadrxx3326.exe
2009-01-25 00:02 47,578 a------- c:\windows\system32\qjsoprfbbjkkfe.exe
2009-01-25 00:02 194,746 a------- c:\windows\svtbc7701.exe
2009-01-24 18:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 18:46 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 18:41 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-24 18:30 <DIR> --d----- c:\docume~1\kerry\applic~1\cogad
2009-01-23 21:40 268 a---h--- C:\sqmdata08.sqm
2009-01-23 21:40 244 a---h--- C:\sqmnoopt08.sqm
2009-01-22 19:10 232 a---h--- C:\sqmdata07.sqm
2009-01-22 19:10 244 a---h--- C:\sqmnoopt07.sqm
2009-01-06 11:50 683,008 a------- c:\windows\system32\nsl169.dll

==================== Find3M ====================

2008-12-14 17:19 1,474 a------- c:\docume~1\kerry\applic~1\SAS7_000.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:12 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-04-13 19:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 12:47:24.01 ===============




And the Kaspersky report


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, January 29, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 29, 2009 11:02:00
Records in database: 1724238
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 88327
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 01:20:12


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\tmpie\mspass.exe.vir Infected: not-a-virus:PSWTool.Win32.Messen.bh 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-28@20.00.zip Infected: Trojan-Downloader.Win32.VB.kam 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-28@20.00.zip Infected: Trojan-Downloader.Win32.Adload.fu 1
C:\WINDOWS\atjhhhjcx6182.exe Infected: Trojan-Downloader.Win32.VB.kam 1
C:\WINDOWS\vnaqvaw4788.exe Infected: Trojan-Downloader.Win32.Adload.fu 1

The selected area was scanned.

#8 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:04:53 PM

Posted 29 January 2009 - 05:04 PM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
c:\windows\system32\system32xp.exe.tmp
c:\windows\ayikelikufev.dll
c:\windows\system32\hlidemon.exe
c:\windows\rgmonsvc.exe
c:\windows\ptllfx81403.exe
c:\windows\atjhhhjcx6182.exe
c:\windows\wlulwgmg1437.exe
c:\windows\mqcd.dbt
c:\windows\enjf6330.exe
c:\windows\system32\f3g.e
c:\windows\vnaqvaw4788.exe
c:\windows\system32\zd.zag
c:\windows\system32\f2djq.as
c:\windows\avofgqfh41488.exe
c:\windows\system32\do8d.sr
c:\windows\system32\dedwf.lp
c:\windows\svtbc7701.exe
c:\windows\dadrxx3326.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\bmkxapbdh6787.exe
c:\windows\system32\qjsoprfbbjkkfe.exe

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log.

Additionally, download the enclosed folder. Save and extract its contents to the desktop. Once extracted, open the folder and click on the Seek.bat file. A report will be produced. Copy and paste its contents in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
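The file list in the CFScript above was picked by eye from the ComboFix "Files Created" section of the earlier log: a burst of regular files, most with machine-generated names, written straight into c:\windows and c:\windows\system32 within a few minutes of each other on 2009-01-25. As an added illustration (not code from this thread, from ComboFix or from the helper), here is a Python triage script that parses lines in that layout and flags the same pattern. The sample lines are a constructed subset of the log above; the "letters followed by four or more digits" name heuristic, the created-equals-modified test and the three-files-per-day threshold are my assumptions, not part of ComboFix.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ComboFix "Files Created" layout seen on this page
# (a subset of the entries from the log above, not the full log).
SAMPLE_LOG = r"""
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 12:31 . 2009-01-25 12:31 145 --a------ c:\windows\wininit.ini
2009-01-25 11:31 . 2009-01-25 11:31 0 --a------ c:\windows\system32\system32xp.exe.tmp
2009-01-25 00:24 . 2009-01-25 00:24 133,120 --a------ c:\windows\ayikelikufev.dll
2009-01-25 00:04 . 2009-01-25 00:04 1,454,080 --a------ c:\windows\system32\hlidemon.exe
2009-01-25 00:04 . 2009-01-25 00:04 142,607 --a------ c:\windows\ptllfx81403.exe
2009-01-25 00:03 . 2009-01-25 00:03 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-25 00:03 . 2009-01-25 00:03 32,768 --a------ c:\windows\system32\zd.zag
2009-01-25 00:02 . 2009-01-25 00:02 85,293 --a------ c:\windows\system32\cont_adsoftinc-remove.exe
2009-01-24 18:47 . 2009-01-24 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-06 11:50 . 2009-01-06 11:50 683,008 --a------ c:\windows\system32\nsl169.dll
"""

# One "Files Created" line: created . modified size-or-<DIR> attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
    r"(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S+) (?P<path>.+?)\s*$"
)

# Directories the droppers on this page wrote into (direct children only).
WATCHED_DIRS = (r"c:\windows", r"c:\windows\system32")

# Assumed heuristic: the names seen above are letters plus a 4-5 digit run.
GENERATED_NAME_RE = re.compile(r"^[a-z]+\d{4,}\.exe$")


def parse_files_created(text):
    """Turn ComboFix 'Files Created' lines into dicts; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "created": datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            "modified": datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"].lower(),
        })
    return entries


def parent_and_name(path):
    parent, _, name = path.rpartition("\\")
    return parent, name


def is_fresh_drop(entry):
    """Regular file written directly into a watched dir whose created and
    modified stamps match, i.e. written new rather than copied in with an
    older mtime the way installer-placed files (mbamswissarmy.sys) are."""
    if entry["size"] is None:          # <DIR> entries are not files
        return False
    parent, _ = parent_and_name(entry["path"])
    return parent in WATCHED_DIRS and entry["created"] == entry["modified"]


def triage(text, min_files=3):
    """Group fresh drops by calendar day and return the days that carry at
    least min_files of them, generated-looking names listed first."""
    by_day = defaultdict(list)
    for e in parse_files_created(text):
        if is_fresh_drop(e):
            by_day[e["created"].date().isoformat()].append(e)
    result = {}
    for day, drops in by_day.items():
        if len(drops) >= min_files:
            drops.sort(key=lambda e: (
                not GENERATED_NAME_RE.match(parent_and_name(e["path"])[1]),
                e["created"]))
            result[day] = [e["path"] for e in drops]
    return result


def build_cfscript(paths):
    """Render a File:: section in the layout the helper's CFScript.txt uses."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    for day, paths in triage(SAMPLE_LOG).items():
        print(f"# candidate drops on {day}, review each before acting")
        print(build_cfscript(paths))
```

On the sample it flags the 2009-01-25 burst and nothing else: the drivers and dllcache entries live in subfolders and the installer-copied mbamswissarmy.sys has an older mtime, so they drop out, while nsl169.dll stands alone on its day and never reaches the threshold. It also flags c:\windows\wininit.ini, which the helper's script correctly leaves out (it was written at 12:31, the same minute the Spybot data folder was last modified). That false positive is the point of the usage: the output is a candidate list for an analyst to review against the rest of the log, not a deletion list to hand to ComboFix unread.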


#9 Peivalke

Peivalke
  • Topic Starter

  • Members
  • 6 posts
  • Local time:02:53 PM

Posted 30 January 2009 - 12:15 AM

Combofix log


ComboFix 09-01-21.04 - Kerry 2009-01-29 17:52:51.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.705 [GMT -6:00]
Running from: c:\documents and settings\Kerry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kerry\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\atjhhhjcx6182.exe
c:\windows\avofgqfh41488.exe
c:\windows\ayikelikufev.dll
c:\windows\bmkxapbdh6787.exe
c:\windows\dadrxx3326.exe
c:\windows\enjf6330.exe
c:\windows\mqcd.dbt
c:\windows\ptllfx81403.exe
c:\windows\rgmonsvc.exe
c:\windows\svtbc7701.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\f2djq.as
c:\windows\system32\f3g.e
c:\windows\system32\hlidemon.exe
c:\windows\system32\qjsoprfbbjkkfe.exe
c:\windows\system32\system32xp.exe.tmp
c:\windows\system32\zd.zag
c:\windows\vnaqvaw4788.exe
c:\windows\wlulwgmg1437.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\atjhhhjcx6182.exe
c:\windows\avofgqfh41488.exe
c:\windows\ayikelikufev.dll
c:\windows\bmkxapbdh6787.exe
c:\windows\dadrxx3326.exe
c:\windows\enjf6330.exe
c:\windows\mqcd.dbt
c:\windows\ptllfx81403.exe
c:\windows\rgmonsvc.exe
c:\windows\svtbc7701.exe
c:\windows\system32\cont_adsoftinc-remove.exe
c:\windows\system32\dedwf.lp
c:\windows\system32\do8d.sr
c:\windows\system32\f2djq.as
c:\windows\system32\f3g.e
c:\windows\system32\hlidemon.exe
c:\windows\system32\qjsoprfbbjkkfe.exe
c:\windows\system32\system32xp.exe.tmp
c:\windows\system32\zd.zag
c:\windows\vnaqvaw4788.exe
c:\windows\wlulwgmg1437.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 17:18 . 2009-01-28 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 17:18 . 2009-01-28 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 14:58 . 2009-01-25 14:58 <DIR> d-------- C:\VundoFix Backups
2009-01-25 14:20 . 2009-01-25 14:20 <DIR> d-------- c:\documents and settings\Kerry\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 12:57 . 2009-01-25 12:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 12:31 . 2009-01-25 12:31 145 --a------ c:\windows\wininit.ini
2009-01-25 00:03 . 2009-01-25 00:03 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-24 18:47 . 2009-01-24 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 . 2009-01-25 12:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\program files\Lavasoft
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 18:41 . 2009-01-29 10:00 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-24 18:30 . 2009-01-24 18:47 <DIR> d-------- c:\documents and settings\Kerry\Application Data\cogad
2009-01-23 21:40 . 2009-01-23 21:40 268 --ah----- C:\sqmdata08.sqm
2009-01-23 21:40 . 2009-01-23 21:40 244 --ah----- C:\sqmnoopt08.sqm
2009-01-22 19:10 . 2009-01-22 19:10 244 --ah----- C:\sqmnoopt07.sqm
2009-01-22 19:10 . 2009-01-22 19:10 232 --ah----- C:\sqmdata07.sqm
2009-01-06 11:50 . 2009-01-06 11:50 683,008 --a------ c:\windows\system32\nsl169.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-29 18:41 --------- d-----w c:\program files\Trillian
2009-01-29 16:00 --------- d-----w c:\documents and settings\Kerry\Application Data\AVG7
2009-01-29 15:17 --------- d-----w c:\documents and settings\Kerry\Application Data\Skype
2009-01-29 15:16 --------- d-----w c:\documents and settings\Kerry\Application Data\skypePM
2009-01-29 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-28 23:18 --------- d-----w c:\program files\Java
2008-12-23 22:35 --------- d-----w c:\program files\Ventrilo
2008-12-23 22:35 --------- d-----w c:\documents and settings\Kerry\Application Data\Ventrilo
2008-12-23 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 20:16 --------- d-----w c:\program files\Driver Sweeper
2008-12-14 23:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-14 23:19 1,474 ----a-w c:\documents and settings\Kerry\Application Data\SAS7_000.DAT
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-30 05:30 --------- d-----w c:\program files\AGEIA Technologies
2008-11-12 19:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-04-14 01:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_17.31.22.73 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-29 15:14:12 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-17 219136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-01-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-20 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]

2008-12-23 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kerry\Application Data\Mozilla\Firefox\Profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 17:54:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-29 17:55:40
ComboFix-quarantined-files.txt 2009-01-29 23:55:38
ComboFix2.txt 2009-01-29 18:44:54
ComboFix3.txt 2009-01-29 02:03:53
ComboFix4.txt 2009-01-28 23:31:54

Pre-Run: 149,311,565,824 bytes free
Post-Run: 149,350,776,832 bytes free

180 --- E O F --- 2009-01-15 06:28:42




DDS Log




DDS (Ver_09-01-19.01) - NTFSx86
Run by Kerry at 23:13:20.45 on Thu 01/29/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.777 [GMT -6:00]

AV: AVG 7.5.552 *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Kerry\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\p2pmax.lnk - c:\program files\p2pmax\p2pmax.exe
StartupFolder: c:\docume~1\kerry\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1197910716578
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1197996084921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kerry\applic~1\mozilla\firefox\profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - HiddenExtension: XUL Cache: {56BEEA16-1A63-4D22-9301-20E3702904DF} - c:\documents and settings\kerry\local settings\application data\{56BEEA16-1A63-4D22-9301-20E3702904DF}

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=

============= SERVICES / DRIVERS ===============

R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-12-17 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-12-17 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-12-17 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-12-17 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-12-17 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-12-17 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-12-17 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-12-17 4960]

=============== Created Last 30 ================

2009-01-29 17:52 <DIR> --d----- C:\ComboFix
2009-01-28 17:29 <DIR> a-dshr-- C:\cmdcons
2009-01-28 17:28 161,792 a------- c:\windows\SWREG.exe
2009-01-28 17:28 98,816 a------- c:\windows\sed.exe
2009-01-28 17:18 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-28 17:18 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-25 14:58 <DIR> --d----- C:\VundoFix Backups
2009-01-25 14:20 <DIR> --d----- c:\docume~1\kerry\applic~1\Malwarebytes
2009-01-25 13:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-25 13:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 12:57 <DIR> --d----- c:\program files\Trend Micro
2009-01-25 12:31 145 a------- c:\windows\wininit.ini
2009-01-25 00:03 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-01-24 18:47 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-24 18:46 <DIR> --d----- c:\program files\Lavasoft
2009-01-24 18:41 <DIR> --d-hr-- C:\$VAULT$.AVG
2009-01-24 18:30 <DIR> --d----- c:\docume~1\kerry\applic~1\cogad
2009-01-23 21:40 268 a---h--- C:\sqmdata08.sqm
2009-01-23 21:40 244 a---h--- C:\sqmnoopt08.sqm
2009-01-22 19:10 232 a---h--- C:\sqmdata07.sqm
2009-01-22 19:10 244 a---h--- C:\sqmnoopt07.sqm
2009-01-06 11:50 683,008 a------- c:\windows\system32\nsl169.dll

==================== Find3M ====================

2008-12-14 17:19 1,474 a------- c:\docume~1\kerry\applic~1\SAS7_000.DAT
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-05 11:12 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-12 13:45 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-04-13 19:39 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 23:13:46.59 ===============




Seek.bat report



----a-w 577,024 2005-03-02 18:19:56 C:\Windows\$hf_mig$\KB890859\SP2QFE\user32.dll
----a-w 578,048 2007-03-08 15:48:36 C:\Windows\$hf_mig$\KB925902\SP2QFE\user32.dll
-c----w 577,536 2007-03-08 15:36:28 C:\Windows\$NtServicePackUninstall$\user32.dll
-c----w 577,024 2004-08-04 12:00:00 C:\Windows\$NtUninstallKB890859$\user32.dll
-c----w 577,024 2005-03-02 18:09:30 C:\Windows\$NtUninstallKB925902$\user32.dll
------w 578,560 2008-04-14 00:12:08 C:\Windows\ServicePackFiles\i386\user32.dll
----a-w 578,560 2008-04-14 00:12:08 C:\Windows\system32\user32.dll
-c--a-w 578,560 2009-01-25 06:03:01 C:\Windows\system32\dllcache\user32.dll

Entries: 8 (8)
Directories: 0 Files: 8
Bytes: 4,622,336 Blocks: 9,028

#10 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 30 January 2009 - 10:58 AM

Hi, Peivalke :thumbup2:
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
File::
c:\windows\wininit.ini

FCopy::
C:\Windows\ServicePackFiles\i386\user32.dll | C:\Windows\system32\dllcache\user32.dll

[Image in original post: screenshot showing CFScript.txt being dragged onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Show me another Seek.bat report.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!

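The reasoning behind the FCopy:: step above is a comparison of the user32.dll copies listed by Seek.bat: the live system32 copy and the Windows File Protection cache copy (dllcache) should both match what the service pack installed under ServicePackFiles\i386, and a dllcache copy with a later timestamp is the odd one out. The script below is an added example for this thread and is not part of Seek.bat, ComboFix or the helper's instructions. It embeds the two Seek.bat listings posted in the thread as constructed sample input, treats the ServicePackFiles\i386 copy as the trusted baseline (an assumption made here), and flags any system32 or dllcache copy whose size or modification time differs from that baseline. On the first listing it isolates the dllcache copy with its 2009-01-25 timestamp; on the listing posted after the FCopy it reports nothing.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: the Seek.bat listing posted in this thread before the
# FCopy:: step, including the summary lines the parser has to skip.
SEEK_BEFORE = r"""
----a-w 577,024 2005-03-02 18:19:56 C:\Windows\$hf_mig$\KB890859\SP2QFE\user32.dll
----a-w 578,048 2007-03-08 15:48:36 C:\Windows\$hf_mig$\KB925902\SP2QFE\user32.dll
-c----w 577,536 2007-03-08 15:36:28 C:\Windows\$NtServicePackUninstall$\user32.dll
-c----w 577,024 2004-08-04 12:00:00 C:\Windows\$NtUninstallKB890859$\user32.dll
-c----w 577,024 2005-03-02 18:09:30 C:\Windows\$NtUninstallKB925902$\user32.dll
------w 578,560 2008-04-14 00:12:08 C:\Windows\ServicePackFiles\i386\user32.dll
----a-w 578,560 2008-04-14 00:12:08 C:\Windows\system32\user32.dll
-c--a-w 578,560 2009-01-25 06:03:01 C:\Windows\system32\dllcache\user32.dll

Entries: 8 (8)
Directories: 0 Files: 8
Bytes: 4,622,336 Blocks: 9,028
"""

# The listing posted after the FCopy differs only in the dllcache line, whose
# timestamp now matches the ServicePackFiles copy.
SEEK_AFTER = SEEK_BEFORE.replace(
    "-c--a-w 578,560 2009-01-25 06:03:01", "-c--a-w 578,560 2008-04-14 00:12:08")

# One Seek.bat file entry: 7 attribute flags, size with thousands separators,
# modification time, full path. Summary and blank lines do not match.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<path>\S.*?)\s*$")


def parse_seek(text):
    """Parse Seek.bat output into a list of file-entry dicts; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "attrs": m["attrs"],
            "size": int(m["size"].replace(",", "")),
            "mtime": m["mtime"],
            "path": m["path"],
        })
    return entries


def find_divergent_copies(entries,
                          reference_dir=r"C:\Windows\ServicePackFiles\i386",
                          check_dirs=(r"C:\Windows\system32",
                                      r"C:\Windows\system32\dllcache")):
    """Return (path, reason) for every copy in check_dirs that does not match the
    same-named file in reference_dir. The reference directory is assumed to hold
    the copy the service pack installed; hotfix backup directories are ignored."""
    by_name = defaultdict(dict)
    for e in entries:
        # ntpath handles Windows paths regardless of the host OS.
        name = ntpath.basename(e["path"]).lower()
        by_name[name][ntpath.dirname(e["path"]).lower()] = e

    findings = []
    for copies in by_name.values():
        base = copies.get(reference_dir.lower())
        if base is None:
            continue  # nothing trusted to compare against for this file
        for d in check_dirs:
            c = copies.get(d.lower())
            if c is None:
                continue
            if c["size"] != base["size"]:
                findings.append((c["path"], f"size {c['size']} != baseline {base['size']}"))
            elif c["mtime"] != base["mtime"]:
                findings.append((c["path"], f"mtime {c['mtime']} != baseline {base['mtime']}"))
    return findings


if __name__ == "__main__":
    for label, text in (("before FCopy", SEEK_BEFORE), ("after FCopy", SEEK_AFTER)):
        findings = find_divergent_copies(parse_seek(text))
        print(f"{label}: {len(findings)} divergent copy(ies)")
        for path, reason in findings:
            print(f"  {path}: {reason}")
```

Size and timestamp agreement is only a weak signal, since both are trivially set by whatever wrote the file; with access to the files themselves, a hash comparison against the known-good ServicePackFiles copy is the stronger check, which this listing-only script cannot perform.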

#11 Peivalke

Peivalke
  • Topic Starter

  • Members
  • 6 posts

Posted 01 February 2009 - 12:57 PM

Sorry for the long wait. Haven't had time to get back to the computer. I updated CFScript when it asked me to prior to running this. Here are the two logs you asked for.


CFScript Log


ComboFix 09-01-31.01 - Kerry 2009-01-31 19:34:42.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.672 [GMT -6:00]
Running from: c:\documents and settings\Kerry\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kerry\Desktop\CFScript.txt
AV: AVG 7.5.552 *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\wininit.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\wininit.ini

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\dllcache\user32.dll
.
((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-28 17:18 . 2009-01-28 17:18 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-28 17:18 . 2009-01-28 17:18 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-25 14:58 . 2009-01-25 14:58 <DIR> d-------- C:\VundoFix Backups
2009-01-25 14:20 . 2009-01-25 14:20 <DIR> d-------- c:\documents and settings\Kerry\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-25 13:03 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-01-25 13:03 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-25 13:03 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-25 12:57 . 2009-01-25 12:57 <DIR> d-------- c:\program files\Trend Micro
2009-01-25 00:03 . 2008-04-13 18:12 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-24 18:47 . 2009-01-24 18:55 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 18:47 . 2009-01-25 12:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\program files\Lavasoft
2009-01-24 18:46 . 2009-01-25 12:09 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-24 18:41 . 2009-01-29 10:00 <DIR> dr-h----- C:\$VAULT$.AVG
2009-01-24 18:30 . 2009-01-24 18:47 <DIR> d-------- c:\documents and settings\Kerry\Application Data\cogad
2009-01-23 21:40 . 2009-01-23 21:40 268 --ah----- C:\sqmdata08.sqm
2009-01-23 21:40 . 2009-01-23 21:40 244 --ah----- C:\sqmnoopt08.sqm
2009-01-22 19:10 . 2009-01-22 19:10 244 --ah----- C:\sqmnoopt07.sqm
2009-01-22 19:10 . 2009-01-22 19:10 232 --ah----- C:\sqmdata07.sqm
2009-01-06 11:50 . 2009-01-06 11:50 683,008 --a------ c:\windows\system32\nsl169.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-01 01:28 --------- d-----w c:\documents and settings\Kerry\Application Data\Skype
2009-02-01 00:53 --------- d-----w c:\documents and settings\Kerry\Application Data\skypePM
2009-01-31 18:12 --------- d-----w c:\program files\Trillian
2009-01-31 14:00 --------- d-----w c:\documents and settings\All Users\Application Data\avg7
2009-01-29 16:00 --------- d-----w c:\documents and settings\Kerry\Application Data\AVG7
2009-01-28 23:18 --------- d-----w c:\program files\Java
2008-12-23 22:35 --------- d-----w c:\program files\Ventrilo
2008-12-23 22:35 --------- d-----w c:\documents and settings\Kerry\Application Data\Ventrilo
2008-12-23 22:33 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-23 20:16 --------- d-----w c:\program files\Driver Sweeper
2008-12-14 23:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-14 23:19 1,474 ----a-w c:\documents and settings\Kerry\Application Data\SAS7_000.DAT
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-12 19:45 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-04-14 01:39 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_17.31.22.73 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 14:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2009-02-01 00:47:00 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6d0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-02-01 21898024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-28 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-11-12 13672448]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-12-17 219136]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-02-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-20 c:\windows\Tasks\NatSpeak Periodic Acoustic Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]

2009-01-31 c:\windows\Tasks\NatSpeak Periodic Language Model Optimization.job
- f:\program\schedmgr.exe [2008-07-27 22:07]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Kerry\Application Data\Mozilla\Firefox\Profiles\yz8dyhh7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
FF - prefs.js: browser.search.selectedEngine - Yoog Search
FF - prefs.js: browser.startup.homepage - hxxp://seattle.digitaldreaming.org/
FF - prefs.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Yoog Search
FF - user.js: keyword.URL - hxxp://www9.yoog.com/search.php?q=
FF - user.js: keyword.enabled - true
FF - user.js: browser.search.defaultenginename - Yoog Search
FF - user.js: browser.search.defaulturl - hxxp://www9.yoog.com/search.php?q=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-31 19:36:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-01-31 19:37:00
ComboFix-quarantined-files.txt 2009-02-01 01:36:59
ComboFix2.txt 2009-01-29 23:55:41
ComboFix3.txt 2009-01-29 18:44:54
ComboFix4.txt 2009-01-29 02:03:53
ComboFix5.txt 2009-02-01 01:31:44

Pre-Run: 149,274,537,984 bytes free
Post-Run: 149,263,560,704 bytes free

144 --- E O F --- 2009-01-15 06:28:42



And the Seek.bat log


----a-w 577,024 2005-03-02 18:19:56 C:\Windows\$hf_mig$\KB890859\SP2QFE\user32.dll
----a-w 578,048 2007-03-08 15:48:36 C:\Windows\$hf_mig$\KB925902\SP2QFE\user32.dll
-c----w 577,536 2007-03-08 15:36:28 C:\Windows\$NtServicePackUninstall$\user32.dll
-c----w 577,024 2004-08-04 12:00:00 C:\Windows\$NtUninstallKB890859$\user32.dll
-c----w 577,024 2005-03-02 18:09:30 C:\Windows\$NtUninstallKB925902$\user32.dll
------w 578,560 2008-04-14 00:12:08 C:\Windows\ServicePackFiles\i386\user32.dll
----a-w 578,560 2008-04-14 00:12:08 C:\Windows\system32\user32.dll
-c--a-w 578,560 2008-04-14 00:12:08 C:\Windows\system32\dllcache\user32.dll

Entries: 8 (8)
Directories: 0 Files: 8
Bytes: 4,622,336 Blocks: 9,028

#12 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 01 February 2009 - 01:33 PM

Hi, Peivalke :thumbup2:

Logs look clear. How is the computer doing?



#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,759 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 12 February 2009 - 11:29 PM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.





