Vimax ads\DNSChanger trojan


  • This topic is locked
12 replies to this topic

#1 xtradeadly

xtradeadly

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:50 AM

Posted 07 February 2009 - 10:02 AM

For about a week or so I have had a nasty trojan that got onto my flash drives and infected my other PC. The trojan caused an error when opening a hard drive or flash drive saying: "resycled\ntldr.com is not a valid win32 application" or something like it. Anyway, I got rid of the error manually, but it still shows those nasty Vimax ads instead of other/"normal" ads.
As well, I can't update most antivirus/antispyware programs, and I cannot download anything from microsoft.com or any antivirus sites. I would like to know how to get it off both of my computers and my flash drives.
Also, both my computers are connected via LAN cable, and one of them is connected to an ADSL modem.
Recently my computer is getting slow, and loading pages or playing games is slower than usual.

HJT Log:


DDS (Ver_09-02-01.01) - NTFSx86
Run by User at 16:43:59.48 on Tue 12/09/2008
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.972.1033.18.2047.1443 [GMT 2:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
D:\Ad-Aware\aawservice.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Avira\AntiVir PersonalEdition Premium\avgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
D:\PSPdisp\bin\app\PSPdisp.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Avira\AntiVir PersonalEdition Premium\sched.exe
D:\Avira\AntiVir PersonalEdition Premium\avguard.exe
D:\Avira\AntiVir PersonalEdition Premium\avesvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
d:\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\Drivers\WTSRV.EXE
D:\Avira\AntiVir PersonalEdition Premium\avmailc.exe
D:\Avira\AntiVir PersonalEdition Premium\AVWEBGRD.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\User\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.il/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = 195.175.37.70:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: IDMIEHlprObj Class: {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\internet download manager\IDMIECC.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - d:\flashget\jccatch.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - d:\flashget\getflash.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {EBE9E2B5-B526-48BC-AD46-687263EDCB0E} - No File
TB: {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\isuspm.exe" -scheduler
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [snp2uvc] c:\windows\vsnp2uvc.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [avgnt] "d:\avira\antivir personaledition premium\avgnt.exe" /min
StartupFolder: c:\docume~1\user\startm~1\programs\startup\pspdisp.lnk - d:\pspdisp\bin\app\PSPdisp.exe
IE: &Download All with FlashGet - d:\flashget\jc_all.htm
IE: &Download All with Rapidshare Downloader - c:\docume~1\user\locals~1\temp\rarsfx1\jc_all.htm
IE: &Download with FlashGet - d:\flashget\jc_link.htm
IE: &Download with Rapidshare Downloader - c:\docume~1\user\locals~1\temp\rarsfx1\jc_link.htm
IE: Add to AMV Converter... - d:\movie converter\amvconverter\grab.html
IE: Download all links with IDM - d:\internet download manager\IEGetAll.htm
IE: Download ALL with IDA
IE: Download FLV video content with IDM - d:\internet download manager\IEGetVL.htm
IE: Download with IDA
IE: Download with IDM - d:\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - d:\movie converter\mediamanager\grab.html
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C}
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - d:\flashget\FlashGet.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: avsda.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=67633
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.srtest.com/srl_bin/sysreqlab_srl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227101497500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [2009-1-19 2997872]
R1 avgio;avgio;d:\avira\antivir personaledition premium\avgio.sys [2008-12-3 11840]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2009-1-27 142592]
R2 aawservice;Lavasoft Ad-Aware Service;d:\ad-aware\aawservice.exe [2008-6-2 611664]
R2 AntiVirMailService;Avira AntiVir Premium MailGuard;d:\avira\antivir personaledition premium\avmailc.exe [2008-12-3 164097]
R2 AntiVirScheduler;Avira AntiVir Premium Scheduler;d:\avira\antivir personaledition premium\sched.exe [2008-12-3 68865]
R2 AntiVirService;Avira AntiVir Premium Guard;d:\avira\antivir personaledition premium\avguard.exe [2008-12-3 151297]
R2 antivirwebservice;Avira AntiVir Premium WebGuard;d:\avira\antivir personaledition premium\avwebgrd.exe [2008-12-3 258305]
R2 AVEService;Avira AntiVir Premium MailGuard helper service;d:\avira\antivir personaledition premium\avesvc.exe [2008-12-3 41217]
R3 avgntflt;avgntflt;d:\avira\antivir personaledition premium\avgntflt.sys [2008-12-3 52032]
R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [2009-1-19 8192]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [2008-12-25 3072]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\system32\appdrvrem01.exe svc --> c:\windows\system32\appdrvrem01.exe svc [?]
S3 CAM1210;SM0121 USB 2.0 Video Camera;c:\windows\system32\drivers\cam1210.sys [2006-7-24 89856]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [2008-8-24 14848]
S3 cpuz130;cpuz130;\??\c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\user\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 DADriv1;DADriv1;\??\d:\hacks\dak32.sys --> d:\hacks\DAK32.sys [?]
S3 DBKDRVR54;DBKDRVR54;\??\d:\cheat engine\dbk32.sys --> d:\cheat engine\dbk32.sys [?]
S3 DragonZ1;DragonZ1;\??\d:\downloads\dragon engine 1[1].0\dragon engine 1.0\dragonz.sys --> d:\downloads\dragon engine 1[1].0\dragon engine 1.0\DragonZ.sys [?]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-12-4 42376]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-12-4 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-12-4 81288]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-10-28 29184]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2002-8-8 11330]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2003-6-8 21922]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [2007-6-21 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [2007-6-21 19584]
S3 sdAuxService;PC Tools Auxiliary Service;d:\spyware doctor\pctsAuxs.exe [2008-12-4 356920]
S3 sdCoreService;PC Tools Security Service;d:\spyware doctor\pctsSvc.exe [2008-12-4 1073544]
S3 XDva008;XDva008;\??\c:\windows\system32\xdva008.sys --> c:\windows\system32\XDva008.sys [?]
S3 XDva028;XDva028;\??\c:\windows\system32\xdva028.sys --> c:\windows\system32\XDva028.sys [?]
S3 XDva031;XDva031;\??\c:\windows\system32\xdva031.sys --> c:\windows\system32\XDva031.sys [?]
S3 XDva039;XDva039;\??\c:\windows\system32\xdva039.sys --> c:\windows\system32\XDva039.sys [?]
S3 XDva042;XDva042;\??\c:\windows\system32\xdva042.sys --> c:\windows\system32\XDva042.sys [?]
S3 XDva136;XDva136;\??\c:\windows\system32\xdva136.sys --> c:\windows\system32\XDva136.sys [?]
S3 XDva143;XDva143;\??\c:\windows\system32\xdva143.sys --> c:\windows\system32\XDva143.sys [?]
S3 XDva145;XDva145;\??\c:\windows\system32\xdva145.sys --> c:\windows\system32\XDva145.sys [?]
S3 XDva152;XDva152;\??\c:\windows\system32\xdva152.sys --> c:\windows\system32\XDva152.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\xdva208.sys --> c:\windows\system32\XDva208.sys [?]

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
inifile\shell\notepad\command=Notepad.exe %1

=============== Created Last 30 ================

2008-12-08 15:27 <DIR> --d----- c:\docume~1\user\applic~1\THQ
2008-12-08 14:54 <DIR> --d----- C:\Combo-Fix
2008-12-08 14:43 161,792 a------- c:\windows\SWREG.exe
2008-12-08 14:43 98,816 a------- c:\windows\sed.exe
2008-12-07 20:34 <DIR> --d----- C:\NecroVisioN Demo
2008-12-07 17:47 205,151 a------- c:\windows\system32\nvapps.xml
2008-12-07 17:47 453,152 a------- c:\windows\system32\nvudisp.exe
2008-12-07 17:47 18,696 a------- c:\windows\system32\nvdisp.nvu
2008-12-07 17:47 <DIR> --d----- c:\windows\nview
2008-12-07 17:46 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-07 07:45 <DIR> --d----- C:\Burnout Paradise The Ultimate Box
2008-12-06 22:02 <DIR> --d----- c:\windows\system32\ru-RU
2008-12-06 22:01 <DIR> --d----- c:\windows\system32\he-IL
2008-12-06 17:04 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-12-06 17:04 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-12-06 17:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-12-05 20:27 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-05 19:01 <DIR> --d----- c:\windows\ServicePackFiles
2008-12-05 19:01 294,912 -------- c:\windows\system32\dllcache\dlimport.exe
2008-12-05 18:13 <DIR> --d----- C:\dc0771ece84bdc75ed726d7ac0
2008-12-04 12:16 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-12-04 12:16 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-12-04 12:16 42,376 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-12-04 12:16 29,576 a------- c:\windows\system32\drivers\kcom.sys
2008-12-04 12:16 <DIR> --d----- c:\docume~1\user\applic~1\PC Tools
2008-12-03 20:00 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-03 20:00 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-03 20:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-03 19:42 <DIR> --d----- c:\docume~1\user\applic~1\Avira
2008-12-03 18:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2008-12-02 16:05 <DIR> --d----- c:\program files\Skype
2008-12-02 16:01 169 a------- c:\windows\RtlRack.ini
2008-12-02 07:40 <DIR> --d----- C:\TC
2008-11-19 20:20 21,504 a------- c:\windows\system32\hidserv.dll
2008-11-19 14:27 <DIR> --d----- c:\docume~1\user\applic~1\ToadTrip Games Pty Ltd
2008-11-19 14:26 4,096 a------- c:\windows\d3dx.dat
2008-11-15 10:32 <DIR> --d----- c:\program files\Microsoft Games for Windows - LIVE
2008-11-11 12:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonEU

==================== Find3M ====================

2008-12-05 19:07 246,583 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-11-13 16:18 599,552 a------- c:\windows\system32\crypt32.dll
2008-11-13 16:18 177,664 a------- c:\windows\system32\wintrust.dll
2008-11-13 16:18 599,552 -------- c:\windows\system32\dllcache\crypt32.dll
2008-11-13 16:18 177,664 -------- c:\windows\system32\dllcache\wintrust.dll
2008-11-11 21:30 22,328 a------- c:\docume~1\user\applic~1\PnkBstrK.sys
2008-11-11 21:30 682,280 a------- c:\windows\system32\pbsvc.exe
2008-11-11 19:03 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-10-28 17:41 14,303,392 a------- c:\windows\system32\xlive.dll
2008-10-28 17:41 13,643,936 a------- c:\windows\system32\xlivefnt.dll
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-17 09:29 70,936 a------- c:\windows\system32\PhysXLoader.dll
2008-10-15 09:04 288,024 a------- c:\windows\system32\PhysXCplUI.exe
2008-10-15 09:04 288,024 a------- c:\windows\system32\PhysXCompatCplUI.exe
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-07 09:13 23,320 a------- c:\windows\system32\PhysXDevice.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelTraditionalChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSwedish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSpanish.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelSimplifiedChinese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelPortugese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelKorean.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelJapanese.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelGerman.dll
2008-10-07 09:13 58,648 a------- c:\windows\system32\AgCPanelFrench.dll
2008-09-24 21:45 418,480 a------- c:\windows\system32\wrap_oal.dll
2008-09-24 21:45 115,432 a------- c:\windows\system32\OpenAL32.dll
2008-09-12 12:44 206,256 a------- c:\windows\system32\idmmbc.dll
2008-02-11 22:17 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-08-14 07:40 1 a------- c:\documents and settings\user\SI.bin
2008-12-14 17:36 56 ---shr-- c:\windows\system32\A4EEACA93D.sys

============= FINISH: 16:44:13.65 ===============
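Added example, not part of the original thread or of DDS itself: a small Python triage script for the DDS log format posted above. It flags the three entries a helper would check first: the hard-coded IE proxy (a bare IP the user never set is the likeliest reason AV and microsoft.com downloads fail and ads are swapped), the hidden+system A4EEACA93D.sys in system32, and script-type associations pointed at Notepad, which may be deliberate hardening rather than damage. The embedded log is a constructed excerpt of the post's own log, and the severity labels are my own.

```python
import re
from dataclasses import dataclass

# Constructed excerpt in the format of the DDS log posted above: a few lines
# from each section, including the entries a helper would check first.
# It is not the complete log.
SAMPLE_DDS_LOG = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.il/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = 195.175.37.70:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File

============== File Associations ===============

JSEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1

==================== Find3M ====================

2008-11-13 16:18 599,552 a------- c:\windows\system32\crypt32.dll
2008-12-14 17:36 56 ---shr-- c:\windows\system32\A4EEACA93D.sys

============= FINISH: 16:44:13.65 ===============
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "high": act on it; "info": confirm it is intended
    line: str
    reason: str


# Per-user (u) or per-machine (m) ProxyServer entry in the HJT section.
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(\S+)")
# Bare IPv4 address with optional port, e.g. 195.175.37.70:8080.
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?$")
# Find3M / "Created Last 30" rows: date, time, size or <DIR>, attributes, path.
FILE_ROW_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+([a-z-]{8})\s+(.+)$"
)
# File-association rows for Windows Script Host types.
SCRIPT_ASSOC_RE = re.compile(r"^(?:JSE|JS|VBS|VBE|WSF|WSH)File=(.+)$", re.I)
# Toolbar CLSID whose DLL is missing from disk.
TB_NOFILE_RE = re.compile(r"^TB: \{[0-9A-Fa-f-]+\} - No File$")

SYSTEM32 = "c:\\windows\\system32\\"


def triage(log_text: str) -> list[Finding]:
    """Walk a DDS log line by line and return the entries worth a look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = PROXY_RE.match(line)
        if m:
            target = m.group(1)
            # A proxy given as a bare IP (not a corporate hostname) is the
            # classic hijack: it lets a third party filter and rewrite traffic.
            sev = "high" if BARE_IP_RE.match(target) else "info"
            findings.append(Finding(sev, line,
                f"all IE traffic is routed through proxy {target}; if the user "
                "never configured it, this explains blocked AV/update sites "
                "and swapped ads"))
            continue

        m = FILE_ROW_RE.match(line)
        if m:
            size, attrs, path = m.group(2), m.group(3), m.group(4).lower()
            hidden_system = "h" in attrs and "s" in attrs
            if hidden_system and path.startswith(SYSTEM32) and path.endswith(".sys"):
                findings.append(Finding("high", line,
                    f"hidden+system .sys in system32 (attrs {attrs}, {size} bytes); "
                    "legitimate drivers are neither hidden nor system-flagged, and "
                    "a file this small is no PE image; submit it for analysis"))
            continue

        m = SCRIPT_ASSOC_RE.match(line)
        if m:
            findings.append(Finding("info", line,
                f"script type opens with {m.group(1).split()[0]} instead of WScript; "
                "often deliberate hardening, but confirm the user set it"))
            continue

        if TB_NOFILE_RE.match(line):
            findings.append(Finding("info", line,
                "orphaned toolbar registration with no DLL on disk; harmless leftover"))
    return findings


def high_severity(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS_LOG):
        print(f"[{f.severity.upper():4}] {f.line}\n        -> {f.reason}")
```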


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:06:50 PM

Posted 07 February 2009 - 10:48 AM

Hello xtradeadly,


Plug your flash drive in when you run this tool and it will clean it too. :thumbup2:

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please, along with a new HijackThis log.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Please do this:
1. Download HijackThis™ here:
http://www.trendsecure.com/portal/en-US/th.../hijackthis.php

2. Click 'Do a System Scan and Save log'.
The HJT log will open in notepad.

Thanks,
tea

Edited by teacup61, 07 February 2009 - 10:49 AM.
typo

Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 xtradeadly

xtradeadly
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:01:50 AM

Posted 07 February 2009 - 02:45 PM

ComboFix Log:

ComboFix 09-02-06.04 - User 02/09/2009 21:34:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1506 [GMT 2:00]
Running from: c:\documents and settings\User\Desktop\Combo-Fix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-09 19:33 --------- d-----w c:\documents and settings\All Users\Application Data\Avira
2009-01-27 15:14 --------- d-----w c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-01-27 14:16 --------- d-----w c:\program files\Skype
2009-01-27 12:32 142,592 ----a-w c:\windows\system32\drivers\sp_rsdrv2.sys
2009-01-26 14:36 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-01-26 13:01 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-26 11:03 --------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-01-26 10:50 --------- d-----w c:\program files\ESET
2009-01-24 21:31 --------- d-----w c:\program files\Kaspersky Lab
2009-01-24 21:28 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-01-19 21:28 316,816 ----a-w c:\windows\system32\appdrvrem01.exe
2009-01-19 21:28 2,997,872 ----a-w c:\windows\system32\drivers\appdrv01.sys
2009-01-19 19:35 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools Pro
2009-01-19 19:35 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools Lite
2009-01-19 19:35 --------- d-----w c:\documents and settings\User\Application Data\DAEMON Tools
2009-01-19 19:34 --------- d-----w c:\program files\DAEMON Tools Lite
2009-01-19 19:34 --------- d-----w c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-01-18 18:54 --------- d-----w c:\documents and settings\All Users\Application Data\nView_Profiles
2009-01-16 22:37 --------- d-----w c:\documents and settings\User\Application Data\PSPdisp
2009-01-15 16:30 --------- d-----w c:\documents and settings\All Users\Application Data\Electronic Arts
2009-01-15 16:16 --------- d-----w c:\program files\AGEIA Technologies
2009-01-14 18:45 --------- d-----w c:\documents and settings\User\Application Data\Activision
2009-01-14 18:45 --------- d-----w c:\documents and settings\All Users\Application Data\Activision
2009-01-14 14:11 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-14 14:11 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-01-08 19:28 --------- d-----w c:\documents and settings\User\Application Data\Hamachi
2009-01-08 17:59 17,480 ----a-w c:\windows\system32\drivers\hamachi.sys
2009-01-08 17:42 --------- d-----w c:\documents and settings\User\Application Data\Azureus
2009-01-08 08:08 --------- d-----w c:\documents and settings\User\Application Data\Crayon Physics Deluxe
2009-01-03 08:43 --------- d-----w c:\program files\Microsoft Games for Windows - LIVE
2009-01-01 12:06 8,192 ----a-w c:\windows\system32\drivers\FStarForce.sys
2008-12-30 17:15 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2008-12-30 17:15 111,928 ----a-w c:\windows\system32\PnkBstrB.exe
2008-12-29 17:34 --------- d-----w c:\documents and settings\User\Application Data\Bioshock
2008-12-28 17:02 6,656 ----a-w c:\windows\system32\pspdisp.dll
2008-12-25 14:24 3,072 ----a-w c:\windows\system32\drivers\pspdisp.sys
2008-12-24 09:00 --------- d-----w c:\program files\Microsoft Games
2008-12-20 18:15 --------- d-----w c:\documents and settings\All Users\Application Data\iolo
2008-12-17 13:20 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Games
2008-12-17 13:19 --------- d-----w c:\documents and settings\User\Application Data\Microsoft Game Studios
2008-12-16 17:31 --------- d-----w c:\documents and settings\User\Application Data\ESET
2008-12-16 17:30 --------- d-----w c:\documents and settings\All Users\Application Data\ESET
2008-12-16 14:02 --------- d-----w c:\documents and settings\User\Application Data\iolo
2008-12-16 14:00 --------- d-----w c:\documents and settings\LocalService\Application Data\iolo
2008-12-16 13:51 74,703 ----a-w c:\windows\system32\mfc45.dll
2008-12-14 15:44 --------- d-----w c:\program files\GENIUS TABLET
2008-12-14 13:36 --------- d-----w c:\program files\TeamViewer
2008-12-14 13:22 --------- d-----w c:\documents and settings\User\Application Data\TeamViewer
2008-12-09 14:19 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-05 18:26 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-02 08:13 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2008-11-13 14:18 599,552 ----a-w c:\windows\system32\crypt32.dll
2008-11-13 14:18 599,552 ------w c:\windows\system32\dllcache\crypt32.dll
2008-11-13 14:18 177,664 ----a-w c:\windows\system32\wintrust.dll
2008-11-13 14:18 177,664 ------w c:\windows\system32\dllcache\wintrust.dll
2008-11-11 19:30 682,280 ----a-w c:\windows\system32\pbsvc.exe
2008-11-11 19:30 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-11-11 17:03 66,872 ----a-w c:\windows\system32\PnkBstrA.exe
2008-02-11 20:17 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
2007-08-14 05:40 1 ----a-w c:\documents and settings\User\SI.bin
.

((((((((((((((((((((((((((((( SnapShot@Mon 12-08-2008_14.47.29.10 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 13:01:48 118,784 ----a-w c:\windows\BDOSCAN8\bdupd.dll
+ 2008-01-09 13:01:48 53,248 ----a-w c:\windows\BDOSCAN8\ipsupd.dll
+ 2008-01-09 13:01:48 53,248 ----a-w c:\windows\bdoscandel.exe
+ 2008-01-09 13:01:48 118,784 ----a-w c:\windows\Downloaded Program Files\bdupd.dll
+ 2008-01-09 13:01:48 53,248 ----a-w c:\windows\Downloaded Program Files\ipsupd.dll
- 2008-12-08 09:59:02 15,398 ----a-w c:\windows\SoftwareDistribution\EventCache\{D6DB38BD-ADAE-42FB-8FAF-6A0913F4DA85}.bin
+ 2008-12-08 23:40:35 17,108 ----a-w c:\windows\SoftwareDistribution\EventCache\{D6DB38BD-ADAE-42FB-8FAF-6A0913F4DA85}.bin
+ 2008-12-08 19:09:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_3dc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [04/14/2008 05:42 AM 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [04/14/2008 05:42 AM 1695232]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [11/18/2008 04:31 PM 21633320]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [09/10/2006 10:56 PM 218032]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [12/29/2008 12:40 PM 687560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [12/05/2008 08:26 PM 136600]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [07/11/2007 03:31 PM 569344]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [12/02/2008 11:11 PM 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [12/02/2008 11:11 PM 86016]
"nwiz"="nwiz.exe" [12/02/2008 11:11 PM 1657376 c:\windows\system32\nwiz.exe]

c:\documents and settings\User\Start Menu\Programs\Startup\
PSPdisp.lnk - d:\pspdisp\bin\app\PSPdisp.exe [1/5/2009 5:36:54 PM 617472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.imc"= xbadpcm.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SaiSmart"=c:\program files\Saitek\Software\SaiSmart.exe
"SearchSettings"=c:\program files\Search Settings\SearchSettings.exe
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe"
"Profiler"=c:\program files\Saitek\Software\Profiler.exe
"High Definition Audio Property Page Shortcut"=HDAShCut.exe
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe"
"NeroFilterCheck"=c:\windows\system32\NeroCheck.exe
"AGEIA PhysX SysTray"=c:\program files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Halo Custom Edition\\haloce.exe"=
"d:\\Duke Nukem 3D\\DuksterX\\DukesterX.exe"=
"d:\\Duke Nukem 3D\\Duke3d_Binary_Only_v19.7.1\\duke3d_w32.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"d:\\Gears Of War\\Binaries\\WarGame-G4WLive.exe"=
"d:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\RainbowSixVegas2_SADS.exe"=
"d:\\Tom Clancy's Rainbow Six Vegas 2\\Binaries\\R6Vegas2_Launcher.exe"=
"d:\\Call Of Duty 4 Modern Warfare\\Copy of iw3mp.exe"=
"\\\\HOME-B\\SharedDocs\\Conflict Global Storm\\ConflictGlobal.exe"=
"d:\\Call Of Duty 4 Modern Warfare\\iw3mp.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 2009\\English\\setup.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"d:\\Far Cry 2\\bin\\FarCry2.exe"=
"d:\\Far Cry 2\\bin\\FC2Launcher.exe"=
"d:\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Fallout 3\\Fallout3.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonEU\\NGM\\NGM.exe"=
"d:\\Call of Duty - World at War\\Copy of CoDWaW.exe"=
"d:\\Call of Duty - World at War\\CoDWaW.exe"=
"d:\\Call of Duty - World at War\\CoDWaWmp.exe"=
"d:\\Left 4 Dead\\hl2.exe"=
"d:\\Left 4 Dead\\left4dead.exe"=
"d:\\Grand Theft Auto IV\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Grand Theft Auto IV\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"d:\\Grand Theft Auto IV\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"c:\\Lost Planet Extreme Condition CColonies Edition\\LostPlanetColoniesDX9.exe"=
"c:\\Lost Planet Extreme Condition CColonies Edition\\LostPlanetColoniesDX10.exe"=
"\\\\Home-a\\Kane And Lynch\\kaneandlynch.exe"=
"d:\\Kane and Lynch\\kaneandlynch.exe"=
"\\\\home-a\\Tom Clancy's Splinter Cell Chaos Theory\\System\\splintercell3.exe"=
"d:\\Tom Clancy's Splinter Cell Chaos Theroy\\System\\splintercell3.exe"=
"d:\\James Bond Quantum of Solace\\JB_LiveEngine_s.exe"=
"d:\\BlackShot\\System\\BlackShot.exe"=
"d:\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"d:\\Mirror's Edge\\EADM\\Core.exe"=
"d:\\Dark Sector\\DS.exe"=
"d:\\FlatOut Ultimate Carnage\\Fouc.exe"=
"d:\\FlashGet\\flashget.exe"=
"c:\\Documents and Settings\\All Users\\Documents\\Gears Of War\\Binaries\\WarGame-G4WLive.exe"=
"d:\\The Club\\TheClub.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Burnout Paradise The Ultimate Box\\BurnoutLauncher.exe"=
"c:\\Burnout Paradise The Ultimate Box\\BurnoutConfigTool.exe"=
"c:\\Burnout Paradise The Ultimate Box\\BurnoutParadise.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15218:TCP"= 15218:TCP:BitComet 15218 TCP
"15218:UDP"= 15218:UDP:BitComet 15218 UDP
"9842:TCP"= 9842:TCP:*:Disabled:SolidNetworkManager
"9842:UDP"= 9842:UDP:*:Disabled:SolidNetworkManager
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 appdrv01;Application Driver (01);c:\windows\system32\drivers\appdrv01.sys [1/19/2009 11:28:03 PM 2997872]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [1/27/2009 2:32:41 PM 142592]
R3 FStarForce;FStarForce;c:\windows\system32\drivers\FStarForce.sys [1/19/2009 9:26:45 PM 8192]
R3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [12/25/2008 4:24:58 PM 3072]
S2 appdrvrem01;Application Driver Auto Removal Service (01);c:\windows\System32\appdrvrem01.exe svc --> c:\windows\System32\appdrvrem01.exe svc [?]
S3 CAM1210;SM0121 USB 2.0 Video Camera;c:\windows\system32\drivers\cam1210.sys [7/24/2006 5:49:48 PM 89856]
S3 CamSpaceBus;CamSpace Virtual Joystick Bus device driver;c:\windows\system32\drivers\CamSpaceBus.sys [8/24/2008 1:55:48 PM 14848]
S3 cpuz130;cpuz130;\??\c:\docume~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\User\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 DADriv1;DADriv1;\??\d:\hacks\DAK32.sys --> d:\hacks\DAK32.sys [?]
S3 DBKDRVR54;DBKDRVR54;\??\d:\cheat engine\dbk32.sys --> d:\cheat engine\dbk32.sys [?]
S3 DragonZ1;DragonZ1;\??\d:\downloads\Dragon Engine 1[1].0\Dragon Engine 1.0\DragonZ.sys --> d:\downloads\Dragon Engine 1[1].0\Dragon Engine 1.0\DragonZ.sys [?]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [10/28/2008 4:23:10 PM 29184]
S3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [8/8/2002 5:27:05 PM 11330]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [6/8/2003 1:00:10 PM 21922]
S3 SaiHFF0C;SaiHFF0C;c:\windows\system32\drivers\SaiHFF0C.sys [6/21/2007 11:25:22 AM 56576]
S3 SaiUFF0C;SaiUFF0C;c:\windows\system32\drivers\saiuFF0C.sys [6/21/2007 11:25:32 AM 19584]
S3 sdAuxService;PC Tools Auxiliary Service;d:\spyware doctor\pctsAuxs.exe [12/4/2008 12:16:18 PM 356920]
S3 XDva008;XDva008;\??\c:\windows\system32\XDva008.sys --> c:\windows\system32\XDva008.sys [?]
S3 XDva028;XDva028;\??\c:\windows\system32\XDva028.sys --> c:\windows\system32\XDva028.sys [?]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S3 XDva039;XDva039;\??\c:\windows\system32\XDva039.sys --> c:\windows\system32\XDva039.sys [?]
S3 XDva042;XDva042;\??\c:\windows\system32\XDva042.sys --> c:\windows\system32\XDva042.sys [?]
S3 XDva136;XDva136;\??\c:\windows\system32\XDva136.sys --> c:\windows\system32\XDva136.sys [?]
S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys --> c:\windows\system32\XDva143.sys [?]
S3 XDva145;XDva145;\??\c:\windows\system32\XDva145.sys --> c:\windows\system32\XDva145.sys [?]
S3 XDva152;XDva152;\??\c:\windows\system32\XDva152.sys --> c:\windows\system32\XDva152.sys [?]
S3 XDva208;XDva208;\??\c:\windows\system32\XDva208.sys --> c:\windows\system32\XDva208.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - avgio
*Deregistered* - avipbb
*Deregistered* - ssmdrv

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b498bf37-61f0-11dd-925d-001a4d76e67f}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d0eebdbb-7ba6-11db-9165-806d6172696f}]
\Shell\AutoRun\command - setupSNK.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.il/
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyServer = 195.175.37.70:8080
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download All with FlashGet - d:\flashget\jc_all.htm
IE: &Download All with Rapidshare Downloader - c:\docume~1\User\LOCALS~1\Temp\RarSFX1\jc_all.htm
IE: &Download with FlashGet - d:\flashget\jc_link.htm
IE: &Download with Rapidshare Downloader - c:\docume~1\User\LOCALS~1\Temp\RarSFX1\jc_link.htm
IE: Add to AMV Converter... - d:\movie converter\AMVConverter\grab.html
IE: Download all links with IDM - d:\internet download manager\IEGetAll.htm
IE: Download ALL with IDA
IE: Download FLV video content with IDM - d:\internet download manager\IEGetVL.htm
IE: Download with IDA
IE: Download with IDM - d:\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - d:\movie converter\MediaManager\grab.html
DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} - hxxp://ares.netgame.com/download/mglaunch_USAv1002.cab
DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} - hxxp://www.yoyogames.com/downloads/activex/YoYo.cab
.
.
------- File Associations -------
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
inifile\shell\notepad\command=Notepad.exe %1
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 21:35:51
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\??\d:\downloads\Dragon Engine 1
[1].0\Dragon Engine 1.0\DragonZ.sys"


[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\DragonZ1]
"ImagePath"="\??\d:\downloads\Dragon Engine 1
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2052111302-838170752-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(788)
c:\windows\system32\avsda.dll
.
Completion time: 02/09/2009 21:36:59
ComboFix-quarantined-files.txt 2009-02-09 19:36:57
ComboFix2.txt 2008-12-08 12:56:48
ComboFix3.txt 2008-12-08 12:48:08

Pre-Run: 22,355,361,792 bytes free
Post-Run: 22,389,825,536 bytes free

278

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:39:50, on 09/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ad-Aware\aawservice.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
D:\PSPdisp\bin\app\PSPdisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
d:\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Mirror's Edge\EADM\Core.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: PSPdisp.lnk = D:\PSPdisp\bin\app\PSPdisp.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_link.htm
O8 - Extra context menu item: Add to AMV Converter... - D:\movie converter\AMVConverter\grab.html
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - D:\movie converter\MediaManager\grab.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1227101497500
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - d:\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - d:\Spyware Doctor\pctsSvc.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - d:\Spyware Terminator\sp_rsser.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 8491 bytes


To mention, I've deleted Avira for the ComboFix scan, and I can't download the Windows Recovery Console from ComboFix because I can't download anything from microsoft.com because of the virus.

#4 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 February 2009 - 02:52 PM

Hello,

Awwww.....why did you run it so many times? :thumbup2: Did you by chance save the original? I sure would like to see it if you did. :)

Don't worry about the Recovery Console then. If you can't, then you can't.

I see bits of at least 3 AntiVirus programs, plus you mentioned Avira. If you're running all of those, then you're going to run into problems. Make sure you have only one running realtime shields.

Please only run this once and post the report in your reply:

Please download Malwarebytes' Anti-Malware from one of these places:
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double-click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

How is it running please?

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#5 xtradeadly

xtradeadly
  • Topic Starter

  • Members
  • 7 posts

Posted 07 February 2009 - 04:55 PM

Update error: "Update Failed. Make Sure You Are Connected to the internet and your firewall is set to allow malwarebyte's anti-malware to access the internet"
No, my firewall isn't blocking the internet and I'm connected to the internet.
I can't update any program!
Can't reply till tomorrow in my timeline.

Edited by xtradeadly, 07 February 2009 - 04:57 PM.


#6 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 07 February 2009 - 05:13 PM

If you got it installed, then just do a run with it, and we'll go for updates later. :thumbup2:

tea

#7 xtradeadly

xtradeadly
  • Topic Starter

  • Members
  • 7 posts

Posted 07 February 2009 - 11:54 PM

I had used Malwarebytes' Anti-Malware before; I'll try to get hold of my first log. For the current one there aren't any detections.

Malwarebytes' Anti-Malware Log:
Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 3

10/02/2009 06:47:49
mbam-log-2009-02-10 (06-47-49).txt

Scan type: Quick Scan
Objects scanned: 55150
Time elapsed: 2 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:52:18, on 10/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
D:\PSPdisp\bin\app\PSPdisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] D:\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: PSPdisp.lnk = D:\PSPdisp\bin\app\PSPdisp.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_link.htm
O8 - Extra context menu item: Add to AMV Converter... - D:\movie converter\AMVConverter\grab.html
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - D:\movie converter\MediaManager\grab.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1227101497500
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 8330 bytes


I'm an idiot for the prior usage! :thumbup2:

#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 08 February 2009 - 09:27 AM

Hello,

I'm kind of putting together the story here......you do a ton of downloading, and I think not all of it legit. So you get scared and WAY overdo on the protection in the hopes that nothing bad will happen. Well, not even the best protection is worth a dime when you purposely let the bad stuff in. :thumbup2: From what little I can see, you have/had some really nasty infections. Your computer has likely been compromised. I'll get out what I can find, but since you already ran the tools and I don't know what all was there to begin with I cannot promise I can undo the damage already done.

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.

@echo off
REM Stop the appdrvrem01 service, then delete its registration so it no longer starts
sc stop appdrvrem01
sc delete appdrvrem01
exit



Double click FixServices.bat. A window will open and close. This is normal.

Please run HijackThis! and click "Scan." Place checks next to the following entries, if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O8 - Extra context menu item: &Download All with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_all.htm
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_link.htm
O23 - Service: Application Driver Auto Removal Service (01) (appdrvrem01) - Protection Technology - C:\WINDOWS\System32\appdrvrem01.exe


Close all browsers and other windows except for HijackThis!, and click "Fix checked".

Navigate to and delete the following file(s)(if they exist):

C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_all.htm <---this is in Documents and Settings>User>Local Settings>Temp
C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_link.htm <---same as above for this one
C:\WINDOWS\System32\appdrvrem01.exe

Reboot your computer.

If you have a router, disconnect it from your computer and reset it using the reset button. While it's disconnected, please do the following:

Click Start>Run> Type in (or copy and paste) ipconfig /flushdns and hit enter. If you see anything at all it'll be a quick flash. This is normal.

Then reconnect and let me know how it's running now and post a new HijackThis log.

Thanks,
tea
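As an added defender-side example (not a tool from this thread, from BleepingComputer or from HijackThis), here is a small Python triage script that applies the checks tea is doing by eye to HijackThis log lines: a proxy forced to a raw IP, orphaned "(no file)" entries, browser hooks pointing into a Temp folder, an O17 DNS override, and services with no recorded owner. The sample lines are copied from the HJT log posted above, except the O17 line, which is constructed with documentation-range IPs because the posted log has no O17 entry.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example for this thread; it is not a BleepingComputer or HijackThis tool.
It only flags entries a human analyst should look at; it does not fix anything.
"""
import re

# Section codes (R1, O2, O3, O4, O8, O9, O17, O23) are the real HijackThis ones.
TEMP_PATH = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.IGNORECASE)
IP_PROXY = re.compile(r"ProxyServer\s*=\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
NAMESERVER = re.compile(r"NameServer\s*=\s*([\d.,\s]+)")


def triage_line(line):
    """Return a short reason string if the line deserves a look, else None."""
    line = line.strip()
    code = line.split(" - ", 1)[0]
    if code == "R1":
        m = IP_PROXY.search(line)
        if m:
            # A proxy pinned to a bare IP is how the ad injection / redirection is done.
            return "HTTP proxy forced to %s:%s; all browser traffic can be intercepted" % m.groups()
    if code == "O17":
        m = NAMESERVER.search(line)
        if m:
            return ("DNS servers overridden to %s; compare with ISP/router values "
                    "(DNSChanger pattern)" % m.group(1).strip())
    if code in ("O3", "O9") and line.endswith("(no file)"):
        return "orphaned entry whose file is gone; harmless leftover, safe to fix"
    if code in ("O2", "O4", "O8") and TEMP_PATH.search(line):
        return "browser hook or autorun pointing into a Temp folder; not where software installs itself"
    if code == "O23" and "Unknown owner" in line:
        return "service with no publisher recorded; verify the binary before trusting it"
    return None


def triage_log(text):
    """Run triage_line over every line; return [(code, reason, line), ...]."""
    findings = []
    for raw in text.splitlines():
        reason = triage_line(raw)
        if reason:
            findings.append((raw.strip().split(" - ", 1)[0], reason, raw.strip()))
    return findings


# Sample: lines copied from the HJT log posted in this thread, plus one constructed
# O17 line (DNS override with documentation-range IPs) that the posted log lacks.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: &Download with Rapidshare Downloader - C:\DOCUME~1\User\LOCALS~1\Temp\RarSFX1\jc_link.htm
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 192.0.2.10,192.0.2.11
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

if __name__ == "__main__":
    for code, reason, line in triage_log(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (code, reason, line))
```

The benign lines (the Java updater autorun and the Lavasoft service) pass through unflagged, which is the point: the script narrows a 100-line log to the handful of entries worth a human decision.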

#9 xtradeadly

xtradeadly
  • Topic Starter

  • Members
  • 7 posts

Posted 08 February 2009 - 04:12 PM

Hi, I did what you asked me to, but to make it all clear for you: I didn't install a bunch of antiviruses at once; these are probably just traces of 'em I still have on my computer. Second of all, both my computers got infected by the same **** through my PSP's memory stick and from that to my MP4, camera's memory card and all. Both of my computers had the same error (ntldr.com thingy) and in both I somehow got rid of the error by deleting the autorun.inf, the resycled folder and the registry of them and aquaplay (I have no idea what aquaplay means), and both of my computers have the same ****** Vimax ads in websites where there shouldn't be those kinds of ads, like in Yahoo Answers and such.
Both of my computers are connected via LAN cable and the other one is connected via a USB modem to the internet.

Back to business: I still get the ads. What I want to know is if I need to do all the steps on my other PC and if it's going to change anything.

Here is the HJT Log you asked me to post:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:10:38, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\vsnp2uvc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
D:\PSPdisp\bin\app\PSPdisp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\Drivers\WTSRV.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - D:\Internet Download Manager\IDMIECC.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - D:\FlashGet\jccatch.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - D:\FlashGet\getflash.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [snp2uvc] C:\WINDOWS\vsnp2uvc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - Startup: PSPdisp.lnk = D:\PSPdisp\bin\app\PSPdisp.exe
O8 - Extra context menu item: &Download All with FlashGet - D:\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - D:\FlashGet\jc_link.htm
O8 - Extra context menu item: Add to AMV Converter... - D:\movie converter\AMVConverter\grab.html
O8 - Extra context menu item: Download all links with IDM - D:\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - D:\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - D:\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - D:\movie converter\MediaManager\grab.html
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=67633
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1227101497500
O16 - DPF: {99CAAA27-FA0C-4FA4-B88A-4AB1CC7A17FE} (MGLaunch_USAv1001 Class) - http://ares.netgame.com/download/mglaunch_USAv1002.cab
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - D:\Ad-Aware\aawservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: WinTab Service (WinTabService) - Tablet Driver - C:\WINDOWS\System32\Drivers\WTSRV.EXE

--
End of file - 7625 bytes
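The R1 ProxyServer entry in the log above points Internet Explorer at an address outside the user's own LAN, which is consistent with the ad-injecting hijack described in this thread. The script below is an added triage example (not part of the thread and not HijackThis code) that pulls ProxyServer entries out of a HijackThis log and flags any proxy that is not a private or loopback address; the sample log is constructed from two lines of the log above plus two made-up entries.

```python
import ipaddress
import re

# Constructed sample: the R0 and R1 lines are quoted from the log in this thread,
# the O4 and O9 lines are made up to show that non-proxy entries are ignored.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 195.175.37.70:8080
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
O9 - Extra button: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
"""

# Matches the R1 line format HijackThis uses for the IE proxy setting.
PROXY_RE = re.compile(r"^R1 - (?P<hive>HK\w+)\\.*Internet Settings,ProxyServer = (?P<value>.+)$")


def parse_proxy_entries(log_text):
    """Return (hive, proxy_value) for every R1 ProxyServer line in a HijackThis log."""
    matches = (PROXY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m.group("hive"), m.group("value").strip()) for m in matches if m]


def classify_proxy(value):
    """Classify each host in a ProxyServer value.

    IE accepts a single "host:port" or a per-protocol list such as
    "http=host:port;https=host:port", so every host is checked separately.
    A proxy at a public IP the user never configured is the finding to act on.
    """
    verdicts = []
    for part in value.split(";"):
        hostport = part.split("=", 1)[-1].strip()
        host = hostport.rsplit(":", 1)[0] if ":" in hostport else hostport
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            verdicts.append("hostname-review")  # named proxy: needs a manual look
            continue
        if ip.is_private or ip.is_loopback:
            verdicts.append("lan-proxy")
        else:
            verdicts.append("public-proxy-suspicious")
    return verdicts


def triage(log_text):
    """Return (hive, proxy_value, verdict) for every proxy host found in the log."""
    return [(hive, value, verdict)
            for hive, value in parse_proxy_entries(log_text)
            for verdict in classify_proxy(value)]
```

Running `triage(SAMPLE_LOG)` flags the 195.175.37.70:8080 entry as a public proxy; a real LAN proxy such as 192.168.1.1:3128 is reported as "lan-proxy" instead.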

#10 teacup61

Posted 08 February 2009 - 08:11 PM

Hello,

Disconnect all the computers from each other and clean them all, including yours again, and don't use that memory stick any more. After you're done, if you like, post a HijackThis log for each of them and I'll have a look. If you don't do this they'll just keep reinfecting each other.

Regards,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?

#11 xtradeadly

Posted 09 February 2009 - 08:43 AM

Ok, so I scanned on my other PC with ComboFix and................ NO MORE VIMAX. :thumbup2:
THANK YOU VERY MUCH!!!! Can't tell you how grateful I'm for what you've done for me, but I hope a Thank You would be enough.
You're the best! :)

#12 teacup61

Posted 09 February 2009 - 08:56 AM

Excellent! :thumbup2:

You're most welcome. :step1:

Please delete ComboFix and its accompanying folder C:\Qoobox. Empty your Recycle bin and reboot your computer. Both computers. :) Seriously....don't use that memory card any more or this will happen again. :step4:

http://mvps.org/winhelp2002/unwanted.htm
Please also read Tony Klein's excellent article: How I got Infected in the First Place

Take care!
tea

#13 teacup61

Posted 20 February 2009 - 12:42 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.