
VirtuMonde Rebuilds After Disinfection


  • This topic is locked
26 replies to this topic

#1 Wisconsin Charlie

Wisconsin Charlie

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:53 PM

Posted 16 February 2009 - 02:05 PM

Howdy!

I'm running Spyware Doctor with AntiVirus by PC Tools. It detects VirtuMonde (says that I have one threat and six infections). I tell it to "fix it." It fixes it and then tells me that my computer is infection free, but as soon as I run it again, it says it's there again. This goes on and on. AND, it happens even when I don't restart the computer, and when I AM NOT on the internet. So, it seems to me that there is something hidden that is rebuilding the virus.

When I actually start to browse, windows pop up directing me to various software sites selling, from what I saw, mostly anti-virus software, etc. The computer runs really slow and locks up occasionally. This has only happened since I got the virus. Computer speed was OK until then (less than one week).

Charlie
-----------------------------------------

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 12:39:02.34 on Mon 02/16/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.65 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://srch-us8.hpwis.com/
uDefault_Page_URL = hxxp://us8.hpwis.com/
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
uSearch Bar =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = localhost
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {b0461c72-b482-4f1f-bd17-3e5cac0ce400} - c:\windows\system32\sinodisi.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [wevasujovo] Rundll32.exe "c:\windows\system32\wufewoga.dll",s
mRun: [CPM7bce3a8a] Rundll32.exe "c:\windows\system32\hekeyapi.dll",a
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZN
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203088712171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.9756481481
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {107F91F4-81FB-4BAD-8A60-000C88C6CDCA} = 209.94.172.166 209.94.172.167
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: geBqPJDv - geBqPJDv.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tuvwuuu - tuvwuuu.dll
AppInit_DLLs: yudybg.dll jyspqn.dll c:\windows\system32\sinodisi.dll rwvoop.dll c:\windows\system32\hekeyapi.dll uqbhgs.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hekeyapi.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\hekeyapi.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkIYrRk
LSA: Notification Packages = scecli c:\windows\system32\sinodisi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0m0w9d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://secretplaces.net
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-7 40840]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\bpcdrvsd.sys [2003-8-6 8736]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-7 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-7 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-7 160792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-7 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-7 1079176]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\BPUSBFLT.SYS [2004-6-10 9661]
S2 AFinding;AFinding Service;c:\windows\system32\afinding.exe --> c:\windows\system32\afinding.exe [?]
S2 afisicx;afisicx;c:\windows\system32\afisicx.exe --> c:\windows\system32\afisicx.exe [?]
S2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe --> c:\windows\system32\mabidwe.exe [?]
S2 macidwe;macidwe Service;c:\windows\system32\macidwe.exe --> c:\windows\system32\macidwe.exe [?]
S2 mshlpkd;Microsoft File Mapping Service;c:\windows\system32\mshlp.exe --> c:\windows\system32\mshlp.exe [?]
S2 NOBICYT;NOBICYT Service;c:\windows\system32\nobicyt.exe --> c:\windows\system32\Nobicyt.exe [?]
S2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe --> c:\windows\system32\noytcyr.exe [?]
S2 Routing;Routing Service;c:\windows\system32\routing.exe --> c:\windows\system32\routing.exe [?]
S2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe --> c:\windows\system32\roytctm.exe [?]
S2 sobicyt;sobicyt Service;c:\windows\system32\sobicyt.exe --> c:\windows\system32\sobicyt.exe [?]
S2 soxpeca;soxpeca;c:\windows\system32\soxpeca.exe --> c:\windows\system32\soxpeca.exe [?]
S2 tdxdowkc;tdxdowkc Service;c:\windows\system32\tdxdowkc.exe --> c:\windows\system32\tdxdowkc.exe [?]
S2 tdydowkc;tdydowkc;c:\windows\system32\tdydowkc.exe --> c:\windows\system32\tdydowkc.exe [?]
S2 WServing;WServing Service;c:\windows\system32\wserving.exe --> c:\windows\system32\wserving.exe [?]
S2 wsldoekd;wsldoekd;c:\windows\system32\wsldoekd.exe --> c:\windows\system32\wsldoekd.exe [?]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2005-3-3 17920]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\sdvc05.sys --> c:\windows\system32\drivers\SDVC05.sys [?]
S3 wskrnlc;wskrnlc; [x]
S4 MSControlService;Microsoft cache control;c:\windows\system32\windows --> c:\windows\system32\windows [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-02-13 18:36 <DIR> --d----- c:\program files\InterActual
2009-02-13 18:28 1,529,243 ---sh--- c:\windows\system32\obapufed.ini
2009-02-13 13:14 <DIR> --d----- C:\VundoFix Backups
2009-02-13 10:53 <DIR> --d----- c:\program files\PROC_EXP
2009-02-12 12:27 1,516,964 ---sh--- c:\windows\system32\udujekom.ini
2009-02-11 23:25 2,713 ---sh--- c:\windows\system32\sofokujo.exe
2009-02-11 04:23 2,713 ---sh--- c:\windows\system32\rimododi.exe
2009-02-10 10:21 2,713 ---sh--- c:\windows\system32\tuvulezi.exe
2009-02-09 16:41 1,615,547 ---sh--- c:\windows\system32\ebivekab.ini
2009-02-09 09:37 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-02-09 09:37 20,992 a------- c:\windows\system32\dshowext.ax
2009-02-09 09:30 <DIR> --d----- c:\program files\JL2005A
2009-02-09 09:28 419 a------- c:\windows\videomvp.ini
2009-02-09 09:27 21 a------- c:\windows\CS_SETUP.ini
2009-02-07 16:18 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-02-07 16:18 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-07 16:18 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-07 16:18 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-07 16:18 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-07 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-07 16:18 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-02-06 20:00 <DIR> --d----- c:\program files\AVG
2009-02-06 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-06 11:36 120 a--sh--- c:\windows\system32\tepanxib.ini
2009-02-05 17:22 5,856 a--sh--- c:\windows\system32\fuhibite.exe
2009-02-05 11:07 72,192 a------- c:\windows\system32\a.exe
2009-02-05 10:22 1,536,827 a--sh--- c:\windows\system32\txuobqob.ini
2009-02-04 09:31 1,536,827 a--sh--- c:\windows\system32\idkluxbd.ini
2009-02-03 12:50 31,810 a--sh--- c:\windows\system32\kRrYIkkj.ini2
2009-02-03 12:50 31,810 a--sh--- c:\windows\system32\kRrYIkkj.ini
2009-02-03 10:53 302,592 a------- c:\windows\system32\xxyvurst.dll
2009-02-03 07:51 302,592 a------- c:\windows\system32\fccywuSk.dll
2009-02-03 06:50 302,592 a------- c:\windows\system32\opnlMeBs.dll
2009-01-28 12:16 <DIR> --d----- c:\program files\GoldWave525

==================== Find3M ====================

2009-02-13 18:28 144,089 a--sh--- c:\windows\system32\fijiveni.dll
2009-02-13 18:28 108,256 a--sh--- c:\windows\system32\hekeyapi.dll
2009-02-12 12:27 142,940 a--sh--- c:\windows\system32\nereteva.dll
2009-02-12 12:26 109,676 a--sh--- c:\windows\system32\huwakalu.dll
2009-02-12 11:26 71,416 a--sh--- c:\windows\system32\ronigofu.dll
2009-02-09 16:22 140,558 a--sh--- c:\windows\system32\julasati.dll
2009-02-09 16:22 109,392 a--sh--- c:\windows\system32\vezipoyo.dll
2009-02-07 11:37 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2009-02-06 23:16 73,915 a--sh--- c:\windows\system32\kokihove.dll
2007-11-06 11:19 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-06 11:19 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-06 11:19 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-06 11:19 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-06 11:19 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-06 11:19 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-06 11:19 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-06 11:19 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-06 11:19 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2004-12-03 11:50 67 a------- c:\program files\rem_cdk.bat
0000-00-00 00:00 73,728 a--sh--- c:\windows\system32\pimimoso.dll
2008-02-14 18:16 305,869 a--sh--- c:\windows\system32\ppqss.ini2
0000-00-00 00:00 71,416 a--sh--- c:\windows\system32\wufewoga.dll
2008-10-22 14:59 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-10-22 14:59 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-10-22 14:59 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 12:41:34.84 ===============
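As an added example (not from this thread, from DDS, or from any of the tools named in it), the Python script below triages lines of a DDS log like the one above for the logon-time persistence entries that explain why the infection comes back after every "fix": AppInit_DLLs, Winlogon Notify and LSA packages, SSODL/STS objects, auto-start services whose binary DDS could not read, rundll32 Run entries with a one-letter export, and hidden+system executables in system32. The baseline sets of legitimate LSA and Notify packages are assumptions, and the sample input is excerpted from the log in this post.

```python
"""Triage a DDS log (like the ones pasted in this thread) for logon-time
persistence: the entries that reload Vundo/VirtuMonde after an on-demand
scanner has deleted the components it could see."""
import re

# Assumed baseline: LSA packages Windows XP registers itself. Anything else in
# these values is a DLL that lsass.exe loads at boot, before any scanner runs.
LSA_BASELINE = {
    "Authentication Packages": {"msv1_0"},
    "Notification Packages": {"scecli"},
}
# Assumed baseline of Winlogon Notify packages expected on an XP box (stock
# Windows entries, the Intel graphics handler igfxcui seen in the log, and
# SUPERAntiSpyware's !SASWinLogon from the second log in the thread).
NOTIFY_BASELINE = {"crypt32chain", "cryptnet", "cscdll", "scardsvr", "sclgntfy",
                   "senslogn", "termsrv", "wlballoon", "wgalogon", "igfxcui",
                   "!saswinlogon"}

# "2009-02-13 18:28 108,256 a--sh--- c:\windows\system32\hekeyapi.dll"
FILE_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+(\S{8})\s+(.+)$")
# "S2 afisicx;afisicx;c:\windows\system32\afisicx.exe --> ... [?]"
SERVICE_LINE = re.compile(r"^S2\s+([^;]+);([^;]*);(.*)$")
# 'mRun: [wevasujovo] Rundll32.exe "c:\windows\system32\wufewoga.dll",s'
RUNDLL_LINE = re.compile(
    r'^[um]Run: \[[^\]]+\] rundll32(?:\.exe)? "?([^",]+\.dll)"?,(\w+)', re.I)


def triage(log_text):
    """Return (mechanism, artifact, why) tuples for every suspicious entry."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # Every DLL listed here is mapped into each process that loads user32.dll.
            for dll in line.split(":", 1)[1].split():
                findings.append(("AppInit_DLLs", dll,
                                 "injected into every user32-linked process"))
        elif line.startswith("Notify:"):
            name = line.split(":", 1)[1].split(" - ")[0].strip()
            if name.lower() not in NOTIFY_BASELINE:
                findings.append(("Winlogon Notify", name,
                                 "DLL loaded by winlogon.exe at every logon"))
        elif line.startswith("LSA:"):
            key, _, value = line[4:].partition(" = ")
            key = key.strip()
            for pkg in sorted(set(value.split()) - LSA_BASELINE.get(key, set())):
                findings.append(("LSA " + key, pkg, "loaded by lsass.exe at boot"))
        elif line.startswith(("SSODL:", "STS:")):
            findings.append((line.split(":")[0], line.rsplit(" - ", 1)[-1],
                             "COM object loaded by explorer.exe at logon"))
        elif (m := SERVICE_LINE.match(line)) and line.endswith("[?]"):
            # S2 = auto-start; "[?]" means DDS could not stat the binary.
            findings.append(("auto-start service", m.group(1),
                             "auto-start service whose binary DDS could not read"))
        elif (m := RUNDLL_LINE.match(line)) and len(m.group(2)) == 1:
            findings.append(("Run key via rundll32", m.group(1),
                             "DLL entered through a one-letter export"))
        elif (m := FILE_LINE.match(line)):
            attrs, path = m.group(2), m.group(3)
            if {"s", "h"} <= set(attrs) and "\\system32\\" in path.lower() \
                    and path.lower().endswith((".dll", ".exe")):
                findings.append(("hidden+system file", path,
                                 "executable in system32 with S+H attributes"))
    return findings


# Sample input: lines excerpted from the first DDS log in this thread.
SAMPLE = r"""
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [wevasujovo] Rundll32.exe "c:\windows\system32\wufewoga.dll",s
Notify: geBqPJDv - geBqPJDv.dll
Notify: igfxcui - igfxsrvc.dll
AppInit_DLLs: yudybg.dll jyspqn.dll c:\windows\system32\sinodisi.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hekeyapi.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkIYrRk
LSA: Notification Packages = scecli c:\windows\system32\sinodisi.dll
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-7 1079176]
S2 afisicx;afisicx;c:\windows\system32\afisicx.exe --> c:\windows\system32\afisicx.exe [?]
2009-02-13 18:28 108,256 a--sh--- c:\windows\system32\hekeyapi.dll
2009-02-09 09:37 20,992 a------- c:\windows\system32\dshowext.ax
"""

if __name__ == "__main__":
    for mechanism, artifact, why in triage(SAMPLE):
        print(f"{mechanism:22} {artifact}  ({why})")
```

Run it against a full DDS log to get a list of the loaders a cleanup has to remove together; leaving any one of them behind is enough for the DLLs to be rewritten at the next logon.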


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 17 February 2009 - 05:03 AM

WARNING!
Looking at your system now, one or more of the identified infections is a backdoor Trojan. If this computer is ever used for on-line banking, I suggest you do the following IMMEDIATELY:

  • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.
Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information. Please refrain from using this computer for online banking/financial purposes until we give it the all clear.




Please download SDFix by Andy Manchesta and save it to your desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please reboot into Safe Mode
  • In Safe Mode, right click the SDFix.zip folder and choose Extract All,
  • A new folder will be extracted to your %systemdrive%, typically C:\SDFix
  • Open the extracted folder and double click RunThis.bat to start the script.
  • Type Y to begin the script.
  • It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be running and removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
  • Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt along with any other requested logs at the end of these instructions.



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




NEXT


Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



Post me these logs in your next reply.. Post each log in a separate post..

1. SDFix
2. Malwarebytes'
3. ComboFix

Edited by fenzodahl512, 17 February 2009 - 05:04 AM.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Wisconsin Charlie

Wisconsin Charlie
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:53 PM

Posted 17 February 2009 - 12:31 PM

Well, yesterday I was impatient, and so, before you wrote back to me (quickly, I might add), I did some research and it looked like SUPERAntiSpyware could help, so I downloaded it and it did remove what was bothering my computer. Now, PC Tools SpywareDoctor does not find the virus, so it seems that it is good. Should I still do what you told me? I mean, I'll change my numbers and passwords, etc, but should I still run the software you told me to run? Or should I do a HijackThis again?

I hope I didn't waste your time.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 17 February 2009 - 01:04 PM

Run DDS again and post the log here :thumbup2:



#5 Wisconsin Charlie

Wisconsin Charlie
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:53 PM

Posted 17 February 2009 - 02:04 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 13:00:44.73 on Tue 02/17/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.146 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://srch-us8.hpwis.com/
uDefault_Page_URL = hxxp://us8.hpwis.com/
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
uSearch Bar =
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZN
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203088712171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.9756481481
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: geBqPJDv - geBqPJDv.dll
Notify: igfxcui - igfxsrvc.dll
Notify: tuvwuuu - tuvwuuu.dll
AppInit_DLLs: yudybg.dll jyspqn.dll c:\windows\system32\sinodisi.dll rwvoop.dll c:\windows\system32\hekeyapi.dll uqbhgs.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\jkkIYrRk
LSA: Notification Packages = scecli c:\windows\system32\sinodisi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0m0w9d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://secretplaces.net
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-7 40840]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\bpcdrvsd.sys [2003-8-6 8736]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-7 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-7 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-7 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-1-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-1-15 55024]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-7 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-7 1079176]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\BPUSBFLT.SYS [2004-6-10 9661]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-1-15 7408]
S2 afisicx;afisicx;c:\windows\system32\afisicx.exe --> c:\windows\system32\afisicx.exe [?]
S2 mabidwe;mabidwe Service;c:\windows\system32\mabidwe.exe --> c:\windows\system32\mabidwe.exe [?]
S2 mshlpkd;Microsoft File Mapping Service;c:\windows\system32\mshlp.exe --> c:\windows\system32\mshlp.exe [?]
S2 noytcyr;noytcyr Service;c:\windows\system32\noytcyr.exe --> c:\windows\system32\noytcyr.exe [?]
S2 roytctm;roytctm Service;c:\windows\system32\roytctm.exe --> c:\windows\system32\roytctm.exe [?]
S2 soxpeca;soxpeca;c:\windows\system32\soxpeca.exe --> c:\windows\system32\soxpeca.exe [?]
S2 tdydowkc;tdydowkc;c:\windows\system32\tdydowkc.exe --> c:\windows\system32\tdydowkc.exe [?]
S2 wsldoekd;wsldoekd;c:\windows\system32\wsldoekd.exe --> c:\windows\system32\wsldoekd.exe [?]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2005-3-3 17920]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\sdvc05.sys --> c:\windows\system32\drivers\SDVC05.sys [?]
S3 wskrnlc;wskrnlc; [x]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-02-17 12:01 <DIR> --d----- c:\windows\ERUNT
2009-02-17 11:59 <DIR> --d----- C:\SDFix
2009-02-16 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-16 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-16 15:16 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-02-16 15:15 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-02-13 18:36 <DIR> --d----- c:\program files\InterActual
2009-02-13 18:28 1,529,243 ---sh--- c:\windows\system32\obapufed.ini
2009-02-13 13:14 <DIR> --d----- C:\VundoFix Backups
2009-02-13 10:53 <DIR> --d----- c:\program files\PROC_EXP
2009-02-12 12:27 1,516,964 ---sh--- c:\windows\system32\udujekom.ini
2009-02-11 23:25 2,713 ---sh--- c:\windows\system32\sofokujo.exe
2009-02-11 04:23 2,713 ---sh--- c:\windows\system32\rimododi.exe
2009-02-10 10:21 2,713 ---sh--- c:\windows\system32\tuvulezi.exe
2009-02-09 16:41 1,615,547 ---sh--- c:\windows\system32\ebivekab.ini
2009-02-09 09:37 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-02-09 09:37 20,992 a------- c:\windows\system32\dshowext.ax
2009-02-09 09:30 <DIR> --d----- c:\program files\JL2005A
2009-02-09 09:28 419 a------- c:\windows\videomvp.ini
2009-02-09 09:27 21 a------- c:\windows\CS_SETUP.ini
2009-02-07 16:18 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-02-07 16:18 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-07 16:18 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-07 16:18 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-07 16:18 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-07 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-07 16:18 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-02-06 20:00 <DIR> --d----- c:\program files\AVG
2009-02-06 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-06 11:36 120 a--sh--- c:\windows\system32\tepanxib.ini
2009-02-05 17:22 5,856 a--sh--- c:\windows\system32\fuhibite.exe
2009-02-05 10:22 1,536,827 a--sh--- c:\windows\system32\txuobqob.ini
2009-02-04 09:31 1,536,827 a--sh--- c:\windows\system32\idkluxbd.ini
2009-02-03 12:50 31,810 a--sh--- c:\windows\system32\kRrYIkkj.ini2
2009-02-03 12:50 31,810 a--sh--- c:\windows\system32\kRrYIkkj.ini
2009-01-28 12:16 <DIR> --d----- c:\program files\GoldWave525

==================== Find3M ====================

2009-02-13 18:28 144,089 a--sh--- c:\windows\system32\fijiveni.dll
2009-02-12 12:27 142,940 a--sh--- c:\windows\system32\nereteva.dll
2009-02-12 12:26 109,676 a--sh--- c:\windows\system32\huwakalu.dll
2009-02-09 16:22 140,558 a--sh--- c:\windows\system32\julasati.dll
2009-02-07 11:37 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2007-11-06 11:19 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-06 11:19 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-06 11:19 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-06 11:19 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-06 11:19 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-06 11:19 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-06 11:19 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-06 11:19 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-06 11:19 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2004-12-03 11:50 67 a------- c:\program files\rem_cdk.bat
0000-00-00 00:00 73,728 a--sh--- c:\windows\system32\pimimoso.dll
2008-02-14 18:16 305,869 a--sh--- c:\windows\system32\ppqss.ini2
2008-10-22 14:59 16,384 a--sh--- c:\windows\temp\cookies\index.dat
2008-10-22 14:59 16,384 a--sh--- c:\windows\temp\history\history.ie5\index.dat
2008-10-22 14:59 16,384 a--sh--- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 13:01:17.28 ===============

#6 fenzodahl512

Posted 18 February 2009 - 01:25 AM

Ok.. run all steps from my previous instruction and post the logs here.. That computer is still infected.. :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Wisconsin Charlie

  • Topic Starter

Posted 18 February 2009 - 12:35 PM

Malwarebytes' Anti-Malware 1.34
Database version: 1749
Windows 5.1.2600 Service Pack 2

2/18/2009 11:29:39 AM
mbam-log-2009-02-18 (11-29-39).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 206995
Time elapsed: 44 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 13
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wskrnlc (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\6260EIVX\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\W1UXTPSI\divx20[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6ZCJAJ8D\index[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\DCFHNGNU\upd105320[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ELWJ4BM5\img[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP159\A0031102.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165\A0032473.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP184\A0038626.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP186\A0038818.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP187\A0038821.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP189\A0038862.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP190\A0038913.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP191\A0038940.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP192\A0038979.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP193\A0039029.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP194\A0039118.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP195\A0039119.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP196\A0039125.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP197\A0039183.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP198\A0039184.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP199\A0039210.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP200\A0039274.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP201\A0039323.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP203\A0040240.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229\A0050301.sys (RootKit.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229\A0050317.exe (Trojan.Refpron) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fduvfct.sys (RootKit.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tcexfst.sys (RootKit.Clicker) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pimimoso.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

#8 Wisconsin Charlie

  • Topic Starter

Posted 18 February 2009 - 01:42 PM

ComboFix 09-02-17.02 - Owner 2009-02-18 12:02:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.207 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Local Settings\Temporary Internet Files\tpg.ico
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\Install.txt
c:\windows\patch.exe
c:\windows\system32\dekoleha.dll.tmp
c:\windows\system32\ebivekab.ini
c:\windows\system32\fijiveni.dll
c:\windows\system32\huwakalu.dll
c:\windows\system32\iAlmcoin.dll
c:\windows\system32\idkluxbd.ini
c:\windows\system32\judinoyo.dll.tmp
c:\windows\system32\julasati.dll
c:\windows\system32\kRrYIkkj.ini
c:\windows\system32\kRrYIkkj.ini2
c:\windows\system32\nereteva.dll
c:\windows\system32\obapufed.ini
c:\windows\system32\ppqss.ini2
c:\windows\system32\sltfhcvo.ini
c:\windows\system32\tepanxib.ini
c:\windows\system32\tmp0_161185398294.bk
c:\windows\system32\tmp0_55427584155.bk
c:\windows\system32\tmp1_562571212646.bk
c:\windows\system32\txuobqob.ini
c:\windows\system32\udujekom.ini
c:\windows\Tasks\yemlcegh.job
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AFISICX
-------\Legacy_MABIDWE
-------\Legacy_MSCONTROLSERVICE
-------\Legacy_NOXTCYR
-------\Legacy_NOYTCYR
-------\Legacy_PERFMONS
-------\Legacy_PERFS
-------\Legacy_ROXTCTM
-------\Legacy_ROYTCTM
-------\Legacy_SOTPECA
-------\Legacy_SOXPECA
-------\Legacy_TDYDOWKC
-------\Legacy_WSLDOEKD
-------\Service_afisicx
-------\Service_mabidwe
-------\Service_noytcyr
-------\Service_roytctm
-------\Service_soxpeca
-------\Service_tdydowkc
-------\Service_wsldoekd


((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-17 15:16 . 2009-02-17 15:16 <DIR> d-------- c:\program files\Malwarebytes
2009-02-17 15:16 . 2009-02-17 15:16 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-02-17 15:16 . 2009-02-17 15:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 15:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 15:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-17 12:01 . 2009-02-17 12:01 <DIR> d-------- c:\windows\ERUNT
2009-02-17 11:59 . 2009-02-17 12:48 <DIR> d-------- C:\SDFix
2009-02-16 15:17 . 2009-02-16 15:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-16 15:16 . 2009-02-16 15:16 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-16 15:16 . 2009-02-16 15:16 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-02-16 15:15 . 2009-02-16 15:15 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-13 18:36 . 2009-02-13 18:37 <DIR> d-------- c:\program files\InterActual
2009-02-13 13:14 . 2009-02-15 23:24 <DIR> d-------- C:\VundoFix Backups
2009-02-13 10:53 . 2009-02-13 10:53 <DIR> d-------- c:\program files\PROC_EXP
2009-02-11 23:25 . 2009-02-11 23:25 2,713 ---hs---- c:\windows\system32\sofokujo.exe
2009-02-11 04:23 . 2009-02-11 04:23 2,713 ---hs---- c:\windows\system32\rimododi.exe
2009-02-10 10:21 . 2009-02-10 10:21 2,713 ---hs---- c:\windows\system32\tuvulezi.exe
2009-02-09 09:43 . 2009-02-09 09:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\ArcSoft
2009-02-09 09:37 . 2004-08-04 01:56 20,992 --a------ c:\windows\system32\dshowext.ax
2009-02-09 09:37 . 2004-08-04 01:56 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-02-09 09:30 . 2009-02-09 09:30 <DIR> d-------- c:\program files\JL2005A
2009-02-09 09:28 . 2009-02-09 09:43 419 --a------ c:\windows\videomvp.ini
2009-02-09 09:27 . 2009-02-09 09:27 <DIR> d-------- c:\program files\ArcSoft
2009-02-09 09:27 . 1998-07-21 20:29 21 --a------ c:\windows\CS_SETUP.ini
2009-02-07 16:18 . 2009-02-18 08:22 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-02-07 16:18 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-02-07 16:18 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-07 16:18 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-07 16:18 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-07 16:18 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-06 20:00 . 2009-02-06 20:00 <DIR> d-------- c:\program files\AVG
2009-02-06 19:59 . 2009-02-07 16:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-02-05 17:22 . 2009-02-05 17:22 5,856 --ahs---- c:\windows\system32\fuhibite.exe
2009-01-28 12:16 . 2009-01-28 12:18 <DIR> d-------- c:\program files\GoldWave525

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 17:31 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-18 14:23 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-16 22:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-14 16:20 --------- d-----w c:\program files\invoice
2009-02-14 00:31 --------- d-----w c:\program files\CyberLink
2009-02-07 22:18 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-07 17:37 34 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-02-06 18:58 --------- d-----w c:\program files\WinXMedia
2009-02-06 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-16 22:19 --------- d-----w c:\program files\QuickTime
2009-01-16 22:18 --------- d-----w c:\program files\Common Files\Apple
2009-01-16 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-02 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2007-11-06 17:19 92,064 ----a-w c:\documents and settings\Owner\mqdmmdm.sys
2007-11-06 17:19 9,232 ----a-w c:\documents and settings\Owner\mqdmmdfl.sys
2007-11-06 17:19 79,328 ----a-w c:\documents and settings\Owner\mqdmserd.sys
2007-11-06 17:19 66,656 ----a-w c:\documents and settings\Owner\mqdmbus.sys
2007-11-06 17:19 6,208 ----a-w c:\documents and settings\Owner\mqdmcmnt.sys
2007-11-06 17:19 5,936 ----a-w c:\documents and settings\Owner\mqdmwhnt.sys
2007-11-06 17:19 4,048 ----a-w c:\documents and settings\Owner\mqdmcr.sys
2007-11-06 17:19 25,600 ----a-w c:\documents and settings\Owner\usbsermptxp.sys
2007-11-06 17:19 22,768 ----a-w c:\documents and settings\Owner\usbsermpt.sys
2004-12-03 17:50 67 ----a-w c:\program files\rem_cdk.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 413775]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-15 1830128]
"NVIEW"="nview.dll" [2003-03-03 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-03-03 4595712]
"nwiz"="nwiz.exe" [2003-03-03 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"VIDC.MJPG"= jl_mjpg2.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
backup=c:\windows\pss\eFax 4.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Omega ASIO Control Panel.lnk]
backup=c:\windows\pss\Omega ASIO Control Panel.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TextBridge Instant Access OCR.lnk]
backup=c:\windows\pss\TextBridge Instant Access OCR.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Update InstaCode.lnk]
backup=c:\windows\pss\Update InstaCode.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\E-Color Registration
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Doctor

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
--a------ 2005-12-16 17:59 107008 c:\program files\eFax Messenger 4.1\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2003-04-22 03:43 413775 c:\program files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 18:11 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--------- 1998-05-07 17:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 12:36 1168264 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-03-03 10:44 4595712 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-06-08 15:22 208941 c:\program files\Real\RealOne Player\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--------- 2002-09-13 22:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-01-24 18:58 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-03-03 10:44 323584 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"NVSvc"=2 (0x2)
"NetMDSB"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"MSControlService"=3 (0x3)
"IDriverT"=3 (0x3)
"GearSecurity"=2 (0x2)
"Brother XP spl Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force\\Df.exe"=
"c:\\Program Files\\invoice\\EasyInv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsTray.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\bpcdrvsd.sys [2003-08-06 8736]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-02-07 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-01-15 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-01-15 55024]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\BPUSBFLT.SYS [2004-06-10 9661]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-01-15 7408]
S2 mshlpkd;Microsoft File Mapping Service;c:\windows\system32\mshlp.exe --> c:\windows\system32\mshlp.exe [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2005-03-03 17920]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-06-04 70888]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-07 356920]
S3 SDVC05;USB SDVC05;c:\windows\system32\Drivers\SDVC05.sys --> c:\windows\system32\Drivers\SDVC05.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\{132C39E2-E0A9-4C18-A8FD-6A05C5288B5E}_HP-PAVILION_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 01:56]

2009-02-17 c:\windows\Tasks\{CA7DE196-E1FE-4D6E-AD96-EBAFDD73008A}_HP-PAVILION_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 01:56]

2009-02-18 c:\windows\Tasks\{F4696203-B1A3-4059-9990-394EB8715248}_HP-PAVILION_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 01:56]
.
- - - - ORPHANS REMOVED - - - -

Notify-geBqPJDv - geBqPJDv.dll
Notify-tuvwuuu - tuvwuuu.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g0m0w9d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://secretplaces.net
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 12:11:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(536)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-18 12:23:34 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 18:22:46

Pre-Run: 83,106,062,336 bytes free
Post-Run: 83,078,979,584 bytes free

333 --- E O F --- 2008-05-17 12:20:13

#9 Wisconsin Charlie

  • Topic Starter

Posted 18 February 2009 - 01:51 PM

DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 12:48:37.53 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.183 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: &Search
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203088712171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.9756481481
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {107F91F4-81FB-4BAD-8A60-000C88C6CDCA} = 209.94.172.166 209.94.172.167
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0m0w9d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://secretplaces.net
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-7 40840]
R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\bpcdrvsd.sys [2003-8-6 8736]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-7 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-7 81288]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-7 160792]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-7 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-7 1079176]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\BPUSBFLT.SYS [2004-6-10 9661]
RUnknown SASDIFSV;SASDIFSV; [x]
RUnknown SASENUM;SASENUM; [x]
RUnknown SASKUTIL;SASKUTIL; [x]
S2 mshlpkd;Microsoft File Mapping Service;c:\windows\system32\mshlp.exe --> c:\windows\system32\mshlp.exe [?]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2005-3-3 17920]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\sdvc05.sys --> c:\windows\system32\drivers\SDVC05.sys [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-02-18 12:01 161,792 a------- c:\windows\SWREG.exe
2009-02-18 12:01 98,816 a------- c:\windows\sed.exe
2009-02-17 15:16 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-17 15:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 15:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-17 15:16 <DIR> --d----- c:\program files\Malwarebytes
2009-02-17 12:01 <DIR> --d----- c:\windows\ERUNT
2009-02-17 11:59 <DIR> --d----- C:\SDFix
2009-02-16 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-16 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-16 15:16 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-02-13 18:36 <DIR> --d----- c:\program files\InterActual
2009-02-13 13:14 <DIR> --d----- C:\VundoFix Backups
2009-02-13 10:53 <DIR> --d----- c:\program files\PROC_EXP
2009-02-11 23:25 2,713 ---sh--- c:\windows\system32\sofokujo.exe
2009-02-11 04:23 2,713 ---sh--- c:\windows\system32\rimododi.exe
2009-02-10 10:21 2,713 ---sh--- c:\windows\system32\tuvulezi.exe
2009-02-09 09:37 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-02-09 09:37 20,992 a------- c:\windows\system32\dshowext.ax
2009-02-09 09:30 <DIR> --d----- c:\program files\JL2005A
2009-02-09 09:28 419 a------- c:\windows\videomvp.ini
2009-02-09 09:27 21 a------- c:\windows\CS_SETUP.ini
2009-02-07 16:18 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-02-07 16:18 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-07 16:18 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-07 16:18 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-07 16:18 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-07 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-07 16:18 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-02-06 20:00 <DIR> --d----- c:\program files\AVG
2009-02-06 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-02-05 17:22 5,856 a--sh--- c:\windows\system32\fuhibite.exe
2009-01-28 12:16 <DIR> --d----- c:\program files\GoldWave525

==================== Find3M ====================

2009-02-07 11:37 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2007-11-06 11:19 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-06 11:19 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-06 11:19 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-06 11:19 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-06 11:19 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-06 11:19 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-06 11:19 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-06 11:19 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-06 11:19 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2004-12-03 11:50 67 a------- c:\program files\rem_cdk.bat

============= FINISH: 12:49:55.18 ===============

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 18 February 2009 - 04:10 PM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\sofokujo.exe
c:\windows\system32\rimododi.exe
c:\windows\system32\tuvulezi.exe
c:\windows\system32\fuhibite.exe

DDS::
TB: {A057A204-BACC-4D26-9990-79A187E2698E} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} -
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} -

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: dragging CFScript.txt onto ComboFix.exe]

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 Wisconsin Charlie

Wisconsin Charlie
  • Topic Starter

  • Members
  • 16 posts

Posted 18 February 2009 - 05:40 PM

ComboFix 09-02-17.02 - Owner 2009-02-18 15:50:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.217 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\Security & Repair\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\Security & Repair\CFScript.txt
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\fuhibite.exe
c:\windows\system32\rimododi.exe
c:\windows\system32\sofokujo.exe
c:\windows\system32\tuvulezi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\fuhibite.exe
c:\windows\system32\rimododi.exe
c:\windows\system32\sofokujo.exe
c:\windows\system32\tuvulezi.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-17 15:16 . 2009-02-17 15:16 <DIR> d-------- c:\program files\Malwarebytes
2009-02-17 15:16 . 2009-02-17 15:16 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-02-17 15:16 . 2009-02-17 15:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-17 15:16 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 15:16 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-17 12:01 . 2009-02-17 12:01 <DIR> d-------- c:\windows\ERUNT
2009-02-17 11:59 . 2009-02-17 12:48 <DIR> d-------- C:\SDFix
2009-02-16 15:17 . 2009-02-16 15:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-16 15:16 . 2009-02-16 15:16 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-16 15:16 . 2009-02-18 12:29 <DIR> d-------- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2009-02-13 18:36 . 2009-02-13 18:37 <DIR> d-------- c:\program files\InterActual
2009-02-13 13:14 . 2009-02-15 23:24 <DIR> d-------- C:\VundoFix Backups
2009-02-13 10:53 . 2009-02-13 10:53 <DIR> d-------- c:\program files\PROC_EXP
2009-02-09 09:43 . 2009-02-09 09:43 <DIR> d-------- c:\documents and settings\Owner\Application Data\ArcSoft
2009-02-09 09:37 . 2004-08-04 01:56 20,992 --a------ c:\windows\system32\dshowext.ax
2009-02-09 09:37 . 2004-08-04 01:56 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-02-09 09:30 . 2009-02-09 09:30 <DIR> d-------- c:\program files\JL2005A
2009-02-09 09:28 . 2009-02-09 09:43 419 --a------ c:\windows\videomvp.ini
2009-02-09 09:27 . 2009-02-09 09:27 <DIR> d-------- c:\program files\ArcSoft
2009-02-09 09:27 . 1998-07-21 20:29 21 --a------ c:\windows\CS_SETUP.ini
2009-02-07 16:18 . 2009-02-18 15:41 <DIR> d-------- c:\program files\Spyware Doctor
2009-02-07 16:18 . 2009-02-07 16:18 <DIR> d-------- c:\documents and settings\Owner\Application Data\PC Tools
2009-02-07 16:18 . 2008-07-28 12:29 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-02-07 16:18 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-02-07 16:18 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-02-07 16:18 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-02-07 16:18 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2009-02-06 20:00 . 2009-02-06 20:00 <DIR> d-------- c:\program files\AVG
2009-02-06 19:59 . 2009-02-07 16:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-01-28 12:16 . 2009-01-28 12:18 <DIR> d-------- c:\program files\GoldWave525

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 21:42 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-18 21:09 --------- d-----w c:\program files\Mozilla Thunderbird
2009-02-16 22:43 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-14 16:20 --------- d-----w c:\program files\invoice
2009-02-14 00:31 --------- d-----w c:\program files\CyberLink
2009-02-07 22:18 --------- d-----w c:\program files\Common Files\PC Tools
2009-02-07 17:37 34 ----a-w c:\documents and settings\Owner\jagex_runescape_preferences.dat
2009-02-06 18:58 --------- d-----w c:\program files\WinXMedia
2009-02-06 18:52 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-16 22:19 --------- d-----w c:\program files\QuickTime
2009-01-16 22:18 --------- d-----w c:\program files\Common Files\Apple
2009-01-16 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-02 18:08 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2007-11-06 17:19 92,064 ----a-w c:\documents and settings\Owner\mqdmmdm.sys
2007-11-06 17:19 9,232 ----a-w c:\documents and settings\Owner\mqdmmdfl.sys
2007-11-06 17:19 79,328 ----a-w c:\documents and settings\Owner\mqdmserd.sys
2007-11-06 17:19 66,656 ----a-w c:\documents and settings\Owner\mqdmbus.sys
2007-11-06 17:19 6,208 ----a-w c:\documents and settings\Owner\mqdmcmnt.sys
2007-11-06 17:19 5,936 ----a-w c:\documents and settings\Owner\mqdmwhnt.sys
2007-11-06 17:19 4,048 ----a-w c:\documents and settings\Owner\mqdmcr.sys
2007-11-06 17:19 25,600 ----a-w c:\documents and settings\Owner\usbsermptxp.sys
2007-11-06 17:19 22,768 ----a-w c:\documents and settings\Owner\usbsermpt.sys
2004-12-03 17:50 67 ----a-w c:\program files\rem_cdk.bat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2003-04-22 413775]
"NVIEW"="nview.dll" [2003-03-03 c:\windows\system32\nview.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus Photo R220 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE" [2005-03-09 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-03-03 4595712]
"nwiz"="nwiz.exe" [2003-03-03 c:\windows\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv31"= c:\windows\system32\ir32_32.dll
"vidc.iv32"= c:\windows\system32\ir32_32.dll
"MSACM.CEGSM"= mobilev.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm
"VIDC.MJPG"= jl_mjpg2.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax 4.1.lnk]
backup=c:\windows\pss\eFax 4.1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MySoftware NewsFlash.lnk]
backup=c:\windows\pss\MySoftware NewsFlash.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^MyWebSearch Email Plugin.lnk]
backup=c:\windows\pss\MyWebSearch Email Plugin.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Omega ASIO Control Panel.lnk]
backup=c:\windows\pss\Omega ASIO Control Panel.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TextBridge Instant Access OCR.lnk]
backup=c:\windows\pss\TextBridge Instant Access OCR.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Update InstaCode.lnk]
backup=c:\windows\pss\Update InstaCode.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 01:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.1]
--a------ 2005-12-16 17:59 107008 c:\program files\eFax Messenger 4.1\J2GDllCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2003-04-22 03:43 413775 c:\program files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-03-11 18:11 114688 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
--------- 1998-05-07 17:04 52736 c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
--a------ 2008-08-25 12:36 1168264 c:\program files\Spyware Doctor\pctsTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-03-03 10:44 4595712 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
--a------ 2006-06-08 15:22 208941 c:\program files\Real\RealOne Player\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--------- 2002-09-13 22:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
--a------ 2005-01-24 18:58 81920 c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
--a------ 2003-08-19 01:01 110592 c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-03-03 10:44 323584 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"SPBBCSvc"=2 (0x2)
"SBService"=2 (0x2)
"SAVScan"=3 (0x3)
"NPFMntor"=2 (0x2)
"navapsvc"=2 (0x2)
"LiveUpdate"=3 (0x3)
"ccSetMgr"=2 (0x2)
"ccPwdSvc"=3 (0x3)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"UleadBurningHelper"=2 (0x2)
"Symantec Core LC"=2 (0x2)
"SSScsiSV"=3 (0x3)
"SPTISRV"=3 (0x3)
"sdCoreService"=2 (0x2)
"sdAuxService"=2 (0x2)
"PACSPTISVR"=3 (0x3)
"NVSvc"=2 (0x2)
"NetMDSB"=2 (0x2)
"MSCSPTISRV"=3 (0x3)
"MSControlService"=3 (0x3)
"IDriverT"=3 (0x3)
"GearSecurity"=2 (0x2)
"Brother XP spl Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Microsoft ActiveSync\\WCESMGR.EXE"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\NovaLogic\\Delta Force\\Df.exe"=
"c:\\Program Files\\invoice\\EasyInv.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\WS_FTP\\FTP95PRO.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\WINDOWS\\system32\\userinit.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsGui.exe"=
"c:\\Program Files\\Spyware Doctor\\pctsTray.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\msconfig.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=

R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\bpcdrvsd.sys [2003-08-06 8736]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-02-07 160792]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\BPUSBFLT.SYS [2004-06-10 9661]
S2 mshlpkd;Microsoft File Mapping Service;c:\windows\system32\mshlp.exe --> c:\windows\system32\mshlp.exe [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2005-03-03 17920]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-06-04 70888]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys --> c:\progra~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-02-07 356920]
S3 SDVC05;USB SDVC05;c:\windows\system32\Drivers\SDVC05.sys --> c:\windows\system32\Drivers\SDVC05.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-02-13 c:\windows\Tasks\{132C39E2-E0A9-4C18-A8FD-6A05C5288B5E}_HP-PAVILION_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 01:56]

2009-02-18 c:\windows\Tasks\{CA7DE196-E1FE-4D6E-AD96-EBAFDD73008A}_HP-PAVILION_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 01:56]

2009-02-18 c:\windows\Tasks\{F4696203-B1A3-4059-9990-394EB8715248}_HP-PAVILION_Owner.job
- c:\windows\system32\mobsync.exe [2004-08-04 01:56]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
IE: &Search
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\g0m0w9d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://secretplaces.net
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealOne Player\Netscape6\nprpjplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 15:58:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(480)
c:\windows\system32\COMRes.dll

- - - - - - - > 'lsass.exe'(536)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-02-18 16:09:53 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 22:09:09
ComboFix2.txt 2009-02-18 18:23:35

Pre-Run: 83,020,472,320 bytes free
Post-Run: 83,003,457,536 bytes free

273 --- E O F --- 2008-05-17 12:20:13



DDS (Ver_09-02-01.01) - NTFSx86
Run by Owner at 16:34:32.76 on Wed 02/18/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.447.202 [GMT -6:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAIA.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Security & Repair\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uDefault_Search_URL = hxxp://srch-us8.hpwis.com/
mSearch Bar =
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {8F4902B6-6C04-4ade-8052-AA58578A21BD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
mRun: [EPSON Stylus Photo R220 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAIA.EXE /P30 "EPSON Stylus Photo R220 Series" /O6 "USB002" /M "Stylus Photo R220"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: &Search
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
Trusted Zone: microsoft.com\download.windowsupdate
Trusted Zone: microsoft.com\update
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {00000045-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/sg726acm.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1203088712171
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38110.9756481481
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: ic32pp - {BBCA9F81-8F4F-11D2-90FF-0080C83D3571} - c:\windows\wc98pp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: igfxcui - igfxsrvc.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\g0m0w9d9.default\
FF - prefs.js: browser.startup.homepage - hxxp://secretplaces.net
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll

============= SERVICES / DRIVERS ===============

R1 BpCdrVsd;BpCdrVsd;c:\windows\system32\drivers\bpcdrvsd.sys [2003-8-6 8736]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-2-7 160792]
R3 bpusbflt;BACKPACK USB Filter;c:\windows\system32\drivers\BPUSBFLT.SYS [2004-6-10 9661]
S2 mshlpkd;Microsoft File Mapping Service;c:\windows\system32\mshlp.exe --> c:\windows\system32\mshlp.exe [?]
S3 A4S2600;A4S2600;c:\windows\system32\drivers\a4s2600.sys --> c:\windows\system32\drivers\A4S2600.sys [?]
S3 CEUSBAUD;Lexicon USB MIDI Driver1;c:\windows\system32\drivers\ceusbaud.sys [2005-3-3 17920]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2009-2-7 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2009-2-7 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2009-2-7 81288]
S3 JL2005;JL2005A Toy Camera;c:\windows\system32\drivers\toywdm.sys [2004-6-4 70888]
S3 PCDRDRV;Pcdr Helper Driver;\??\c:\progra~1\pc-doc~1\diagno~1\pcdrdrv.sys --> c:\progra~1\pc-doc~1\diagno~1\PCDRDRV.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-2-7 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-2-7 1079176]
S3 SDVC05;USB SDVC05;c:\windows\system32\drivers\sdvc05.sys --> c:\windows\system32\drivers\SDVC05.sys [?]
S4 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe --> c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [?]

=============== Created Last 30 ================

2009-02-18 12:01 161,792 a------- c:\windows\SWREG.exe
2009-02-18 12:01 98,816 a------- c:\windows\sed.exe
2009-02-17 15:16 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-02-17 15:16 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-17 15:16 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-17 15:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-17 15:16 <DIR> --d----- c:\program files\Malwarebytes
2009-02-17 12:01 <DIR> --d----- c:\windows\ERUNT
2009-02-17 11:59 <DIR> --d----- C:\SDFix
2009-02-16 15:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-02-16 15:16 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-02-16 15:16 <DIR> --d----- c:\docume~1\owner\applic~1\SUPERAntiSpyware.com
2009-02-13 18:36 <DIR> --d----- c:\program files\InterActual
2009-02-13 13:14 <DIR> --d----- C:\VundoFix Backups
2009-02-13 10:53 <DIR> --d----- c:\program files\PROC_EXP
2009-02-09 09:37 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-02-09 09:37 20,992 a------- c:\windows\system32\dshowext.ax
2009-02-09 09:30 <DIR> --d----- c:\program files\JL2005A
2009-02-09 09:28 419 a------- c:\windows\videomvp.ini
2009-02-09 09:27 21 a------- c:\windows\CS_SETUP.ini
2009-02-07 16:18 160,792 a------- c:\windows\system32\drivers\pctfw2.sys
2009-02-07 16:18 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2009-02-07 16:18 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2009-02-07 16:18 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2009-02-07 16:18 29,576 a------- c:\windows\system32\drivers\kcom.sys
2009-02-07 16:18 <DIR> --d----- c:\program files\Spyware Doctor
2009-02-07 16:18 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-02-06 20:00 <DIR> --d----- c:\program files\AVG
2009-02-06 19:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-28 12:16 <DIR> --d----- c:\program files\GoldWave525

==================== Find3M ====================

2009-02-07 11:37 34 a------- c:\documents and settings\owner\jagex_runescape_preferences.dat
2007-11-06 11:19 92,064 a------- c:\documents and settings\owner\mqdmmdm.sys
2007-11-06 11:19 79,328 a------- c:\documents and settings\owner\mqdmserd.sys
2007-11-06 11:19 66,656 a------- c:\documents and settings\owner\mqdmbus.sys
2007-11-06 11:19 25,600 a------- c:\documents and settings\owner\usbsermptxp.sys
2007-11-06 11:19 22,768 a------- c:\documents and settings\owner\usbsermpt.sys
2007-11-06 11:19 9,232 a------- c:\documents and settings\owner\mqdmmdfl.sys
2007-11-06 11:19 6,208 a------- c:\documents and settings\owner\mqdmcmnt.sys
2007-11-06 11:19 5,936 a------- c:\documents and settings\owner\mqdmwhnt.sys
2007-11-06 11:19 4,048 a------- c:\documents and settings\owner\mqdmcr.sys
2004-12-03 11:50 67 a------- c:\program files\rem_cdk.bat

============= FINISH: 16:34:42.85 ===============

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 19 February 2009 - 02:48 AM

Please download Dr.Web CureIt to the Desktop:
  • Please reboot into Safe Mode
  • Once you are in Safe Mode, double-click the launch.exe or cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, please do a re-scan. This time, choose Complete Scan
  • Click the green arrow button at the right, and the scan will start.
  • After the scan has finished, click Select all
  • Click on Cure and choose Move incurable
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your Desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (open it with Notepad)

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 Wisconsin Charlie

Wisconsin Charlie
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:03:53 PM

Posted 19 February 2009 - 08:51 PM

Hi,

When DrWeb was done scanning, I pressed "cure" and "move" as you said. Then, the buttons went gray. After a while, there was still no action, and nothing saying it was done, so I closed it and here's the log file:

------------------------------

Install_AIM.exe\data041;C:\Documents and Settings\Owner\Desktop\FILES\Stephanies Stuff\Install_AIM.exe;Adware.Aws;;
Install_AIM.exe;C:\Documents and Settings\Owner\Desktop\FILES\Stephanies Stuff;Archive contains infected objects;Moved.;
ComboFix.exe/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Owner\Desktop\Security & Repair\ComboFix.exe/data002;Probably BATCH.Virus;;
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Owner\Desktop\Security & Repair\ComboFix.exe/data002;Program.PsExec.171;;
data002;C:\Documents and Settings\Owner\Desktop\Security & Repair;Archive contains infected objects;;
ComboFix.exe;C:\Documents and Settings\Owner\Desktop\Security & Repair;Container contains infected objects;Moved.;
SDFix.exe\SDFix\apps\Process.exe;C:\Documents and Settings\Owner\Desktop\Security & Repair\SDFix.exe;Tool.Prockill;;
SDFix.exe;C:\Documents and Settings\Owner\Desktop\Security & Repair;Archive contains infected objects;Moved.;
6D952C06d01/data002\32788R22FWJFW\c.bat;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\g0m0w9d9.default\Cache\6D952C06d01/dat;Probably BATCH.Virus;;
6D952C06d01/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\g0m0w9d9.default\Cache\6D952C06d01/dat;Program.PsExec.171;;
data002;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\g0m0w9d9.default\Cache;Archive contains infected objects;;
6D952C06d01;C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\g0m0w9d9.default\Cache;Container contains infected objects;Moved.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
dekoleha.dll.tmp.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
fijiveni.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.80;Deleted.;
huwakalu.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1615;Deleted.;
judinoyo.dll.tmp.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.DownLoad.12946;Deleted.;
julasati.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.77;Deleted.;
nereteva.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Juan.80;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0095784.dll;C:\System Volume Information\_restore{DBBE7F6B-5F4B-4AFC-B885-DF8304597503}\RP1182;Adware.nCase;Incurable.Moved.;
A0031368.exe\data008;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165\A0031368.exe;Program.FamKeylog;;
A0031368.exe\data010;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165\A0031368.exe;Program.FamKeylog;;
A0031368.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165;Archive contains infected objects;Moved.;
A0031369.exe\data008;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165\A0031369.exe;Program.FamKeylog;;
A0031369.exe\data010;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165\A0031369.exe;Program.FamKeylog;;
A0031369.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP165;Archive contains infected objects;Moved.;
A0040930.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP217;Trojan.PWS.Ageloc.15;Deleted.;
A0050290.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.KillApp.30208;Deleted.;
A0050296.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.DownLoader.origin;Incurable.Moved.;
A0050298.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;BackDoor.Nobrain.origin;Incurable.Moved.;
A0050302.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.Click.19776;Deleted.;
A0050308.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.DownLoad.4688;Deleted.;
A0050311.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.DownLoad.3499;Deleted.;
A0050314.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;BackDoor.Nobrain.origin;Incurable.Moved.;
A0050320.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.DownLoad.4689;Deleted.;
A0050322.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;BackDoor.Nobrain.284;Deleted.;
A0050326.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.DownLoad.7517;Deleted.;
A0050328.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.Click.20221;Deleted.;
A0050330.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.Virtumod.1534;Deleted.;
A0050331.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.Virtumod.1534;Deleted.;
A0050332.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;Trojan.Virtumod.1534;Deleted.;
A0052634.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP235;Trojan.Virtumod.1628;Deleted.;
A0052635.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP235;Trojan.Juan.77;Deleted.;
A0054665.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP244;Trojan.Siggen.568;Deleted.;
A0054666.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP244;Trojan.Juan.80;Deleted.;
A0055836.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP252;Trojan.Siggen.568;Deleted.;
A0055839.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP252;Trojan.Juan.80;Deleted.;
A0056876.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP258;Trojan.Virtumod.1615;Deleted.;
A0057976.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP260;Trojan.Virtumod.1534;Deleted.;
A0057982.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP260;Trojan.Virtumod.1534;Deleted.;
A0058988.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP260;Trojan.Click.19776;Deleted.;
A0058989.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP260;Trojan.Virtumod.1615;Deleted.;
A0059041.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP261;Trojan.Juan.80;Deleted.;
A0059042.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP261;Trojan.Virtumod.1615;Deleted.;
A0059044.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP261;Trojan.Juan.77;Deleted.;
A0059046.dll;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP261;Trojan.Juan.80;Deleted.;
A0059062.bat;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP261;Probably BATCH.Virus;Incurable.Moved.;
A0059077.EXE;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP261;Program.PsExec.170;Incurable.Moved.;
A0059212.bat;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264;Probably BATCH.Virus;Incurable.Moved.;
A0059227.EXE;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264;Program.PsExec.170;Incurable.Moved.;
A0059299.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264;Tool.Prockill;Incurable.Moved.;
A0060225.exe\data041;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264\A0060225.exe;Adware.Aws;;
A0060225.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264;Archive contains infected objects;Moved.;
A0060227.exe\SDFix\apps\Process.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264\A0060227.exe;Tool.Prockill;;
A0060227.exe;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264;Archive contains infected objects;Moved.;
tmp0_174968693134.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_192363621840.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_233677361238.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_234838657779.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_272949148517.bk.old;C:\WINDOWS\system32;Trojan.Siggen.377;Deleted.;
tmp0_347377730155.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.105;Deleted.;
tmp0_409450619989.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.105;Deleted.;
tmp0_45343851636.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_45960865707.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_469827152632.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_49344536063.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_4996571459.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_501690253596.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_548162516231.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_557210827258.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_585123473109.bk.old;C:\WINDOWS\system32;Trojan.Click.20458;Deleted.;
tmp0_61106661221.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_614262658913.bk.old;C:\WINDOWS\system32;Trojan.Click.20458;Deleted.;
tmp0_684048387965.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_789438215656.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_82996844275.bk.old;C:\WINDOWS\system32;Trojan.Click.23396;Deleted.;
tmp0_832524331541.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_865984187794.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp0_898630322588.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.356;Deleted.;
tmp2_428013515393.bk.old;C:\WINDOWS\system32;Trojan.Click.23396;Deleted.;
KillWind.exe;M:\DATA BACKUP\hp\bin;Tool.ProcessKill;Incurable.Moved.;
Install_AIM.exe\data041;M:\DATA BACKUP\I386\Desktop\FILES\Stephanies Stuff\Install_AIM.exe;Adware.Aws;;
Install_AIM.exe;M:\DATA BACKUP\I386\Desktop\FILES\Stephanies Stuff;Archive contains infected objects;Moved.;
A0060253.exe\data041;M:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264\A0060253.exe;Adware.Aws;;
A0060253.exe;M:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP264;Archive contains infected objects;Moved.;

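An added example, not from the original thread and not Dr.Web's own code: a small Python script that parses the DrWeb.csv layout posted above (object;directory;threat;action;) and sorts the hits into live-system malware, restore-point copies, quarantine folders and tool/heuristic detections, so a reader can see which of the many lines actually need attention. The sample lines are copied from the report above and embedded so it runs offline; the folder rules, threat-prefix rules and field names are the example's own assumptions.

```python
"""Triage a Dr.Web CureIt report in the DrWeb.csv layout (object;directory;threat;action;).
Nested archive members carry the archive name in the object field and an empty action;
the enclosing archive then gets its own 'Archive/Container contains...' summary line."""

from collections import Counter

# Sample lines copied from the report above (embedded so the script runs offline).
SAMPLE_REPORT = r"""
ComboFix.exe/data002\32788R22FWJFW\psexec.cfexe;C:\Documents and Settings\Owner\Desktop\Security & Repair\ComboFix.exe/data002;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Owner\Desktop\Security & Repair;Container contains infected objects;Moved.;
huwakalu.dll.vir;C:\Qoobox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod.1615;Deleted.;
A0050298.sys;C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP229;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_174968693134.bk.old;C:\WINDOWS\system32;BackDoor.Nobrain.origin;Incurable.Moved.;
tmp0_272949148517.bk.old;C:\WINDOWS\system32;Trojan.Siggen.377;Deleted.;
KillWind.exe;C:\hp\bin;Tool.ProcessKill;Incurable.Moved.;
"""

def parse_report(text):
    """Split each report line into its four fields; a missing action becomes ''."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split(";")
        if len(fields) < 3:
            continue                      # blank or malformed line
        fields += [""] * (4 - len(fields))
        obj, directory, threat, action = fields[:4]
        records.append({"object": obj, "directory": directory,
                        "threat": threat, "action": action})
    return records

def classify_location(directory):
    """Where the hit lives decides how urgent it is (folder rules are assumptions)."""
    d = directory.lower()
    if "\\system volume information\\" in d:
        return "restore_point"   # old System Restore snapshot, only revived by a restore
    if "\\qoobox\\quarantine" in d or "\\vundofix backups" in d:
        return "quarantine"      # copies already isolated by ComboFix / VundoFix
    return "live"

def classify_threat(threat):
    """Dr.Web name prefixes: Tool./Program. are riskware classes, 'Probably' is heuristic."""
    t = threat.lower()
    if t.startswith(("archive contains", "container contains")):
        return "container"       # summary for nested hits, not a finding of its own
    if t.startswith(("tool.", "program.", "probably ")):
        return "riskware"        # PsExec, process killers, heuristics: verify before acting
    return "malware"

def triage(report_text):
    """Return (all records, hit count per location, live-system malware records)."""
    records = parse_report(report_text)
    by_location = Counter()
    live_malware = []
    for rec in records:
        rec["location"] = classify_location(rec["directory"])
        rec["category"] = classify_threat(rec["threat"])
        by_location[rec["location"]] += 1
        if rec["location"] == "live" and rec["category"] == "malware":
            live_malware.append(rec)
    return records, by_location, live_malware

if __name__ == "__main__":
    records, by_location, live_malware = triage(SAMPLE_REPORT)
    print("hits per location:", dict(by_location))
    for rec in live_malware:   # these are the lines worth a second look
        print(f"LIVE {rec['directory']}\\{rec['object']}: {rec['threat']} -> {rec['action'] or 'no action'}")
```

On the full report above the same rules show most lines sitting in System Restore snapshots or the ComboFix quarantine, with the live hits concentrated in the tmp0_*.bk.old files under C:\WINDOWS\system32.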
#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 20 February 2009 - 05:26 AM

Let's do another scan, just to make sure we got them all.

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :)



#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 20 February 2009 - 05:27 AM

