Some Viruses affecting computer! HELP <log>


  • This topic is locked
8 replies to this topic

#1 NBarkan (Members, 42 posts)

Posted 16 February 2009 - 03:17 PM

I'm not exactly sure which viruses I have. I read that Virtumond/e causes random pop-ups and Google/search engine issues. As well, Spybot keeps popping up with a browser helper object: Entry: {656956f4-40f8-9294-129d25bf2104} (as well as other ones). If anybody could assist me, here is my ComboFix txt file. Thanks in advance!

ComboFix 09-02-15.01 - Nick 2009-02-16 13:58:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.556 [GMT -6:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\BM4f2c9ecb.txt
c:\windows\BM4f2c9ecb.xml
c:\windows\IE4 Error Log.txt
c:\windows\system32\998.exe
c:\windows\system32\aopmfs.dll
c:\windows\system32\awtqnomm.dll
c:\windows\system32\awtsQjHa.dll
c:\windows\system32\awtutroM.dll
c:\windows\system32\beeroz.dll
c:\windows\system32\bhzwnv.dll
c:\windows\system32\bmoxyh.dll
c:\windows\system32\byXPFYOE.dll
c:\windows\system32\byXPHbCV.dll
c:\windows\system32\byXQJDsR.dll
c:\windows\system32\cbXPfETk.dll
c:\windows\system32\cbXPJAQj.dll
c:\windows\system32\cbXRIxVP.dll
c:\windows\system32\cbXRJDVN.dll
c:\windows\system32\cgndbu.dll
c:\windows\system32\dbxwoq.dll
c:\windows\system32\ddcAssQj.dll
c:\windows\system32\drivers\senekajphdkxew.sys
c:\windows\system32\drivers\senekaswjylmfw.sys
c:\windows\system32\efcBrSKD.dll
c:\windows\system32\efcCuRlM.dll
c:\windows\system32\ekgxdg.dll
c:\windows\system32\fccaApMd.dll
c:\windows\system32\fccaBQJd.dll
c:\windows\system32\fmxkqd.dll
c:\windows\system32\fpnpux.dll
c:\windows\system32\frmwrk32.exe
c:\windows\system32\fxyenx.dll
c:\windows\system32\geBqPIyX.dll
c:\windows\system32\geBRiigd.dll
c:\windows\system32\geBuUlKA.dll
c:\windows\system32\gohhby.dll
c:\windows\system32\gveuig.dll
c:\windows\system32\hczzni.dll
c:\windows\system32\hgGVppNg.dll
c:\windows\system32\hgGvwvWm.dll
c:\windows\system32\hgGwTlKe.dll
c:\windows\system32\hgGwVLDu.dll
c:\windows\system32\hgGwXnNe.dll
c:\windows\system32\hgGyyvsr.dll
c:\windows\system32\hjaijg.dll
c:\windows\system32\hnhuaj.dll
c:\windows\system32\iibkel.dll
c:\windows\system32\iifebXPj.dll
c:\windows\system32\iiffCsRI.dll
c:\windows\system32\jkkIAsPI.dll
c:\windows\system32\jkkKbBRI.dll
c:\windows\system32\jkkLFvvv.dll
c:\windows\system32\jnaeni.dll
c:\windows\system32\jonvgh.dll
c:\windows\system32\khfEwtQk.dll
c:\windows\system32\khfFYSll.dll
c:\windows\system32\kmifae.dll
c:\windows\system32\ljJCsrSi.dll
c:\windows\system32\ljJYSjHB.dll
c:\windows\system32\lsvgon.dll
c:\windows\system32\ltxcto.dll
c:\windows\system32\mcnrqb.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mlJCUkLc.dll
c:\windows\system32\mrxtlb.dll
c:\windows\system32\msxllz.dll
c:\windows\system32\mwspje.dll
c:\windows\system32\mzsnkb.dll
c:\windows\system32\mzzwek.dll
c:\windows\system32\ndnysi.dll
c:\windows\system32\nhsxaz.dll
c:\windows\system32\nnraln.dll
c:\windows\system32\npripn.dll
c:\windows\system32\nuylcq.dll
c:\windows\system32\ojfthr.dll
c:\windows\system32\opnlIabx.dll
c:\windows\system32\opnlJaXO.dll
c:\windows\system32\opnlLDVo.dll
c:\windows\system32\opnMfdbA.dll
c:\windows\system32\oqgwel.dll
c:\windows\system32\pmnOFYpn.dll
c:\windows\system32\pmnoMecc.dll
c:\windows\system32\pmnoNFvV.dll
c:\windows\system32\ptthdy.dll
c:\windows\system32\qfumot.dll
c:\windows\system32\qljupp.dll
c:\windows\system32\qwsmvs.dll
c:\windows\system32\qznolk.dll
c:\windows\system32\rahall.dll
c:\windows\system32\rbbrtt.dll
c:\windows\system32\rkykik.dll
c:\windows\system32\rrjgbc.dll
c:\windows\system32\senekabommtqod.dll
c:\windows\system32\senekajeyuyteb.dat
c:\windows\system32\senekamrmyiqxo.dll
c:\windows\system32\senekaorjbitbu.dat
c:\windows\system32\senekavyxjkvdk.dat
c:\windows\system32\senekaybbyreaq.dat
c:\windows\system32\senekayxuwqpsm.dll
c:\windows\system32\sjrjjk.dll
c:\windows\system32\swpzpd.dll
c:\windows\system32\tuvTmNdA.dll
c:\windows\system32\tuvUMeEX.dll
c:\windows\system32\tuvvTLFw.dll
c:\windows\system32\txerth.dll
c:\windows\system32\ulkhvv.dll
c:\windows\system32\urqNFvuU.dll
c:\windows\system32\urqOHXqO.dll
c:\windows\system32\urqPhiIC.dll
c:\windows\system32\urqPiFXO.dll
c:\windows\system32\vfviwh.dll
c:\windows\system32\vlipwv.dll
c:\windows\system32\vqdmwm.dll
c:\windows\system32\vtUnomjh.dll
c:\windows\system32\winlogon2.exe
c:\windows\system32\wljvja.dll
c:\windows\system32\wvUlkLFw.dll
c:\windows\system32\wvUlmLCs.dll
c:\windows\system32\wvUmjJby.dll
c:\windows\system32\wvUmkiHW.dll
c:\windows\system32\wvUmklmJ.dll
c:\windows\system32\xehxfx.dll
c:\windows\system32\xlfhuz.dll
c:\windows\system32\xosxck.dll
c:\windows\system32\xrmkip.dll
c:\windows\system32\xxatri.dll
c:\windows\system32\xxyvtrQG.dll
c:\windows\system32\xxyxWQGw.dll
c:\windows\system32\yayvTlmN.dll
c:\windows\system32\yayvWpqQ.dll
c:\windows\system32\yayyXOeb.dll
c:\windows\system32\yayyYRIA.dll
c:\windows\system32\yxocsn.dll
c:\windows\system32\yxybfv.dll
c:\windows\system32\zlxflj.dll
c:\windows\system32\zvbith.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-01-16 to 2009-02-16 )))))))))))))))))))))))))))))))
.

2009-02-16 01:35 . 2009-02-16 01:35 <DIR> d--hs---- C:\found.000
2009-02-14 20:01 . 2009-02-14 20:01 36,352 --a------ c:\windows\system32\byXPGwvu.dll
2009-02-11 17:39 . 2009-02-11 17:39 <DIR> d-------- C:\VundoFix Backups
2009-02-11 12:56 . 2009-02-11 12:56 46,080 --------- c:\windows\system32\clickfile.exe
2009-02-11 12:56 . 2009-02-11 12:56 35,328 --a------ c:\windows\system32\geBuRKcy.dll
2009-02-11 11:33 . 2009-02-11 11:33 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-10 15:12 . 2009-02-10 15:12 456 --ah----- C:\aaw7boot.cmd
2009-02-10 14:37 . 2009-02-10 14:37 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-10 14:36 . 2009-02-10 14:36 <DIR> d-------- c:\program files\Lavasoft
2009-02-10 14:36 . 2009-02-10 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-10 14:36 . 2009-02-16 10:05 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-10 14:23 . 2009-02-10 14:40 <DIR> d-------- c:\program files\Windows Defender
2009-02-10 13:11 . 2009-02-10 13:12 121 ---hs---- c:\windows\system32\bggruocw.ini
2009-02-09 17:48 . 2009-02-09 17:50 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-09 17:48 . 2009-02-09 17:50 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-09 17:48 . 2009-02-09 17:50 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-09 17:48 . 2009-02-09 17:50 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-09 17:45 . 2009-02-09 17:50 <DIR> d-------- c:\program files\Symantec
2009-02-09 17:45 . 2009-02-09 17:53 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-09 17:45 . 2009-02-09 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 11:41 . 2002-08-13 06:09 684,032 --a------ c:\windows\system32\libeay32.dll
2009-02-05 11:41 . 2002-08-13 06:10 155,648 --a------ c:\windows\system32\ssleay32.dll
2009-02-04 20:58 . 2009-02-04 20:58 <DIR> d-------- C:\sp100v450
2009-02-04 19:12 . 2009-02-04 19:12 <DIR> d-------- c:\documents and settings\Nick\Application Data\SUPERAntiSpyware.com
2009-02-04 19:12 . 2009-02-04 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-04 19:08 . 2009-02-04 21:24 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-04 13:32 . 2009-02-16 14:04 4 --a------ c:\windows\zuiepkgp
2009-02-04 12:53 . 2009-02-04 13:06 1,716 --a------ c:\windows\vfnklaoz
2009-02-04 02:44 . 2009-02-04 02:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-02-04 02:43 . 2009-02-04 02:43 <DIR> d-------- c:\program files\Last.fm
2009-02-04 02:33 . 2009-02-04 02:44 <DIR> d-------- c:\program files\iTunes
2009-02-04 02:33 . 2009-02-04 02:33 <DIR> d-------- c:\program files\iPod
2009-02-04 02:33 . 2009-02-04 02:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 02:30 . 2009-02-04 02:30 <DIR> d-------- c:\program files\QuickTime
2009-02-03 01:00 . 2009-02-03 01:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\BlazeVideo
2009-02-03 00:59 . 2009-02-10 15:12 <DIR> d-------- c:\windows\HDTVPlayer
2009-02-03 00:59 . 2009-02-03 01:01 <DIR> d-------- c:\program files\HDTVPlayer
2009-01-21 16:19 . 2008-04-14 10:42 363,520 --a------ c:\windows\system32\psisdecd.dll
2009-01-21 16:19 . 2008-04-14 10:42 363,520 --a--c--- c:\windows\system32\dllcache\psisdecd.dll
2009-01-21 16:19 . 2008-04-14 10:42 56,832 --a------ c:\windows\system32\msdvbnp.ax
2009-01-21 16:19 . 2008-04-14 10:42 56,832 --a--c--- c:\windows\system32\dllcache\msdvbnp.ax
2009-01-21 16:19 . 2008-04-14 10:42 33,280 --a------ c:\windows\system32\psisrndr.ax
2009-01-21 16:19 . 2008-04-14 10:42 33,280 --a--c--- c:\windows\system32\dllcache\psisrndr.ax
2009-01-18 17:06 . 2009-01-18 17:06 123 --a------ c:\windows\rar_crck.ini
2009-01-18 17:05 . 2009-01-18 17:05 <DIR> d-------- c:\program files\Information Packaging
2009-01-18 17:05 . 1997-11-19 14:49 303,616 --a------ c:\windows\IsUninst.exe
2009-01-18 17:04 . 2009-01-18 17:04 <DIR> d-------- c:\documents and settings\Nick\WINDOWS
2009-01-18 17:02 . 2009-01-18 17:03 <DIR> d-------- c:\program files\RAR Password Cracker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-16 20:09 --------- d-----w c:\documents and settings\Nick\Application Data\Skype
2009-02-16 16:03 --------- d-----w c:\program files\Amazon
2009-02-16 16:03 --------- d-----w c:\documents and settings\Nick\Application Data\Amazon
2009-02-16 15:17 --------- d-----w c:\documents and settings\Nick\Application Data\skypePM
2009-02-06 17:11 --------- d-----w c:\documents and settings\Nick\Application Data\LimeWire
2009-02-05 03:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-25 23:14 --------- d-----w c:\program files\LimeWire
2008-12-09 03:43 107,848 ----a-w c:\windows\system32\SymVPN.dll
2008-12-09 03:42 49,480 ----a-w c:\windows\system32\FwsVpn.dll
2008-08-17 17:49 724,984 ----a-w c:\documents and settings\Nick\gotomypc_437.exe
2008-08-19 06:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-11 12:56 35328 --a------ c:\windows\system32\geBuRKcy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 16:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 16:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"Sticky Pad"="c:\program files\StickyPad\StickyPad.exe" [2007-04-23 528441]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-03 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-03 77824]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-05 1589248]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\geBuRKcy.dll" [2009-02-11 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 15:50 90112 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuRKcy]
2009-02-11 12:56 35328 c:\windows\system32\geBuRKcy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-24 14:08 289088 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 01:49 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-12-29 13:21 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-09 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-16 99376]
S0 zuiepkgp;zuiepkgp;c:\windows\system32\drivers\izdjkwvb.sys []
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-04-09 20160]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-08-27 31872]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2009-02-10 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-11 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 10:43]
.
- - - - ORPHANS REMOVED - - - -

BHO-{663F13FA-DAE0-4E53-A6D2-EE26F2DF9568} - (no file)
BHO-{9634313B-B23D-41C0-A09C-7A10E8E97C69} - (no file)
BHO-{9a4766a4-f07d-4bfc-acc4-64f865ffd70d} - (no file)
BHO-{D310DF36-DCA9-477A-8B21-EE20A3EF7272} - (no file)
BHO-{EAB15366-0E81-476D-83CC-1052FDF017C8} - (no file)
BHO-{F305D0A7-3230-4915-B5F5-8655D7F37841} - (no file)
HKLM-Run-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
Notify-ddcCSMeE - ddcCSMeE.dll
Notify-khfEVPHb - khfEVPHb.dll
SafeBoot-Symantec Antvirus
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-AppleSyncNotifier - c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-16 14:06:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\izdjkwvb.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(884)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\windows\system32\geBuRKcy.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(944)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll

- - - - - - - > 'explorer.exe'(644)
c:\program files\Protector Suite QL\farchns.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\windows\system32\igfxext.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-02-16 14:13:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-16 20:13:27

Pre-Run: 64,905,338,880 bytes free
Post-Run: 65,094,541,312 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=4 LastKnownGood=3 Sets=1,2,3,4
412 --- E O F --- 2009-01-15 09:02:54

#2 fenzodahl512 (Members, 6,738 posts)

Posted 18 February 2009 - 07:10 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
zuiepkgp

Rootkit::
c:\windows\system32\drivers\izdjkwvb.sys

File::
c:\windows\system32\byXPGwvu.dll
c:\windows\system32\geBuRKcy.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuRKcy]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

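Reading the two posts above together: the first log shows the classic Vundo persistence triad (one DLL, geBuRKcy.dll, registered as a Browser Helper Object, a ShellExecuteHook and a Winlogon Notify package, plus a driver whose image ComboFix could not read and catchme reported as hidden), and the reply shows the CFScript layout used to remove exactly those items. The Python below is an added example, not part of the thread and not ComboFix's own code: it walks a log excerpt, flags those indicators, and drafts a CFScript in the same KillAll::/Driver::/Rootkit::/File::/Registry:: layout. Its three heuristics are my assumptions, not ComboFix rules: an 8-letter mixed-case DLL stem under system32 is treated as a random Vundo-style name; a driver line whose trailing bracket is empty (`[]`) points at an image ComboFix could not stat; a catchme "N bytes executable" line is a hidden file. The sample lines are copied from the first log; the `~` key abbreviation is reproduced as the helper wrote it, since the page does not document ComboFix's script grammar. The draft is for a human to review before use, not to feed to ComboFix unread.

```python
"""Triage a ComboFix log excerpt and draft a CFScript from what it finds.
Heuristics are assumptions for illustration, not ComboFix rules: an 8-letter
mixed-case DLL stem under system32 (geBuRKcy) is treated as a Vundo-style
random name; a driver line with an empty trailing [] bracket has an image
ComboFix could not read; a catchme "N bytes executable" line is hidden."""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the first ComboFix log in this thread.
SAMPLE_LOG = r"""
2009-02-14 20:01 . 2009-02-14 20:01 36,352 --a------ c:\windows\system32\byXPGwvu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2009-02-11 12:56 35328 --a------ c:\windows\system32\geBuRKcy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\geBuRKcy.dll" [2009-02-11 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 15:50 90112 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBuRKcy]
2009-02-11 12:56 35328 c:\windows\system32\geBuRKcy.dll

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
S0 zuiepkgp;zuiepkgp;c:\windows\system32\drivers\izdjkwvb.sys []
c:\windows\system32\drivers\izdjkwvb.sys 25088 bytes executable
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=')
PATH_RE = re.compile(r'([a-z]:\\[^"\[\]]+?\.(?:dll|exe|sys))(?=["\s]|$)', re.I)
DRIVER_RE = re.compile(r"^[RS][0-4] (?P<svc>[^;]+);[^;]*;(?P<img>.+?) \[(?P<info>[^\]]*)\]$")
HIDDEN_RE = re.compile(r"^(?P<path>[a-z]:\\\S+) \d+ bytes executable$", re.I)


def looks_random(path):
    # Assumed Vundo naming pattern: exactly 8 letters, mixed case, under system32.
    p = PureWindowsPath(path)
    if "system32" not in [part.lower() for part in p.parent.parts]:
        return False
    stem = p.stem
    return (re.fullmatch(r"[A-Za-z]{8}", stem) is not None
            and sum(c.isupper() for c in stem) >= 2
            and sum(c.islower() for c in stem) >= 2)


def triage(log_text):
    """One pass over the log: random-named DLLs, registry loading points, unreadable drivers, hidden files."""
    f = {"random_dlls": {}, "loading_points": [], "drivers": [], "hidden": []}
    key = None                      # registry key whose value lines we are reading
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            key = None              # a blank line ends the current key block
            continue
        if m := KEY_RE.match(line):
            key = m.group("key")
            continue
        if m := DRIVER_RE.match(line):
            if m.group("info") == "":           # "[]": ComboFix could not stat the image
                f["drivers"].append((m.group("svc"), m.group("img")))
            continue
        if m := HIDDEN_RE.match(line):          # catchme output
            f["hidden"].append(m.group("path"))
            continue
        for path in PATH_RE.findall(line):
            if looks_random(path):
                f["random_dlls"][path.lower()] = path
            if key is not None:                 # a file referenced from an autostart key
                vm = VALUE_RE.match(line)
                f["loading_points"].append((key, vm.group("name") if vm else None, path))
    return f


def build_cfscript(f):
    """Emit the KillAll/Driver/Rootkit/File/Registry layout used in the reply above."""
    registry = []
    for key, name, path in f["loading_points"]:
        if path.lower() not in f["random_dlls"]:
            continue
        if name is None:
            registry.append(f"[-{key}]")        # the key is the item itself (BHO\{CLSID}, notify\<name>)
        else:
            registry.append(f"[{key}]")         # shared key: delete only the offending value
            registry.append(f'"{name}"=-')
    sections = [("KillAll::", []), ("Driver::", [svc for svc, _ in f["drivers"]]),
                ("Rootkit::", sorted(set(f["hidden"]), key=str.lower)),
                ("File::", sorted(f["random_dlls"].values(), key=str.lower)),
                ("Registry::", registry)]
    out = []
    for header, body in sections:
        out.extend([header, *body, ""])
    return "\n".join(out).rstrip("\n") + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run against the sample, the draft reproduces the helper's script line for line: `zuiepkgp` under Driver::, `izdjkwvb.sys` under Rootkit::, both random-named DLLs under File::, and the BHO key, the ShellExecuteHooks value and the Winlogon Notify key under Registry::. The name heuristic is deliberately narrow; the all-lowercase six-letter DLLs in the first log's "Other Deletions" list would not be caught by it, which is why the loading-point and catchme checks carry most of the weight.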


#3 NBarkan (Topic Starter, Members, 42 posts)

Posted 18 February 2009 - 11:13 AM

ComboFix 09-02-17.02 - Nick 2009-02-18 10:01:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.291 [GMT -6:00]
Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Nick\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\byXPGwvu.dll
c:\windows\system32\geBuRKcy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\aumxvi.dll
c:\windows\system32\awtrSkHB.dll
c:\windows\system32\bggruocw.ini
c:\windows\system32\drivers\izdjkwvb.sys
c:\windows\system32\endmjx.dll
c:\windows\system32\rqRHaXRi.dll
c:\windows\system32\tmlaxm.dll
c:\windows\system32\ttrgfq.dll
c:\windows\system32\ubvtfz.dll
c:\windows\system32\urqNDSIC.dll
c:\windows\system32\vhvfxm.dll
c:\windows\system32\wvUnMdCv.dll
c:\windows\system32\xxyxYppo.dll
c:\windows\system32\yayaWPHb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZUIEPKGP
-------\Service_zuiepkgp


((((((((((((((((((((((((( Files Created from 2009-01-18 to 2009-02-18 )))))))))))))))))))))))))))))))
.

2009-02-16 20:28 . 2008-04-13 19:11 52,224 --a------ c:\windows\system32\dmutil.dll
2009-02-16 20:28 . 2008-04-13 19:11 52,224 --a--c--- c:\windows\system32\dllcache\dmutil.dll
2009-02-16 20:28 . 2008-04-13 19:12 35,328 --a------ c:\windows\system32\pid.dll
2009-02-16 20:28 . 2008-04-13 19:12 35,328 --a--c--- c:\windows\system32\dllcache\pid.dll
2009-02-16 14:10 . 2009-02-16 14:10 <DIR> d-------- c:\windows\system32\LogFiles
2009-02-16 01:35 . 2009-02-16 01:35 <DIR> d--hs---- C:\found.000
2009-02-11 17:39 . 2009-02-11 17:39 <DIR> d-------- C:\VundoFix Backups
2009-02-11 12:56 . 2009-02-11 12:56 46,080 --------- c:\windows\system32\clickfile.exe
2009-02-11 12:56 . 2009-02-11 12:56 35,328 --a------ c:\windows\system32\geBuRKcy.dll_old
2009-02-11 11:33 . 2009-02-11 11:33 <DIR> d--h----- c:\windows\system32\GroupPolicy
2009-02-10 15:12 . 2009-02-10 15:12 456 --ah----- C:\aaw7boot.cmd
2009-02-10 14:37 . 2009-02-10 14:37 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-02-10 14:36 . 2009-02-10 14:36 <DIR> d-------- c:\program files\Lavasoft
2009-02-10 14:36 . 2009-02-10 14:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-10 14:36 . 2009-02-16 10:05 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-10 14:23 . 2009-02-10 14:40 <DIR> d-------- c:\program files\Windows Defender
2009-02-09 17:48 . 2009-02-09 17:50 123,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-09 17:48 . 2009-02-09 17:50 60,800 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-09 17:48 . 2009-02-09 17:50 10,563 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-09 17:48 . 2009-02-09 17:50 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-09 17:45 . 2009-02-09 17:50 <DIR> d-------- c:\program files\Symantec
2009-02-09 17:45 . 2009-02-09 17:53 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-09 17:45 . 2009-02-09 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-02-05 11:41 . 2002-08-13 06:09 684,032 --a------ c:\windows\system32\libeay32.dll
2009-02-05 11:41 . 2002-08-13 06:10 155,648 --a------ c:\windows\system32\ssleay32.dll
2009-02-04 20:58 . 2009-02-04 20:58 <DIR> d-------- C:\sp100v450
2009-02-04 19:12 . 2009-02-04 19:12 <DIR> d-------- c:\documents and settings\Nick\Application Data\SUPERAntiSpyware.com
2009-02-04 19:12 . 2009-02-04 19:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-04 19:08 . 2009-02-04 21:24 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-04 13:32 . 2009-02-18 10:05 4 --a------ c:\windows\zuiepkgp
2009-02-04 12:53 . 2009-02-04 13:06 1,716 --a------ c:\windows\vfnklaoz
2009-02-04 02:44 . 2009-02-04 02:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Last.fm
2009-02-04 02:43 . 2009-02-04 02:43 <DIR> d-------- c:\program files\Last.fm
2009-02-04 02:33 . 2009-02-04 02:44 <DIR> d-------- c:\program files\iTunes
2009-02-04 02:33 . 2009-02-04 02:33 <DIR> d-------- c:\program files\iPod
2009-02-04 02:33 . 2009-02-04 02:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-02-04 02:30 . 2009-02-04 02:30 <DIR> d-------- c:\program files\QuickTime
2009-02-03 01:00 . 2009-02-03 01:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\BlazeVideo
2009-02-03 00:59 . 2009-02-10 15:12 <DIR> d-------- c:\windows\HDTVPlayer
2009-02-03 00:59 . 2009-02-03 01:01 <DIR> d-------- c:\program files\HDTVPlayer
2009-01-21 16:19 . 2008-04-14 10:42 363,520 --a------ c:\windows\system32\psisdecd.dll
2009-01-21 16:19 . 2008-04-14 10:42 363,520 --a--c--- c:\windows\system32\dllcache\psisdecd.dll
2009-01-21 16:19 . 2008-04-14 10:42 56,832 --a------ c:\windows\system32\msdvbnp.ax
2009-01-21 16:19 . 2008-04-14 10:42 56,832 --a--c--- c:\windows\system32\dllcache\msdvbnp.ax
2009-01-21 16:19 . 2008-04-14 10:42 33,280 --a------ c:\windows\system32\psisrndr.ax
2009-01-21 16:19 . 2008-04-14 10:42 33,280 --a--c--- c:\windows\system32\dllcache\psisrndr.ax
2009-01-18 17:06 . 2009-01-18 17:06 123 --a------ c:\windows\rar_crck.ini
2009-01-18 17:05 . 2009-01-18 17:05 <DIR> d-------- c:\program files\Information Packaging
2009-01-18 17:05 . 1997-11-19 14:49 303,616 --a------ c:\windows\IsUninst.exe
2009-01-18 17:04 . 2009-01-18 17:04 <DIR> d-------- c:\documents and settings\Nick\WINDOWS
2009-01-18 17:02 . 2009-01-18 17:03 <DIR> d-------- c:\program files\RAR Password Cracker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-18 16:09 --------- d-----w c:\documents and settings\Nick\Application Data\skypePM
2009-02-18 15:49 --------- d-----w c:\documents and settings\Nick\Application Data\Skype
2009-02-17 04:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 02:51 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-02-17 02:44 --------- d-----w c:\program files\StickyPad
2009-02-16 16:03 --------- d-----w c:\program files\Amazon
2009-02-16 16:03 --------- d-----w c:\documents and settings\Nick\Application Data\Amazon
2009-02-06 17:11 --------- d-----w c:\documents and settings\Nick\Application Data\LimeWire
2009-02-05 03:25 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-25 23:14 --------- d-----w c:\program files\LimeWire
2008-08-17 17:49 724,984 ----a-w c:\documents and settings\Nick\gotomypc_437.exe
2008-08-19 06:42 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008081920080820\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-16_14.11.23.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-16 20:38:34 124,928 -c----w c:\windows\ie7updates\KB961260-IE7\advpack.dll
+ 2008-10-16 20:38:34 347,136 -c----w c:\windows\ie7updates\KB961260-IE7\dxtmsft.dll
+ 2008-10-16 20:38:34 214,528 -c----w c:\windows\ie7updates\KB961260-IE7\dxtrans.dll
+ 2008-10-16 20:38:35 133,120 -c----w c:\windows\ie7updates\KB961260-IE7\extmgr.dll
+ 2008-10-16 20:38:35 63,488 -c----w c:\windows\ie7updates\KB961260-IE7\icardie.dll
+ 2008-10-16 13:11:09 70,656 -c----w c:\windows\ie7updates\KB961260-IE7\ie4uinit.exe
+ 2008-10-16 20:38:35 153,088 -c----w c:\windows\ie7updates\KB961260-IE7\ieakeng.dll
+ 2008-10-16 20:38:35 230,400 -c----w c:\windows\ie7updates\KB961260-IE7\ieaksie.dll
+ 2008-10-15 07:04:53 161,792 -c----w c:\windows\ie7updates\KB961260-IE7\ieakui.dll
+ 2008-10-16 20:38:35 383,488 -c----w c:\windows\ie7updates\KB961260-IE7\ieapfltr.dll
+ 2008-10-16 20:38:35 384,512 -c----w c:\windows\ie7updates\KB961260-IE7\iedkcs32.dll
+ 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\ie7updates\KB961260-IE7\ieframe.dll
+ 2008-10-16 20:38:37 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\iernonce.dll
+ 2008-10-16 20:38:37 267,776 -c----w c:\windows\ie7updates\KB961260-IE7\iertutil.dll
+ 2008-10-16 13:11:09 13,824 -c----w c:\windows\ie7updates\KB961260-IE7\ieudinit.exe
+ 2008-10-15 07:06:26 633,632 -c----w c:\windows\ie7updates\KB961260-IE7\iexplore.exe
+ 2008-10-16 20:38:37 27,648 -c----w c:\windows\ie7updates\KB961260-IE7\jsproxy.dll
+ 2008-10-16 20:38:37 459,264 -c----w c:\windows\ie7updates\KB961260-IE7\msfeeds.dll
+ 2008-10-16 20:38:37 52,224 -c----w c:\windows\ie7updates\KB961260-IE7\msfeedsbs.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\ie7updates\KB961260-IE7\mshtml.dll
+ 2008-10-16 20:38:38 477,696 -c----w c:\windows\ie7updates\KB961260-IE7\mshtmled.dll
+ 2008-10-16 20:38:38 193,024 -c----w c:\windows\ie7updates\KB961260-IE7\msrating.dll
+ 2008-10-16 20:38:39 671,232 -c----w c:\windows\ie7updates\KB961260-IE7\mstime.dll
+ 2008-10-16 20:38:39 102,912 -c----w c:\windows\ie7updates\KB961260-IE7\occache.dll
+ 2008-10-16 20:38:39 44,544 -c----w c:\windows\ie7updates\KB961260-IE7\pngfilt.dll
+ 2007-03-06 01:22:41 213,216 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w c:\windows\ie7updates\KB961260-IE7\spuninst\updspapi.dll
+ 2008-10-16 20:38:39 105,984 -c----w c:\windows\ie7updates\KB961260-IE7\url.dll
+ 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\ie7updates\KB961260-IE7\urlmon.dll
+ 2008-10-16 20:38:39 233,472 -c----w c:\windows\ie7updates\KB961260-IE7\webcheck.dll
+ 2008-10-16 20:38:40 826,368 -c----w c:\windows\ie7updates\KB961260-IE7\wininet.dll
- 2008-09-29 05:26:50 50,968 ----a-r c:\windows\Installer\{4AC3BEAD-0906-4676-BF85-12306330A66C}\_6FEFF9B68218417F98F549.exe
+ 2009-02-17 02:44:09 50,968 ----a-r c:\windows\Installer\{4AC3BEAD-0906-4676-BF85-12306330A66C}\_6FEFF9B68218417F98F549.exe
- 2008-09-29 05:26:50 50,968 ----a-r c:\windows\Installer\{4AC3BEAD-0906-4676-BF85-12306330A66C}\_BB8B2E7BA4AE3BD94F3F1E.exe
+ 2009-02-17 02:44:09 50,968 ----a-r c:\windows\Installer\{4AC3BEAD-0906-4676-BF85-12306330A66C}\_BB8B2E7BA4AE3BD94F3F1E.exe
- 2008-10-16 20:38:34 124,928 ----a-w c:\windows\system32\advpack.dll
+ 2008-12-20 23:15:11 124,928 ----a-w c:\windows\system32\advpack.dll
- 2008-10-16 20:38:34 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-12-20 23:15:11 124,928 -c----w c:\windows\system32\dllcache\advpack.dll
+ 2008-04-14 00:11:51 35,328 -c--a-w c:\windows\system32\dllcache\corpol.dll
+ 2008-04-14 00:12:16 15,360 -c--a-w c:\windows\system32\dllcache\ctfmon.exe
+ 2008-04-14 00:11:52 57,856 -c--a-w c:\windows\system32\dllcache\dot3cfg.dll
+ 2008-04-14 00:11:52 35,328 -c--a-w c:\windows\system32\dllcache\dpnhpast.dll
- 2008-10-16 20:38:34 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 -c----w c:\windows\system32\dllcache\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 -c----w c:\windows\system32\dllcache\dxtrans.dll
- 2008-10-16 20:38:35 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
+ 2008-12-20 23:15:13 133,120 -c----w c:\windows\system32\dllcache\extmgr.dll
- 2008-10-16 20:38:35 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
+ 2008-12-20 23:15:13 63,488 -c----w c:\windows\system32\dllcache\icardie.dll
- 2008-10-16 13:11:09 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 -c----w c:\windows\system32\dllcache\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 -c----w c:\windows\system32\dllcache\ieakeng.dll
- 2008-10-16 20:38:35 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 -c----w c:\windows\system32\dllcache\ieaksie.dll
- 2008-10-15 07:04:53 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
+ 2008-12-19 05:23:56 161,792 -c----w c:\windows\system32\dllcache\ieakui.dll
- 2008-10-16 20:38:35 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 -c----w c:\windows\system32\dllcache\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 -c----w c:\windows\system32\dllcache\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 -c----w c:\windows\system32\dllcache\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 -c----w c:\windows\system32\dllcache\ieframe.dll
- 2008-10-16 20:38:37 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
+ 2008-12-20 23:15:21 44,544 -c----w c:\windows\system32\dllcache\iernonce.dll
- 2008-10-16 20:38:37 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
+ 2008-12-20 23:15:22 267,776 -c----w c:\windows\system32\dllcache\iertutil.dll
- 2008-10-16 13:11:09 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 -c----w c:\windows\system32\dllcache\ieudinit.exe
- 2008-10-15 07:06:26 633,632 -c----w c:\windows\system32\dllcache\iexplore.exe
+ 2008-12-19 05:25:25 634,024 -c----w c:\windows\system32\dllcache\iexplore.exe
- 2008-10-16 20:38:37 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 -c----w c:\windows\system32\dllcache\jsproxy.dll
+ 2008-04-14 00:11:56 35,328 -c--a-w c:\windows\system32\dllcache\mciqtz32.dll
- 2008-10-16 20:38:37 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 -c----w c:\windows\system32\dllcache\msfeeds.dll
- 2008-10-16 20:38:37 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
+ 2008-12-20 23:15:24 52,224 -c----w c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-10-16 20:38:38 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 -c----w c:\windows\system32\dllcache\mshtmled.dll
- 2008-10-16 20:38:38 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
+ 2008-12-20 23:15:31 193,024 -c----w c:\windows\system32\dllcache\msrating.dll
- 2008-10-16 20:38:39 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
+ 2008-12-20 23:15:32 671,232 -c----w c:\windows\system32\dllcache\mstime.dll
- 2008-10-16 20:38:39 102,912 -c----w c:\windows\system32\dllcache\occache.dll
+ 2008-12-20 23:15:38 102,912 -c----w c:\windows\system32\dllcache\occache.dll
- 2008-10-16 20:38:39 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 -c----w c:\windows\system32\dllcache\pngfilt.dll
+ 2008-04-14 00:12:07 34,816 -c--a-w c:\windows\system32\dllcache\ssdpapi.dll
+ 2008-04-14 00:12:07 57,856 -c--a-w c:\windows\system32\dllcache\synceng.dll
+ 2008-04-14 00:12:07 57,856 -c--a-w c:\windows\system32\dllcache\twext.dll
- 2008-10-16 20:38:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
+ 2008-12-20 23:15:39 105,984 -c----w c:\windows\system32\dllcache\url.dll
- 2008-10-16 20:38:39 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 -c----w c:\windows\system32\dllcache\urlmon.dll
- 2008-10-16 20:38:39 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
+ 2008-12-20 23:15:40 233,472 -c----w c:\windows\system32\dllcache\webcheck.dll
- 2008-10-16 20:38:40 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-12-20 23:15:41 826,368 -c----w c:\windows\system32\dllcache\wininet.dll
+ 2008-04-14 00:12:11 50,176 -c--a-w c:\windows\system32\dllcache\xmlprovi.dll
- 2008-10-16 20:38:34 347,136 ----a-w c:\windows\system32\dxtmsft.dll
+ 2008-12-20 23:15:12 347,136 ----a-w c:\windows\system32\dxtmsft.dll
- 2008-10-16 20:38:34 214,528 ----a-w c:\windows\system32\dxtrans.dll
+ 2008-12-20 23:15:13 214,528 ----a-w c:\windows\system32\dxtrans.dll
- 2008-10-16 20:38:35 133,120 ------w c:\windows\system32\extmgr.dll
+ 2008-12-20 23:15:13 133,120 ------w c:\windows\system32\extmgr.dll
- 2008-10-16 20:38:35 63,488 ----a-w c:\windows\system32\icardie.dll
+ 2008-12-20 23:15:13 63,488 ----a-w c:\windows\system32\icardie.dll
- 2008-10-16 13:11:09 70,656 ------w c:\windows\system32\ie4uinit.exe
+ 2008-12-19 09:10:15 70,656 ------w c:\windows\system32\ie4uinit.exe
- 2008-10-16 20:38:35 153,088 ------w c:\windows\system32\ieakeng.dll
+ 2008-12-20 23:15:14 153,088 ------w c:\windows\system32\ieakeng.dll
- 2008-10-16 20:38:35 230,400 ------w c:\windows\system32\ieaksie.dll
+ 2008-12-20 23:15:14 230,400 ------w c:\windows\system32\ieaksie.dll
- 2008-10-15 07:04:53 161,792 ------w c:\windows\system32\ieakui.dll
+ 2008-12-19 05:23:56 161,792 ------w c:\windows\system32\ieakui.dll
- 2008-10-16 20:38:35 383,488 ----a-w c:\windows\system32\ieapfltr.dll
+ 2008-12-20 23:15:15 383,488 ----a-w c:\windows\system32\ieapfltr.dll
- 2008-10-16 20:38:35 384,512 ------w c:\windows\system32\iedkcs32.dll
+ 2008-12-20 23:15:16 384,512 ------w c:\windows\system32\iedkcs32.dll
- 2008-10-16 20:38:37 6,066,176 ----a-w c:\windows\system32\ieframe.dll
+ 2008-12-20 23:15:21 6,066,688 ----a-w c:\windows\system32\ieframe.dll
- 2008-10-16 20:38:37 44,544 ------w c:\windows\system32\iernonce.dll
+ 2008-12-20 23:15:21 44,544 ------w c:\windows\system32\iernonce.dll
- 2008-10-16 20:38:37 267,776 ----a-w c:\windows\system32\iertutil.dll
+ 2008-12-20 23:15:22 267,776 ----a-w c:\windows\system32\iertutil.dll
- 2008-10-16 13:11:09 13,824 ----a-w c:\windows\system32\ieudinit.exe
+ 2008-12-19 09:10:15 13,824 ----a-w c:\windows\system32\ieudinit.exe
- 2008-10-16 20:38:37 27,648 ----a-w c:\windows\system32\jsproxy.dll
+ 2008-12-20 23:15:23 27,648 ----a-w c:\windows\system32\jsproxy.dll
- 2008-10-16 20:38:37 459,264 ----a-w c:\windows\system32\msfeeds.dll
+ 2008-12-20 23:15:23 459,264 ----a-w c:\windows\system32\msfeeds.dll
- 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2009-01-17 03:35:14 3,594,752 ----a-w c:\windows\system32\mshtml.dll
- 2008-10-16 20:38:38 477,696 ----a-w c:\windows\system32\mshtmled.dll
+ 2008-12-20 23:15:30 477,696 ----a-w c:\windows\system32\mshtmled.dll
- 2008-10-16 20:38:38 193,024 ------w c:\windows\system32\msrating.dll
+ 2008-12-20 23:15:31 193,024 ------w c:\windows\system32\msrating.dll
- 2008-10-16 20:38:39 671,232 ------w c:\windows\system32\mstime.dll
+ 2008-12-20 23:15:32 671,232 ------w c:\windows\system32\mstime.dll
- 2008-10-16 20:38:39 102,912 ------w c:\windows\system32\occache.dll
+ 2008-12-20 23:15:38 102,912 ------w c:\windows\system32\occache.dll
- 2008-10-16 20:38:39 44,544 ----a-w c:\windows\system32\pngfilt.dll
+ 2008-12-20 23:15:38 44,544 ----a-w c:\windows\system32\pngfilt.dll
- 2006-07-01 19:24:26 711,220 ----a-w c:\windows\system32\Restore\rstrlog.dat
+ 2009-02-17 02:33:04 357,976 ----a-w c:\windows\system32\Restore\rstrlog.dat
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2008-10-16 20:38:39 105,984 ----a-w c:\windows\system32\url.dll
+ 2008-12-20 23:15:39 105,984 ----a-w c:\windows\system32\url.dll
- 2008-10-16 20:38:39 1,160,192 ----a-w c:\windows\system32\urlmon.dll
+ 2008-12-20 23:15:40 1,160,192 ----a-w c:\windows\system32\urlmon.dll
- 2008-10-16 20:38:39 233,472 ----a-w c:\windows\system32\webcheck.dll
+ 2008-12-20 23:15:40 233,472 ----a-w c:\windows\system32\webcheck.dll
- 2008-10-16 20:38:40 826,368 ----a-w c:\windows\system32\wininet.dll
+ 2008-12-20 23:15:41 826,368 ----a-w c:\windows\system32\wininet.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]
@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"
[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]
2006-12-03 16:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]
@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"
[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]
2006-12-03 16:03 2854912 --a------ c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-08-06 50472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-08-11 21741864]
"Sticky Pad"="c:\program files\StickyPad\StickyPad.exe" [2007-04-23 528441]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2006-12-03 49168]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-01-05 1589248]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-01-06 290088]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-08-14 115560]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-12-03 15:50 90112 c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ttrgfq.dll aumxvi.dll ubvtfz.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2008-05-24 14:08 289088 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-01-06 13:06 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
--a------ 2003-07-13 01:49 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 03:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-12-29 13:21 61952 c:\windows\system32\CHDAudPropShortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\BitLord\\BitLord.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-10 64160]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-09 24652]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-16 99376]
R3 QCEmerald;Logitech QuickCam Web;c:\windows\system32\drivers\OVCE.sys [2008-08-27 31872]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2008-04-09 20160]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-11-18 23888]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-02-06 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2007\SystemOptimizer.exe [2007-04-27 05:51]

2009-01-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-18 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 15:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\
FF - prefs.js: browser.startup.homepage - www.msn.com
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&query=
FF - component: c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-18 10:08:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
c:\program files\Protector Suite QL\crypto.dll

- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\program files\Protector Suite QL\infra.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Synaptics\SynTP\Toshiba.exe
c:\program files\Protector Suite QL\psqltray.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
.
**************************************************************************
.
Completion time: 2009-02-18 10:12:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-18 16:11:41
ComboFix2.txt 2009-02-16 20:13:52

Pre-Run: 64,958,365,696 bytes free
Post-Run: 64,989,761,536 bytes free

427 --- E O F --- 2009-02-17 02:40:49

#4 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:02:34 PM

Posted 18 February 2009 - 11:42 AM

Please uninstall these programs so they won't interfere with our fixes.. You can reinstall them later if you wish..

1. Lavasoft Ad-Aware
2. Spybot S&D
3. Viewpoint (all of them)..




Please download the OTMoveIt3 by OldTimer
  • Save it to your Desktop.
  • Please double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Let the Unregister Dll's and Ocx's remain ticked and Zip Files After Moves remain unticked..
  • Copy the codebox contents and paste it to the "Paste List of Files/Folders to Move" window (under the light Yellow bar)

    :reg
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    
    :commands
    [purity]
    [emptytemp]
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post me these logs in your next reply..

1. OTMoveIt3
2. ESET Online Scanner
3. Tell me, how's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
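As an added example (not ComboFix, OTMoveIt3 or fenzodahl512's own tooling), here is a Python triage script that parses "Reg Loading Points" lines in the layout ComboFix prints, pulls out the AppInit_DLLs list and emits the same blanking fix the :reg step above applies. The sample log text is constructed from entries quoted in this thread, and the random-name check is a heuristic of mine, not anything ComboFix does.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for AppInit_DLLs abuse.

Added example for this thread; it is not ComboFix, OTMoveIt3 or the helper's
own tooling. The sample text below is constructed from entries quoted in the
log above, and the name heuristic is exactly that: a heuristic.
"""
import re
from dataclasses import dataclass

# Constructed sample: a few 'Reg Loading Points' lines in ComboFix's REGEDIT4-style layout.
SAMPLE_LOG = """\
[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"Skype"="c:\\program files\\Skype\\Phone\\Skype.exe" [2008-08-11 21741864]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=ttrgfq.dll aumxvi.dll ubvtfz.dll

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')  # "Name"=data (data may carry a trailing [date size])
# Heuristic (mine): bare 6-8 lowercase-letter stem with no path, the shape of the three
# names in this log. Legitimate DLLs can match too (psqlpwd.dll in the same log would),
# so a hit means "resolve it on disk and check the signer", not "malicious".
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,8}\.dll$")

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows"


@dataclass
class RegValue:
    key: str
    name: str
    data: str


def parse_loading_points(text: str) -> list[RegValue]:
    """Turn [key] / "name"=data lines into RegValue records; other lines are ignored."""
    values, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if key is not None and (m := VALUE_RE.match(line)):
            values.append(RegValue(key, m.group(1), m.group(2).strip()))
    return values


def appinit_dlls(values: list[RegValue]) -> list[str]:
    """DLL names listed in AppInit_DLLs. An empty list is the clean state."""
    dlls = []
    for v in values:
        if v.name.lower() == "appinit_dlls":
            # ComboFix prints the raw REG_SZ; entries are space- or comma-separated.
            dlls.extend(n for n in re.split(r"[\s,]+", v.data.strip('"')) if n)
    return dlls


def looks_random(dll: str) -> bool:
    return RANDOM_NAME_RE.match(dll.lower()) is not None


def triage(values: list[RegValue]) -> list[tuple[str, str]]:
    """(item, reason) pairs. On XP there is no LoadAppInit_DLLs or signing gate, so
    every DLL named in AppInit_DLLs is loaded into each process that maps user32.dll;
    the value should be empty unless you know exactly what put it there."""
    findings = []
    for dll in appinit_dlls(values):
        reason = "AppInit_DLLs entry: loaded into every user32-linked process"
        if looks_random(dll):
            reason += "; bare random-looking name, resolve it on disk and check its signer"
        findings.append((dll, reason))
    return findings


def remediation_reg(values: list[RegValue]) -> str:
    """REGEDIT4 text that blanks AppInit_DLLs, the same change the OTMoveIt3 ':reg'
    step in this thread makes. Returns '' when there is nothing to fix."""
    if not appinit_dlls(values):
        return ""
    return "REGEDIT4\n\n[" + APPINIT_KEY + "]\n\"AppInit_DLLs\"=\"\"\n"


if __name__ == "__main__":
    vals = parse_loading_points(SAMPLE_LOG)
    for item, why in triage(vals):
        print(f"{item}: {why}")
    print(remediation_reg(vals))
```

Any DLL it flags still has to be confirmed against the file on disk before it is acted on; the script only reads the log.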


#5 NBarkan

  • Topic Starter
  • Members
  • 42 posts
  • Local time:02:34 AM

Posted 18 February 2009 - 05:38 PM

========== REGISTRY ==========
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows\\"AppInit_DLLs"|"" /E : value set successfully!
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Nick\LOCALS~1\Temp\etilqs_0Bhz8F78CBuupX1EmRlQ scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Nick\LOCALS~1\Temp\~DF598F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Nick\LOCALS~1\Temp\~DF9E51.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02182009_125508

Files moved on Reboot...
File C:\DOCUME~1\Nick\LOCALS~1\Temp\etilqs_0Bhz8F78CBuupX1EmRlQ not found!
C:\DOCUME~1\Nick\LOCALS~1\Temp\~DF598F.tmp moved successfully.
C:\DOCUME~1\Nick\LOCALS~1\Temp\~DF9E51.tmp moved successfully.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Nick\Local Settings\Application Data\Mozilla\Firefox\Profiles\wo87wems.default\XUL.mfl moved successfully.


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3865 (20090218)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=3846b8fb61f4124786bbddaca79986f2
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-02-18 10:31:12
# local_time=2009-02-18 04:31:12 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 3
# scanned=547866
# found=2
# scan_time=12400
C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir Win32/TrojanDownloader.FakeAlert.YV trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir Win32/TrojanDownloader.FakeAlert.YV trojan (unable to clean - deleted) 00000000000000000000000000000000



I seem to still have an issue with google.com. Whenever I click certain links it doesn't go where it should.. and I see "clickfraudmanager.com." It's not always, but it definitely happens. Let me know what you think. Other than that my computer is starting to look good!

#6 NBarkan

  • Topic Starter
  • Members
  • 42 posts
  • Local time:02:34 AM

Posted 19 February 2009 - 02:07 AM

I just wanted to add on as well, I was looking at how to get rid of the "clickfraudmanager.com" stuff and I found something telling me to do this.

1. Close Firefox
2. Navigate to the Mozilla firefox folder in program files
3. Go into the extensions folder
4. There will be several folders with funny characters (i.e. {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}). Look for the folder with a modified date on or around the date you noticed Firefox acting funny and re-directing you to other pages.
5. Delete this folder. (if there is only one folder here I am not sure what this will do but you might want to consider the possibility of losing firefox specific data or having to re-install firefox if you remove this)
6. Re-open firefox.... and enjoy!

I did this, and it's working perfectly. I'm not noticing any problems with missing extensions and what not. Let me know if you feel I shouldn't have done this or if it was the smart move.

#7 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:02:34 PM

Posted 19 February 2009 - 03:11 AM

Good for you :thumbup2:

Let's do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware



Read these links about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm



Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#8 NBarkan

  • Topic Starter
  • Members
  • 42 posts
  • Local time:02:34 AM

Posted 19 February 2009 - 09:44 AM

I feel like my computer is finally back to normal! Thank you for all your patience and help. I now don't need to give up on this computer for another year or two!

Have a good day!

#9 fenzodahl512

  • Members
  • 6,738 posts
  • Local time:02:34 PM

Posted 19 February 2009 - 10:29 AM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please pm me or Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing !

fenzodahl512
