
Adware stuck on toolbar.


16 replies to this topic

#1 Jesse.James

Posted 23 February 2009 - 06:01 PM

I'm pretty sure I have a virus because in my toolbar there is a red circle that is trying to mock a windows security alert. I know it's fake because I have real security alert beside it. Every now and then an ad will pop up asking me to sign up for a credit card or anti-virus. I tried running Avast! which didn't pick up a thing.
Here's a screen shot.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Danny Rodenburg at 17:37:46.95 on Mon 02/23/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_03
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.41 [GMT -5:00]

AV: avast! antivirus 4.7.1098 [VPS 081024-1] *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dynex Wireless Enhanced G Desktop card - DX-WGPDTC\WLService.exe
C:\Program Files\Dynex Wireless Enhanced G Desktop card - DX-WGPDTC\WLanCfgG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dynex Enhanced G Desktop Card Adapter\DynexWCUI.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jan Fair\Desktop\runescape.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\JANFAI~1\LOCALS~1\Temp\winlognn.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\DOCUME~1\JANFAI~1\LOCALS~1\Temp\249C.tmp
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\DOCUME~1\JANFAI~1\LOCALS~1\Temp\isnlcy8.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\DOCUME~1\JANFAI~1\LOCALS~1\Temp\249C.tmp
C:\Documents and Settings\Jan Fair\Desktop\dds.scr
C:\Documents and Settings\Jan Fair\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.daemon-search.com/startpage
mDefault_Page_URL = hxxp://www.dellnet.com/
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = hxxp://www.google.com;;*.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: c:\windows\system32\hhs3ijndfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hhs3ijndfd.dll
TB: {D7F30B62-8269-41AF-9539-B2697FA7D77E} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [jsf8uiw3jnjgffght] c:\docume~1\janfai~1\locals~1\temp\winlognn.exe
uRun: [ldv7gm7771yskgi4kfnec5s232] c:\docume~1\janfai~1\locals~1\temp\y2hi65jpmyrml.exe
uRun: [e1t7e8vowg0vjo2mvipzlt8nah81b5n2] c:\docume~1\janfai~1\locals~1\temp\uef8i37ni6olf.exe
uRun: [q6cr8qdg6kgoaa6raffbftijnjjvg] c:\docume~1\janfai~1\locals~1\temp\dt8qhh.exe
uRun: [bu6gh82eno3sdwujsklaiwatxvd6shzuu4o2ejxckj] c:\docume~1\janfai~1\locals~1\temp\o09qu7gwxm.exe
uRun: [mm3rkalbat68bpxkqqasqyev3ufup1srn01vld698] c:\docume~1\janfai~1\locals~1\temp\q6bnqh.exe
uRun: [gyv19a7eisbrepjkr76] c:\docume~1\janfai~1\locals~1\temp\rb78dp.exe
uRun: [umdorvoqbtqn8tgyw5o80jp] c:\docume~1\janfai~1\locals~1\temp\afr9gqlqntq4.exe
uRun: [ufnh4tjzfj78upp4im04m8h6905utmvihhbwtkxsejbg] c:\docume~1\janfai~1\locals~1\temp\nw01tzvfxrxa.exe
uRun: [pkbm2oq8ff019ad3v127] c:\docume~1\janfai~1\locals~1\temp\hwon17.exe
uRun: [cwnvo07ebt95mtvxc9vzy] c:\docume~1\janfai~1\locals~1\temp\tt4haxr4iik.exe
uRun: [zk5c56hk8] c:\docume~1\janfai~1\locals~1\temp\f0d8uhymfs.exe
uRun: [wgn29s3td05abp4pew8tjq6o1d9ypw3] c:\docume~1\janfai~1\locals~1\temp\u7h2z95h7.exe
uRun: [p5w74weohz98btrdvi3pd22vo] c:\docume~1\janfai~1\locals~1\temp\isnlcy8.exe
uRun: [nffy6tn0ahvw29ikt6gx2trbrn7rnl5ojl66r445b0] c:\docume~1\janfai~1\locals~1\temp\f3keil7.exe
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_03\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [PCLEUSBTip] c:\program files\pinnacle\shared files\programs\usbtip\USBTip.exe
mRun: [USB2Check] RUNDLL32.EXE "c:\windows\system32\PCLECoInst.dll",CheckUSBController
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [Ufiluzupija] rundll32.exe "c:\windows\Ejefuj.dll",e
mRun: [jsf8uiw3jnjgffght] c:\docume~1\janfai~1\locals~1\temp\winlognn.exe
mRun: [Framework Windows] frmwrk32.exe
mRun: [Fduvuhoxa] rundll32.exe "c:\windows\owelaqocu.dll",e
StartupFolder: c:\docume~1\janfai~1\startm~1\programs\startup\roller~1.lnk - c:\documents and settings\jan fair\local settings\temp\{182f785a-73bc-4ba4-8273-3ca7cf57f483}\{907b4640-266b-4a21-92fb-cd1a86cd0f63}\ATR1.exe
StartupFolder: c:\docume~1\janfai~1\startm~1\programs\startup\roller~2.lnk - c:\documents and settings\jan fair\local settings\temp\{87fc98bd-98bd-499a-90de-540d4201f0d5}\{45653847-497f-47bb-a878-46fbde34a3e0}\ATR1.exe
StartupFolder: c:\docume~1\janfai~1\startm~1\programs\startup\youtring.lnk - c:\program files\youtring\YouTring.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dynexw~1.lnk - c:\program files\dynex enhanced g desktop card adapter\DynexWCUI.exe
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-explorer: <NO NAME> =
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021}
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} - hxxp://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1083879460250
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38111.2312731482
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: crypt - crypts.dll
Notify: utsync - utsync.dll
AppInit_DLLs: tdshex.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: c:\windows\system32\hhs3ijndfd.dll: {c5bf49a2-94f3-42bd-f434-3604812c8955} - c:\windows\system32\hhs3ijndfd.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywUKcA

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\janfai~1\applic~1\mozilla\firefox\profiles\davhpuz8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\jan fair\application data\mozilla\firefox\profiles\davhpuz8.default\extensions\{463f6ca5-ee3c-4be1-b7e6-7fee11953374}\platform\winnt\components\FoxyTunes.dll
FF - component: c:\documents and settings\jan fair\application data\mozilla\firefox\profiles\davhpuz8.default\extensions\{7378b8c2-fc38-41b8-a8c9-875d1f5b0a24}\components\NativeComponent.dll
FF - component: c:\documents and settings\jan fair\application data\mozilla\firefox\profiles\davhpuz8.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: XUL Cache: {0138605A-8FBA-4AFF-82E1-D904B7ED777A} - c:\documents and settings\jan fair\local settings\application data\{0138605a-8fba-4aff-82e1-d904b7ed777a}\

============= SERVICES / DRIVERS ===============

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2007-8-16 140664]
R2 Dynex DX-WGPDTC WLService;Dynex Wireless Enhanced G Desktop card - DX-WGPDTC Service;c:\program files\dynex wireless enhanced g desktop card - dx-wgpdtc\WLService.exe [2009-1-13 49152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-12 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2007-8-16 247160]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2007-8-16 345464]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\system32\drivers\libusb0.sys [2008-6-2 29184]
S3 NaiFiltr;NaiFiltr;c:\windows\system32\drivers\NaiFiltr.sys [2003-2-3 23296]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys --> c:\windows\system32\drivers\wg111v2.sys [?]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2009-02-23 17:00 <DIR> --d----- c:\program files\Trend Micro
2009-02-23 16:40 134,656 a------- c:\windows\owelaqocu.dll
2009-02-23 16:29 100,590 a------- c:\windows\system32\drivers\d0a39fef.sys
2009-02-23 16:27 72,704 a------- c:\windows\system32\oxamhfft.dll
2009-02-23 16:24 129,024 a------- c:\windows\system32\tdshex.dll
2009-02-23 16:24 129,024 a------- c:\windows\system32\lrlxlryl.dll
2009-02-23 04:27 129,024 a------- c:\windows\system32\kkwgbp.dll
2009-02-23 04:27 129,024 a------- c:\windows\system32\ahmlesnh.dll
2009-02-23 04:24 1,607,788 ---sh--- c:\windows\system32\iylmiaei.ini
2009-02-23 04:24 72,704 -------- c:\windows\system32\ieaimlyi.dll
2009-02-22 16:24 129,024 a------- c:\windows\system32\iyqevv.dll
2009-02-22 16:24 129,024 a------- c:\windows\system32\iqhcljnq.dll
2009-02-22 16:23 1,607,788 ---sh--- c:\windows\system32\spejvvbr.ini
2009-02-22 16:23 72,704 -------- c:\windows\system32\rbvvjeps.dll
2009-02-21 12:55 129,024 a------- c:\windows\system32\ouwmgd.dll
2009-02-21 12:55 129,024 a------- c:\windows\system32\vnxvwrlf.dll
2009-02-21 12:52 1,607,788 ---sh--- c:\windows\system32\fevvegod.ini
2009-02-21 12:52 72,704 -------- c:\windows\system32\dogevvef.dll
2009-02-21 00:52 129,024 a------- c:\windows\system32\xhffsz.dll
2009-02-21 00:52 129,024 a------- c:\windows\system32\guvdrvum.dll
2009-02-21 00:49 1,607,788 ---sh--- c:\windows\system32\mjausxuj.ini
2009-02-20 12:48 129,024 a------- c:\windows\system32\kzcvnk.dll
2009-02-20 12:48 129,024 a------- c:\windows\system32\bvqstxkr.dll
2009-02-20 12:48 1,598,385 ---sh--- c:\windows\system32\ouoojjrj.ini
2009-02-20 12:48 72,704 a------- c:\windows\system32\jrjjoouo.dll
2009-02-20 00:51 1,586,779 ---sh--- c:\windows\system32\ttillkrc.ini
2009-02-20 00:48 129,024 a------- c:\windows\system32\mzpmqq.dll
2009-02-20 00:48 129,024 a------- c:\windows\system32\myrsjypl.dll
2009-02-19 12:50 1,616,764 ---sh--- c:\windows\system32\tukpwkox.ini
2009-02-19 12:50 72,704 a------- c:\windows\system32\xokwpkut.dll
2009-02-19 12:50 129,024 a------- c:\windows\system32\fxcadh.dll
2009-02-19 12:50 129,024 a------- c:\windows\system32\lthmkwnx.dll
2009-02-19 00:50 129,024 a------- c:\windows\system32\tlwaeo.dll
2009-02-19 00:50 129,024 a------- c:\windows\system32\aumcvrxy.dll
2009-02-19 00:47 1,611,600 ---sh--- c:\windows\system32\mwqaaxbo.ini
2009-02-18 12:52 129,024 a------- c:\windows\system32\jtgqlcht.dll
2009-02-18 12:52 129,024 a------- c:\windows\system32\cmfqak.dll
2009-02-18 12:49 1,611,600 ---sh--- c:\windows\system32\wdqfrvsd.ini
2009-02-18 00:52 129,024 a------- c:\windows\system32\gdnhdn.dll
2009-02-18 00:52 129,024 a------- c:\windows\system32\bjxarncf.dll
2009-02-18 00:49 1,603,855 ---sh--- c:\windows\system32\sndxwgtm.ini
2009-02-17 12:50 1,603,855 ---sh--- c:\windows\system32\tvngqsnq.ini
2009-02-17 12:47 129,024 a------- c:\windows\system32\rucgpnfw.dll
2009-02-17 12:47 129,024 a------- c:\windows\system32\msszuk.dll
2009-02-17 00:50 1,589,969 ---sh--- c:\windows\system32\dgcugtls.ini
2009-02-17 00:50 129,024 a------- c:\windows\system32\ctasiq.dll
2009-02-17 00:47 129,024 a------- c:\windows\system32\ggipujfo.dll
2009-02-16 12:50 1,589,985 ---sh--- c:\windows\system32\nnoiptmf.ini
2009-02-16 12:47 129,024 a------- c:\windows\system32\qpwrtjdk.dll
2009-02-16 12:47 129,024 a------- c:\windows\system32\leejxj.dll
2009-02-16 00:50 129,024 a------- c:\windows\system32\iseyhb.dll
2009-02-16 00:50 129,024 a------- c:\windows\system32\gprnrqsw.dll
2009-02-16 00:47 1,583,467 ---sh--- c:\windows\system32\tphkuqkk.ini
2009-02-15 00:47 1,583,467 ---sh--- c:\windows\system32\cilnflon.ini
2009-02-15 00:45 129,024 a------- c:\windows\system32\wzysfp.dll
2009-02-15 00:45 129,024 a------- c:\windows\system32\lqnfaeon.dll
2009-02-15 00:44 2,639 a--sh--- c:\windows\system32\AcKUwyay.ini2
2009-02-15 00:44 2,882 a--sh--- c:\windows\system32\AcKUwyay.ini
2009-02-15 00:44 302,592 a------- c:\windows\system32\yaywUKcA.dll.vir
2009-02-15 00:38 48,128 a------- c:\windows\system32\wvUkJyAQ.dll
2009-02-15 00:37 36,352 a------- c:\windows\system32\wvUoPjij.dll
2009-02-06 18:02 <DIR> --d----- c:\program files\YouTring
2009-02-01 00:34 265,041 a------- C:\AnalysisLog.sr0
2009-01-28 20:33 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ArcSoft
2009-01-28 20:32 18,688 a------- c:\windows\system32\drivers\afc.sys
2009-01-28 20:30 <DIR> --d----- c:\program files\Kodak

==================== Find3M ====================

2009-02-23 16:28 32,256 a------- c:\windows\system32\crypts.dll
2009-02-23 16:28 705 a------- C:\desae.exe
2009-02-23 16:28 81,920 a------- C:\itamcndf.exe
2009-02-23 16:28 27,136 a------- c:\windows\system32\frmwrk32.exe
2009-02-23 16:28 27,136 a------- C:\pfkik.exe
2009-02-23 16:28 23,660 a------- c:\windows\system32\utsync.dll
2009-02-23 16:28 8,688 a------- c:\windows\system32\uvsync.sys
2009-02-23 16:28 40,448 a------- C:\cxfagn.exe
2009-02-23 16:28 15,000 a------- c:\windows\system32\hhs3ijndfd.dll
2009-02-23 16:28 39,936 a------- c:\windows\Ejefuj.dll
2009-02-23 16:28 39,936 a------- C:\cwxwwgtl.exe
2009-02-23 07:12 34 a------- c:\documents and settings\jan fair\jagex_runescape_preferences.dat
2008-12-12 12:33 3,060,224 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 06:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-02-20 21:53 67,168 ac------ c:\docume~1\janfai~1\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 17:40:27.57 ===============


Edited by Jesse.James, 23 February 2009 - 06:05 PM.
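Added example, not part of the thread and not code from DDS, HijackThis or any tool named here: a Python triage pass over lines in the DDS log format, run on a constructed sample modelled on entries visible in the log above. It flags the entries a helper reads first in such a log: Run keys that launch from the user's Temp directory, rundll32 loading a DLL dropped directly in the Windows directory, the Winlogon Notify, AppInit_DLLs and LSA authentication-package hooks, and the Explorer/system policies (DisableTaskMgr, DisableRegistryTools) behind the "Blocked by Administrator" lockout reported later in the thread. Over the file listing it picks out hidden, system-attributed .ini files in system32, clusters of same-sized random-named DLLs, and file pairs where one name is the other reversed (iylmiaei.ini / ieaimlyi.dll, AcKUwyay.ini / yaywUKcA.dll.vir in the log above), then cross-references the persistence entries against the recently created files. The sample lines, the severities and the LOCKOUT_POLICIES list are this example's own assumptions.

```python
# Added triage example for DDS-format log lines; not code from DDS or any tool in this thread.
# Sample lines are constructed in the DDS format from entries seen in the posted log.
import re
from collections import defaultdict

SAMPLE_HJT = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [jsf8uiw3jnjgffght] c:\docume~1\janfai~1\locals~1\temp\winlognn.exe
mRun: [Ufiluzupija] rundll32.exe "c:\windows\Ejefuj.dll",e
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
Notify: crypt - crypts.dll
AppInit_DLLs: tdshex.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\yaywUKcA
"""
SAMPLE_FILES = r"""
2009-02-23 17:00 <DIR> --d----- c:\program files\Trend Micro
2009-02-23 16:28 32,256 a------- c:\windows\system32\crypts.dll
2009-02-23 16:24 129,024 a------- c:\windows\system32\tdshex.dll
2009-02-23 16:24 129,024 a------- c:\windows\system32\lrlxlryl.dll
2009-02-23 04:27 129,024 a------- c:\windows\system32\kkwgbp.dll
2009-02-23 04:24 1,607,788 ---sh--- c:\windows\system32\iylmiaei.ini
2009-02-23 04:24 72,704 -------- c:\windows\system32\ieaimlyi.dll
2009-02-22 16:23 1,607,788 ---sh--- c:\windows\system32\spejvvbr.ini
2009-02-22 16:23 72,704 -------- c:\windows\system32\rbvvjeps.dll
2009-02-15 00:44 302,592 a------- c:\windows\system32\yaywUKcA.dll.vir
2009-02-15 00:44 2,882 a--sh--- c:\windows\system32\AcKUwyay.ini
"""
LOCKOUT_POLICIES = {"DisableTaskMgr": "high", "DisableRegistryTools": "high", "NoFolderOptions": "medium",
                    "NoSetActiveDesktop": "medium", "NoActiveDesktopChanges": "medium"}  # assumed list
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")
HJT_RE = re.compile(r"^(\w[\w-]*): (.*)$")
RUN_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
TOKEN_RE = re.compile(r"[\w~$-]+\.(?:dll|exe|sys|ini)")  # file names mentioned in an entry

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def parse_files(text):
    """Parse 'Created Last 30' / 'Find3M' lines; paths are lower-cased for matching."""
    out = []
    for m in filter(None, (FILE_RE.match(ln.strip()) for ln in text.splitlines())):
        _, _, size, attrs, path = m.groups()
        out.append({"dir": size == "<DIR>", "attrs": attrs, "path": path.lower(),
                    "size": 0 if size == "<DIR>" else int(size.replace(",", ""))})
    return out

def analyse_files(entries):
    """Reversed-name pairs, hidden+system .ini files in system32, clusters of one size."""
    findings, seen, by_size = [], set(), defaultdict(list)
    files = [e for e in entries if not e["dir"]]
    by_stem = {basename(e["path"]).split(".", 1)[0]: e for e in files}
    for stem, e in by_stem.items():
        rev = stem[::-1]
        if rev != stem and rev in by_stem and frozenset((stem, rev)) not in seen:
            seen.add(frozenset((stem, rev)))
            findings.append(("high", f"{basename(e['path'])} <-> {basename(by_stem[rev]['path'])}: "
                                     "one name is the other reversed"))
        if {"s", "h"} <= set(e["attrs"]) and e["path"].endswith(".ini") and "\\system32\\" in e["path"]:
            findings.append(("high", f"hidden+system .ini in system32: {e['path']}"))
    for e in files:
        by_size[e["size"]].append(basename(e["path"]))
    for size, names in by_size.items():
        if len(names) >= 3:
            findings.append(("medium", f"{len(names)} files of identical size {size}: {', '.join(names)}"))
    return findings

def analyse_hjt(text, new_paths=()):
    """Flag persistence entries and cross-reference them against recently created files."""
    new = {basename(p).lower() for p in new_paths}
    findings = []
    for m in filter(None, (HJT_RE.match(ln.strip()) for ln in text.splitlines())):
        kind, rest = m.groups()
        if kind.endswith("Run") and RUN_RE.match(rest):
            name, cmd = RUN_RE.match(rest).groups()
            if "\\temp\\" in cmd.lower():
                findings.append(("high", f"{kind} [{name}] starts from a Temp directory: {cmd}"))
            if re.search(r'rundll32(\.exe)?\s+"?c:\\windows\\[^\\]+\.dll', cmd, re.I):
                findings.append(("high", f"{kind} [{name}] rundll32 loads a DLL dropped in the Windows directory: {cmd}"))
        elif "Policies" in kind:
            pm = re.match(r"(\w+)\s*=\s*(\d+)", rest)
            if pm and pm.group(1) in LOCKOUT_POLICIES and pm.group(2) != "0":
                findings.append((LOCKOUT_POLICIES[pm.group(1)], f"{kind}: {pm.group(1)} set, locks the user out"))
        elif kind == "Notify":
            findings.append(("medium", f"Winlogon Notify DLL, loaded into winlogon.exe at logon: {rest}"))
        elif kind == "AppInit_DLLs" and rest.strip():
            findings.append(("high", f"AppInit_DLLs injects into every process that loads user32.dll: {rest}"))
        elif kind == "LSA" and "=" in rest:
            extra = [p for p in rest.split("=", 1)[1].split() if p.lower() != "msv1_0"]
            if extra:
                findings.append(("high", f"extra LSA authentication package: {' '.join(extra)}"))
        for tok in TOKEN_RE.findall(rest.lower()):
            if tok in new:
                findings.append(("high", f"{kind} entry references recently created file {tok}"))
    return findings

def triage(hjt_text, files_text):
    files = parse_files(files_text)
    findings = analyse_files(files) + analyse_hjt(hjt_text, [f["path"] for f in files])
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f[0]])

if __name__ == "__main__":
    for sev, msg in triage(SAMPLE_HJT, SAMPLE_FILES):
        print(f"[{sev:6}] {msg}")
```

triage() returns (severity, message) pairs sorted by severity; on a real log, pass the whole "Pseudo HJT Report" section as the first argument and the "Created Last 30" and "Find3M" sections together as the second. The size-cluster and reversed-name checks are heuristics that a helper still confirms against the running-process list and the rest of the log before writing a removal script.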



#2 Jesse.James

Posted 24 February 2009 - 12:48 PM

This is urgent! My computer crashed a few hours ago. I got a blue screen but it wasn't the blue screen of death. I don't know what I should do, help!!!! Edit: It's not in my toolbar, it's my taskbar, my bad.

Edited by Jesse.James, 24 February 2009 - 12:50 PM.


#3 bamajim

Posted 03 March 2009 - 10:55 AM

Jesse.James

Are you able to access the PC so we can see if we can get it cleaned up?
Do you have a desktop, file access etc?
Microsoft MVP - Windows Security

#4 Jesse.James

Posted 03 March 2009 - 12:49 PM

I do have access for about 15 minutes before it crashes and I get a blue screen with an error (not the BSoD). I would also like to mention the fact that my browser won't let me log in on this website or any other websites. I also can't see pictures or JavaScript, even though in my options in Firefox it says I can use JavaScript.

Edited by Jesse.James, 03 March 2009 - 12:50 PM.


#5 bamajim

Posted 03 March 2009 - 03:11 PM

Jesse.James

But you do have IE access with a working computer that you can download tools to and then transfer them to the infected PC. By USB key or disk?

#6 Jesse.James

Posted 03 March 2009 - 03:32 PM

Jesse.James

But you do have IE access with a working computer that you can download tools to and then transfer them to the infected PC. By USB key or disk?


Yes I do. Thanks!

Edited by Jesse.James, 03 March 2009 - 08:03 PM.


#7 bamajim

Posted 03 March 2009 - 05:50 PM

Jesse.James

You are most welcome

Since you are working between 2 PCs, I would suggest that you download Avenger and copy it to the USB key, then copy it to the infected PC before you extract it.

Also you may want to copy the script portion of the fix and save it in Notepad as a .txt file and transfer it as well. That way you can copy and paste the exact script.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
    (How to extract (decompress) zipped or compressed files, help in the link here: )
2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):


Drivers to Delete:
d0a39fef.sys

Files to delete:
c:\windows\owelaqocu.dll
c:\windows\system32\oxamhfft.dll
c:\windows\system32\tdshex.dll
c:\windows\system32\lrlxlryl.dll
c:\windows\system32\kkwgbp.dll
c:\windows\system32\ahmlesnh.dll
c:\windows\system32\iylmiaei.ini
c:\windows\system32\ieaimlyi.dll
c:\windows\system32\iyqevv.dll
c:\windows\system32\iqhcljnq.dll
c:\windows\system32\spejvvbr.ini
c:\windows\system32\rbvvjeps.dll
c:\windows\system32\ouwmgd.dll
c:\windows\system32\vnxvwrlf.dll
c:\windows\system32\fevvegod.ini
c:\windows\system32\dogevvef.dll
c:\windows\system32\xhffsz.dll
c:\windows\system32\guvdrvum.dll
c:\windows\system32\mjausxuj.ini
c:\windows\system32\kzcvnk.dll
c:\windows\system32\bvqstxkr.dll
c:\windows\system32\ouoojjrj.ini
c:\windows\system32\jrjjoouo.dll
c:\windows\system32\ttillkrc.ini
c:\windows\system32\mzpmqq.dll
c:\windows\system32\myrsjypl.dll
c:\windows\system32\tukpwkox.ini
c:\windows\system32\xokwpkut.dll
c:\windows\system32\fxcadh.dll
c:\windows\system32\tlwaeo.dll
c:\windows\system32\aumcvrxy.dll
c:\windows\system32\mwqaaxbo.ini
c:\windows\system32\jtgqlcht.dll
c:\windows\system32\cmfqak.dll
c:\windows\system32\wdqfrvsd.ini
c:\windows\system32\gdnhdn.dll
c:\windows\system32\bjxarncf.dll
c:\windows\system32\sndxwgtm.ini
c:\windows\system32\tvngqsnq.ini
c:\windows\system32\rucgpnfw.dll
c:\windows\system32\msszuk.dll
c:\windows\system32\dgcugtls.ini
c:\windows\system32\ctasiq.dll
c:\windows\system32\ggipujfo.dll
c:\windows\system32\nnoiptmf.ini
c:\windows\system32\qpwrtjdk.dll
c:\windows\system32\leejxj.dll
c:\windows\system32\iseyhb.dll
c:\windows\system32\gprnrqsw.dll
c:\windows\system32\tphkuqkk.ini
c:\windows\system32\cilnflon.ini
c:\windows\system32\wzysfp.dll
c:\windows\system32\lqnfaeon.dll
c:\windows\system32\AcKUwyay.ini2
c:\windows\system32\AcKUwyay.ini
c:\windows\system32\yaywUKcA.dll.vir
c:\windows\system32\wvUkJyAQ.dll
c:\windows\system32\wvUoPjij.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes When prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply.

Edited by bamajim, 04 March 2009 - 10:00 AM.


#8 Jesse.James

Posted 03 March 2009 - 08:33 PM

I'm not sure if that did anything because my computer still has that fake security icon and now a new background that says please download virus software because your computer is at risk, which is also fake because it misspells a few words.

Avenger log:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACkkbqboro.sys
Start Type: 1 (System)

Rootkit scan completed.


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c:\windows\system32\drivers\d0a39fef.sys" not found!
Deletion of driver "c:\windows\system32\drivers\d0a39fef.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\owelaqocu.dll" deleted successfully.
File "c:\windows\system32\oxamhfft.dll" deleted successfully.
File "c:\windows\system32\tdshex.dll" deleted successfully.
File "c:\windows\system32\lrlxlryl.dll" deleted successfully.
File "c:\windows\system32\kkwgbp.dll" deleted successfully.
File "c:\windows\system32\ahmlesnh.dll" deleted successfully.
File "c:\windows\system32\iylmiaei.ini" deleted successfully.

Error: file "c:\windows\system32\ieaimlyi.dll" not found!
Deletion of file "c:\windows\system32\ieaimlyi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\iyqevv.dll" deleted successfully.
File "c:\windows\system32\iqhcljnq.dll" deleted successfully.
File "c:\windows\system32\spejvvbr.ini" deleted successfully.

Error: file "c:\windows\system32\rbvvjeps.dll" not found!
Deletion of file "c:\windows\system32\rbvvjeps.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\ouwmgd.dll" deleted successfully.
File "c:\windows\system32\vnxvwrlf.dll" deleted successfully.
File "c:\windows\system32\fevvegod.ini" deleted successfully.

Error: file "c:\windows\system32\dogevvef.dll" not found!
Deletion of file "c:\windows\system32\dogevvef.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\xhffsz.dll" deleted successfully.
File "c:\windows\system32\guvdrvum.dll" deleted successfully.
File "c:\windows\system32\mjausxuj.ini" deleted successfully.
File "c:\windows\system32\kzcvnk.dll" deleted successfully.
File "c:\windows\system32\bvqstxkr.dll" deleted successfully.
File "c:\windows\system32\ouoojjrj.ini" deleted successfully.
File "c:\windows\system32\jrjjoouo.dll" deleted successfully.
File "c:\windows\system32\ttillkrc.ini" deleted successfully.
File "c:\windows\system32\mzpmqq.dll" deleted successfully.
File "c:\windows\system32\myrsjypl.dll" deleted successfully.
File "c:\windows\system32\tukpwkox.ini" deleted successfully.
File "c:\windows\system32\xokwpkut.dll" deleted successfully.
File "c:\windows\system32\fxcadh.dll" deleted successfully.
File "c:\windows\system32\tlwaeo.dll" deleted successfully.
File "c:\windows\system32\aumcvrxy.dll" deleted successfully.
File "c:\windows\system32\mwqaaxbo.ini" deleted successfully.
File "c:\windows\system32\jtgqlcht.dll" deleted successfully.
File "c:\windows\system32\cmfqak.dll" deleted successfully.
File "c:\windows\system32\wdqfrvsd.ini" deleted successfully.
File "c:\windows\system32\gdnhdn.dll" deleted successfully.
File "c:\windows\system32\bjxarncf.dll" deleted successfully.
File "c:\windows\system32\sndxwgtm.ini" deleted successfully.
File "c:\windows\system32\tvngqsnq.ini" deleted successfully.
File "c:\windows\system32\rucgpnfw.dll" deleted successfully.
File "c:\windows\system32\msszuk.dll" deleted successfully.
File "c:\windows\system32\dgcugtls.ini" deleted successfully.
File "c:\windows\system32\ctasiq.dll" deleted successfully.
File "c:\windows\system32\ggipujfo.dll" deleted successfully.
File "c:\windows\system32\nnoiptmf.ini" deleted successfully.
File "c:\windows\system32\qpwrtjdk.dll" deleted successfully.
File "c:\windows\system32\leejxj.dll" deleted successfully.
File "c:\windows\system32\iseyhb.dll" deleted successfully.
File "c:\windows\system32\gprnrqsw.dll" deleted successfully.
File "c:\windows\system32\tphkuqkk.ini" deleted successfully.
File "c:\windows\system32\cilnflon.ini" deleted successfully.
File "c:\windows\system32\wzysfp.dll" deleted successfully.
File "c:\windows\system32\lqnfaeon.dll" deleted successfully.
File "c:\windows\system32\AcKUwyay.ini2" deleted successfully.
File "c:\windows\system32\AcKUwyay.ini" deleted successfully.
File "c:\windows\system32\yaywUKcA.dll.vir" deleted successfully.
File "c:\windows\system32\wvUkJyAQ.dll" deleted successfully.
File "c:\windows\system32\wvUoPjij.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.
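The log above carries the point to check before writing the next Avenger script: the driver item was looked up as a Services registry key named after the full file path of d0a39fef.sys, which does not exist (STATUS_OBJECT_NAME_NOT_FOUND), while the rootkit scan found the hidden driver under its service name, UACd.sys, with an ImagePath pointing at a differently named file, UACkkbqboro.sys. Added example, not Avenger's code and not part of the thread: a Python script that parses an Avenger log excerpt constructed from lines in the log above, separates successful from failed deletions, warns when a driver item is a file path rather than a service name, and drafts the follow-up "Drivers to delete:" section from the service names the rootkit scan reported. The excerpt, the note wording and the helper names are this example's own assumptions.

```python
# Added example: read an Avenger result log and work out what the next script needs.
# Not Avenger's own code; SAMPLE_LOG is constructed from lines in the log posted above.
import re

SAMPLE_LOG = r"""
Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACkkbqboro.sys
Start Type: 1 (System)

Rootkit scan completed.

Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\c:\windows\system32\drivers\d0a39fef.sys" not found!
Deletion of driver "c:\windows\system32\drivers\d0a39fef.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\owelaqocu.dll" deleted successfully.

Error: file "c:\windows\system32\ieaimlyi.dll" not found!
Deletion of file "c:\windows\system32\ieaimlyi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "c:\windows\system32\tdshex.dll" deleted successfully.
"""
HIDDEN_RE = re.compile(r'^Hidden driver "([^"]+)" found!$')
IMAGE_RE = re.compile(r"^ImagePath: (.+)$")
START_RE = re.compile(r"^Start Type: (\d+)")
OK_RE = re.compile(r'^(File|Driver|Registry key|Folder) "([^"]+)" deleted successfully\.$')
FAIL_RE = re.compile(r'^Deletion of (\w+) "([^"]+)" failed!$')
STATUS_RE = re.compile(r"^Status: (0x[0-9a-fA-F]+) \(([A-Z_]+)\)$")

def parse_avenger_log(text):
    """Return (hidden_drivers, results); a result is (kind, target, ok, ntstatus_name)."""
    lines = [ln.strip() for ln in text.splitlines()]
    hidden, results = [], []
    for i, line in enumerate(lines):
        hm, okm, fm = HIDDEN_RE.match(line), OK_RE.match(line), FAIL_RE.match(line)
        if hm:
            entry = {"service": hm.group(1), "image": None, "start": None}
            for nxt in lines[i + 1:i + 3]:  # ImagePath and Start Type follow directly
                im, st = IMAGE_RE.match(nxt), START_RE.match(nxt)
                if im:
                    entry["image"] = im.group(1)
                if st:
                    entry["start"] = int(st.group(1))
            hidden.append(entry)
        elif okm:
            results.append((okm.group(1).lower(), okm.group(2), True, None))
        elif fm:
            status = next((s.group(2) for s in map(STATUS_RE.match, lines[i + 1:i + 3]) if s), None)
            results.append((fm.group(1).lower(), fm.group(2), False, status))
    return hidden, results

def review(hidden, results):
    """Checks to make before writing the follow-up script, and a draft of that script."""
    notes = []
    for kind, target, ok, status in results:
        if ok:
            continue
        if kind == "driver" and ("\\" in target or "/" in target):
            notes.append(f'driver item "{target}" is a file path: Avenger looked for a Services '
                         f'registry key of that name ({status}); use the service name instead')
        else:
            notes.append(f'{kind} "{target}" not deleted ({status}): already gone or renamed, '
                         f'check for it again in a fresh DDS log')
    # The "Drivers to delete:" section takes the service names the rootkit scan reported.
    script = "Drivers to delete:\n" + "\n".join(h["service"] for h in hidden) if hidden else ""
    return notes, script

def summarize(text):
    hidden, results = parse_avenger_log(text)
    notes, script = review(hidden, results)
    return {"hidden": hidden, "deleted": [t for _, t, ok, _ in results if ok],
            "failed": [t for _, t, ok, _ in results if not ok], "notes": notes, "script": script}

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for h in s["hidden"]:
        print(f'hidden driver service {h["service"]} -> image {h["image"]} (start type {h["start"]})')
    for n in s["notes"]:
        print("note:", n)
    print(s["script"])
```

On the excerpt, summarize() reports one hidden driver (service UACd.sys, image UACkkbqboro.sys, start type 1), two files deleted, two items not found, and drafts "Drivers to delete:" followed by UACd.sys, which is the script the next post asks for. A "not found" on a file is normal when an earlier run, the malware's own churn, or the antivirus has already removed or renamed it; the hidden driver is the item worth re-checking in the next run's rootkit scan.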

#9 bamajim

Posted 04 March 2009 - 10:09 AM

Jesse.James

It will take a couple of runs at this to completely remove. Please be patient, we will get it.

I.

1. Rerun Avenger

2. Copy all the text contained in the bold below to your Clipboard by highlighting it and pressing (Ctrl+C):

Drivers to delete:
UACd.sys


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Select Load Script
  • Select Paste from Clipboard
  • The information should now appear in the Open window
  • Select Execute
  • Answer Yes When prompted "Are you sure you want to execute the current script?"
4. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply

II.

1. Go HERE and download FakeAlertFix

Save it to your Desktop. But do not run it yet.

2. Reboot into Safe Mode
  • This can be done by restarting your PC, and after it starts, but before you see the Windows splash screen,
  • begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
  • Use your arrow keys and select Safe Mode and then Enter
3. Close all Internet Explorer windows and run FakeAlertFix
  • Double click the fakealertfix.Zip file to unzip it.
  • Open the FakeAlertFix folder
  • Double click FakeAlertFix.vbe to run the program
  • Then select O.K. at the prompt
  • Allow the program to run (Your desktop will disappear, then re-appear. This is normal)
  • When it is finished it will produce a log C:\FakeAlertFix.txt
  • Copy and paste the results of that log in your reply
4. Then reboot your PC into Normal Windows Mode and post the C:\FakeAlertfix.txt log

Your reply should include the 2 logs requested.
Also tell me the changes this made.
Microsoft MVP - Windows Security

#10 Jesse.James

Jesse.James
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 04 March 2009 - 05:51 PM

I still have the icon and my background is still the same. I still can't log in and I still can't see pictures. I forgot to mention this before: all my text is red in my browser and everything connecting to the internet is malfunctioning. So far I've noticed no changes. By the way, when I was in safe mode I could see a second administrative account besides mine, and I also noticed that when I sign in on my profile I can't open the task manager; it just says "Blocked by Administrator."

Avenger:
Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "UACd.sys" found!
ImagePath: \systemroot\system32\drivers\UACkkbqboro.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

Driver "UACd.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

FakeAlertFix:

========================================
FakeAlertFix

Version 1.5.8

By bamajim @ CastleCops.com

========================================

========================================

Values under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

%windir%\system32\sessmgr.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Soldat\Soldat.exe
C:\Program Files\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Games\Counter-Strike Source\hl2.exe
C:\Program Files\Microsoft Games\Halo\halo.exe
C:\World of Warcraft\WoW-1.12.x-to-2.0.1-enUS-patch-downloader.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\CRack\NAT.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\YouTring\Phone.exe
\??\C:\WINDOWS\system32\winlogon.exe

Edited by Jesse.James, 04 March 2009 - 05:53 PM.


#11 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 05 March 2009 - 03:05 PM

Jesse.James

Please download Combofix and save to your desktop.
Note: It is important that it is saved directly to your desktop.
Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the contents of the C:\ComboFix.txt into your next reply.
Note: Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Microsoft MVP - Windows Security

#12 Jesse.James

Jesse.James
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 06 March 2009 - 03:39 PM

I'm sorry, but I left it open all this morning and it did whatever it was supposed to do, but it didn't give me a log. When it was open it said not to have any programs running, which I did, so that could be the problem. From what I can see everything is fixed. If you want me to do something else or run Combofix again, I will.

Edit: I'm using my old computer again.

Edited by Jesse.James, 06 March 2009 - 03:40 PM.


#13 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 06 March 2009 - 04:29 PM

Jesse.James

Yes, rerun Combofix and post the combofix log please.
I don't feel comfortable dealing with unknowns. I'd like to be sure that we got all of it.
Microsoft MVP - Windows Security

#14 Jesse.James

Jesse.James
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 07 March 2009 - 12:36 PM

Okay I got the log.

Combofix:

ComboFix 09-03-04.01 - Jan Fair 2009-03-07 3:08:15.2 - NTFSx86
Running from: F:\ComboFix.exe
AV: avast! antivirus 4.7.1098 [VPS 081024-1] *On-access scanning enabled* (Outdated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\kwave.sys
.
---- Previous Run -------
.
c:\docume~1\JANFAI~1\LOCALS~1\Temp\mousehook.dll
c:\docume~1\JANFAI~1\LOCALS~1\Temp\ntdll64.dll
c:\windows\system32\a9k.bin
c:\windows\system32\ahtn.htm
c:\windows\system32\crypts.dll
c:\windows\system32\drivers\mrxdavv.sys
c:\windows\system32\Drivers\UACkkbqboro.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\hhs3ijndfd.dll
c:\windows\system32\init32.exe
c:\windows\system32\kwave.sys
c:\windows\system32\lthmkwnx.dll
c:\windows\system32\ntdll64.exe
c:\windows\system32\UACcvdkrtrw.log
c:\windows\system32\UACdulhaasx.dll
c:\windows\system32\UACinit.dll
c:\windows\system32\UAClhjophmk.dll
c:\windows\system32\UACnbmqrmeq.dll
c:\windows\system32\UACvyxjgolt.dll
c:\windows\system32\UACwpgprqtq.dat
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif
c:\windows\system32\win32hlp.cnf
c:\windows\Tasks\wgaupgyk.job

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe


.
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.

2100-02-16 16:09 . 2001-02-16 15:37 62 --a------ c:\windows\SYSTEM32\LXBOUSCI.INI
2009-03-03 20:36 . 2009-03-03 20:37 131,584 --a------ c:\windows\ikizejowe.dll
2009-02-24 19:51 . 2009-02-24 19:51 <DIR> d-------- c:\documents and settings\Administrator
2009-02-23 20:23 . 2009-02-23 16:28 8,688 --a------ c:\windows\SYSTEM32\DRIVERS\wg111v2.sys
2009-02-23 20:23 . 2009-02-23 16:28 8,688 --a------ c:\windows\SYSTEM32\DRIVERS\wATV03nt.sys
2009-02-23 20:23 . 2009-02-23 16:28 8,688 --a------ c:\windows\SYSTEM32\DRIVERS\wanatw4.sys
2009-02-23 20:23 . 2009-02-23 16:28 8,688 --a------ c:\windows\SYSTEM32\DRIVERS\vmnetadapter.sys
2009-02-23 17:00 . 2009-02-23 17:00 <DIR> d-------- c:\program files\Trend Micro
2009-02-23 16:29 . 2009-03-07 03:17 100,590 --a------ c:\windows\SYSTEM32\DRIVERS\d0a39fef.sys
2009-02-23 16:28 . 2009-02-23 16:28 81,920 --a------ C:\itamcndf.exe
2009-02-23 16:28 . 2009-02-23 16:28 40,448 --a------ C:\cxfagn.exe
2009-02-23 16:28 . 2009-02-23 16:28 39,936 --a------ c:\windows\Ejefuj.dll
2009-02-23 16:28 . 2009-02-23 16:28 39,936 --a------ C:\cwxwwgtl.exe
2009-02-23 16:28 . 2009-02-23 16:28 27,136 --a------ C:\pfkik.exe
2009-02-23 16:28 . 2009-02-23 16:28 8,688 --a------ c:\windows\SYSTEM32\uvsync.sys
2009-02-23 16:28 . 2009-02-23 16:28 705 --a------ C:\desae.exe
2009-02-23 16:28 . 2009-02-23 16:28 2 --a------ C:\-1938404523

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-06 23:45 34 ----a-w c:\documents and settings\Jan Fair\jagex_runescape_preferences.dat
2009-02-23 21:28 8,688 ----a-w c:\windows\system32\drivers\sptd.sys
2009-02-16 17:17 --------- d-----w c:\documents and settings\Jan Fair\Application Data\ArcSoft
2009-02-06 23:11 --------- d-----w c:\program files\YouTring
2009-01-30 02:29 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-30 02:27 --------- d-----w c:\documents and settings\All Users\Application Data\ArcSoft
2009-01-29 01:32 --------- d-----w c:\program files\Common Files\ArcSoft
2009-01-29 01:30 --------- d-----w c:\program files\Kodak
2009-01-21 21:11 --------- d-----w c:\program files\Jnes 0.5.3
2009-01-14 00:24 --------- d-----w c:\program files\Dynex Wireless Enhanced G Desktop card - DX-WGPDTC
2009-01-14 00:24 --------- d-----w c:\program files\Broadcom
2008-02-21 02:53 67,168 -c--a-w c:\documents and settings\Jan Fair\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-03-06_15.33.33.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-02-22 21:47:05 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
+ 2009-03-06 23:44:58 315,392 ----a-w c:\windows\.jagex_cache_32\runescape\jogl.dll
- 2009-02-22 21:47:05 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2009-03-06 23:44:58 20,480 ----a-w c:\windows\.jagex_cache_32\runescape\jogl_awt.dll
+ 2009-03-07 08:16:13 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6c4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-10 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2002-12-03 212992]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"PCLEUSBTip"="c:\program files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe" [BU]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-10-12 1282048]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"Ufiluzupija"="c:\windows\Ejefuj.dll" [2009-02-23 39936]
"Fduvuhoxa"="c:\windows\ikizejowe.dll" [2009-03-03 131584]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"BCMSMMSG"="BCMSMMSG.exe" [2002-05-16 c:\windows\BCMSMMSG.exe]
"nwiz"="nwiz.exe" [2007-12-05 c:\windows\SYSTEM32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G Desktop Card Adapter\DynexWCUI.exe [2008-10-07 1454080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ctmp3"= c:\windows\System32\ctmp3.acm

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uvsync.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v2 Smart Wizard.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v2 Smart Wizard.lnk
backup=c:\windows\pss\NETGEAR WG111v2 Smart Wizard.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jan Fair^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Jan Fair\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jan Fair^Start Menu^Programs^Startup^Metacafe.lnk]
path=c:\documents and settings\Jan Fair\Start Menu\Programs\Startup\Metacafe.lnk
backup=c:\windows\pss\Metacafe.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jan Fair^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Jan Fair\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKLM\~\startupfolder\c:^documents and settings^jan fair^start menu^programs^startup^youtring.lnk]
path=c:\documents and settings\Jan Fair\Start Menu\Programs\Startup\YouTring.lnk
backup=c:\windows\pss\YouTring.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-02-10 17:15 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2008-01-03 11:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a--c--- 2002-09-24 23:00 290816 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-12-04 08:00 79224 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 02:56 15360 c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
-ra------ 2002-08-14 19:22 28672 c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a--c--- 2005-05-11 22:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-30 09:47 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Manager]
--a--c--- 2002-09-04 10:36 53248 c:\progra~1\LEXMAR~1\AcBtnMgr_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X84-X85 Button Monitor]
--a--c--- 2002-08-23 15:50 40960 c:\progra~1\LEXMAR~1\ACMonitor_X84-X85.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
--a--c--- 2002-09-06 19:15 192512 c:\program files\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
--a------ 2002-09-04 11:28 151552 c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2002-07-16 08:21 28672 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-12-05 01:41 8523776 c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-12-05 01:41 81920 c:\windows\SYSTEM32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrinTray]
--a--c--- 2002-09-18 22:52 36864 c:\windows\SYSTEM32\SPOOL\DRIVERS\W32X86\3\printray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a--c--- 2007-09-13 08:53 185632 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 02:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2002-05-16 19:36 65536 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-12-05 01:41 1626112 c:\windows\SYSTEM32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Microsoft Games\\Halo\\halo.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\CRack\\NAT.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\YouTring\\Phone.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Dynex DX-WGPDTC WLService;Dynex Wireless Enhanced G Desktop card - DX-WGPDTC Service;c:\program files\Dynex Wireless Enhanced G Desktop card - DX-WGPDTC\WLService.exe [2009-01-13 49152]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-11-12 24652]
S1 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\SYSTEM32\DRIVERS\wg111v2.sys [2009-02-23 8688]
S1 uvsync;Frequency UV-SynCPU;c:\windows\SYSTEM32\uvsync.sys [2009-02-23 8688]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;c:\windows\SYSTEM32\DRIVERS\libusb0.sys [2008-06-02 29184]
S3 NaiFiltr;NaiFiltr;c:\windows\SYSTEM32\DRIVERS\NaiFiltr.sys [2003-02-03 23296]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0d809ea-e9b1-11dd-be71-0007e9d98ebc}]
\Shell\AutoRun\command - G:\MI.exe
.
Contents of the 'Scheduled Tasks' folder

2009-02-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-02-06 c:\windows\Tasks\LIFECHAT_MSN_MESSENGER_INSTALL_WEB_PAGE.job
- ????????????? ?!?????????????????!??Iurl.dll,OpenURL http://go.microsoft.com/fwlink/?linkId=577...d=0x409?????Jan Fair????????????????? []

2009-03-07 c:\windows\Tasks\McAfee.com Update Check (DB303D21-Jan Fair).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 11:28]

2009-03-07 c:\windows\Tasks\McAfee.com Update Check (DB303D21-Jan Fair).job
- c:\progra~1\McAfee.com\Agent [2007-12-03 07:43]

2009-03-07 c:\windows\Tasks\McAfee.com Update Check (DB303D21-Owner).job
- c:\progra~1\McAfee.com\Agent\mcupdate.exe [2002-09-04 11:28]

2009-03-07 c:\windows\Tasks\McAfee.com Update Check (DB303D21-Owner).job
- c:\progra~1\McAfee.com\Agent [2007-12-03 07:43]
.
- - - - ORPHANS REMOVED - - - -

Notify-utsync - utsync.dll
MSConfigStartUp-AdVantage - c:\program files\AdVantage\AdVantage.exe
MSConfigStartUp-ConMgr - c:\program files\EarthLink 5.0\ConMgr.exe
MSConfigStartUp-DAEMON Tools - c:\program files\DAEMON Tools\daemon.exe
MSConfigStartUp-diagent - c:\program files\Creative\SBLive\Diagnostics\diagent.exe
MSConfigStartUp-dvd43 - c:\program files\dvd43\dvd43_tray.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_02\bin\jusched.exe
MSConfigStartUp-WhenUSearch - c:\program files\DAEMON Tools SearchBar\Search.exe
MSConfigStartUp-ATIModeChange - Ati2mdxx.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.daemon-search.com/startpage
mStart Page = hxxp://www.dellnet.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = hxxp://www.google.com;;*.local
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jan Fair\Application Data\Mozilla\Firefox\Profiles\davhpuz8.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/redirector/sredir?sredir=2706&query={searchTerms}&invocationType=tb50fftrie7
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://en-US.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.aol.com/aolcom/search?invocationType=tb50fftrab&query=
FF - component: c:\documents and settings\Jan Fair\Application Data\Mozilla\Firefox\Profiles\davhpuz8.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Jan Fair\Application Data\Mozilla\Firefox\Profiles\davhpuz8.default\extensions\{7378B8C2-FC38-41b8-A8C9-875D1F5B0A24}\components\NativeComponent.dll
FF - component: c:\documents and settings\Jan Fair\Application Data\Mozilla\Firefox\Profiles\davhpuz8.default\extensions\{7affbfae-c4e2-4915-8c0f-00fa3ec610a1}\components\WinampPlayer.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 03:16:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DwlClient = c:\program files\Common Files\Dell\EUSW\Support.exe?l?e?s?\?D?e?l?l?\?E?U?S?W?\?S?u?p?p?o?r?t?.?e?x?e???????X:??h???x???`???X??? ???????`???P???? ?w? ?w)??p????????(???}????U?w????????????0??????w, ?w?M?wW??w???w)??p????????x'@?????????X????????"@?e?????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d0a39fef]
"ImagePath"="\SystemRoot\System32\drivers\d0a39fef.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-3476394810-1662388437-3738621541-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:93,6c,3c,92,47,c8,0f,9e,bf,db,42,77,9e,32,43,57,b5,48,b7,49,5e,67,3f,
08,c9,45,77,55,fd,48,e4,16,16,d2,93,61,9d,25,9a,06,65,9c,46,dc,d9,31,1d,30,\
"??"=hex:35,fc,c6,3d,c9,02,ad,db,37,1f,61,de,0f,33,8f,50

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,9d,ac,50,7b,99,
b4,dc,b3,e2,63,26,f1,3f,c8,ff,68,56,fc,cb,ed,ef,8d,aa,06,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:6a,9c,d6,61,af,45,84,18,ab,30,6f,fd,c8,
85,11,10,6a,9c,d6,61,af,45,84,18,94,84,69,a1,a0,20,b6,72,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,9a,7b,c3,27,7e,
5f,92,f0,ff,7c,85,e0,43,d4,0e,fe,f9,c7,a9,05,18,5b,b4,0c,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,81,8f,06,15,7a,
37,ca,c7,86,8c,21,01,be,91,eb,e7,d0,ce,78,33,ca,3e,a7,af,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,05,32,c9,60,6a,
23,6b,57,f5,1d,4d,73,a8,13,5c,05,43,5d,5d,cc,cb,22,8d,89,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,a1,a0,53,50,24,
a3,9c,02,df,20,58,62,78,6b,cf,c8,eb,98,1c,21,ce,02,bb,a2,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:fb,a7,78,e6,12,2f,9a,ea,3a,bc,a2,78,b3,
91,e0,c2,fb,a7,78,e6,12,2f,9a,ea,b3,25,eb,d6,02,50,44,c8,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:01,3a,48,fc,e8,04,4a,f1,aa,5d,ef,9e,ec,
10,ce,1f,01,3a,48,fc,e8,04,4a,f1,0f,01,6d,0b,c6,cf,81,98,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,0d,3c,5b,f7,6f,
de,e1,f7,f6,0f,4e,58,98,5b,89,c9,0a,1f,96,33,25,8e,30,05,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,c1,90,e6,f9,be,
9e,71,8a,3d,ce,ea,26,2d,45,aa,78,9b,12,9d,8e,45,76,e8,f3,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,4b,d5,9c,81,dd,
09,34,ee,2a,b7,cc,b5,b9,7f,41,e7,ab,f2,fd,1f,96,46,a8,2e,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,3f,c0,ae,d5,95,
64,57,e6,6c,43,2d,1e,aa,22,2f,9c,a5,3a,55,8c,1c,ae,5d,7e,6c,43,2d,1e,aa,22,\
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\WLTRYSVC.EXE
c:\windows\SYSTEM32\BCMWLTRY.EXE
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Dynex Wireless Enhanced G Desktop card - DX-WGPDTC\WLanCfgG.exe
c:\windows\SYSTEM32\nvsvc32.exe
c:\windows\SYSTEM32\MsPMSPSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\SYSTEM32\wscntfy.exe
c:\windows\SYSTEM32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-03-07 3:22:37 - machine was rebooted [Jan Fair]
ComboFix-quarantined-files.txt 2009-03-07 08:22:34

Pre-Run: 26,859,040,768 bytes free
Post-Run: 26,847,027,200 bytes free

359 --- E O F --- 2009-02-12 08:01:57

#15 bamajim

bamajim

  • Members
  • 894 posts
  • OFFLINE
  • Local time:04:53 PM

Posted 09 March 2009 - 10:07 AM

Jesse.James

We still have a little work to do.

1. Open NotePad (not wordpad). Copy and paste the following into Notepad

Driver::
uvsync

File::
c:\windows\ikizejowe.dll
C:\itamcndf.exe
C:\cxfagn.exe
c:\windows\Ejefuj.dll
C:\cwxwwgtl.exe
C:\pfkik.exe
c:\windows\SYSTEM32\uvsync.sys
C:\desae.exe
C:\-1938404523

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ufiluzupija"=-
"Fduvuhoxa"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0d809ea-e9b1-11dd-be71-0007e9d98ebc}]

Save the file as CFScript (exactly as shown, no spaces) ->> Save it to your Desktop

Using the Image as a reference, drag CFScript into ComboFix.exe

You will be prompted to run Combofix again. Do so,
following the same rules as indicated in my first post.
Then post the contents of the C:\ComboFix.txt log in your reply.

Microsoft MVP - Windows Security
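As an added example (not code from this thread, from ComboFix, or from its authors): a small Python triage helper that parses the "Files Created" rows and the [...\Run] block of a ComboFix log like the one posted above, flags Run values that load a freshly created file plus binaries dropped straight into C:\ or C:\Windows, and emits the File:: and Registry:: stanzas in the CFScript layout bamajim uses. The two flagging rules are this example's own assumptions, not ComboFix logic (a driver such as uvsync.sys, removed above via Driver::, is outside its scope), and the sample lines are copied from the log in the thread.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the "Files Created" rows and Run-key lines from the log above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 )))))))))))))))))))))))))))))))
.
2009-03-03 20:36 . 2009-03-03 20:37 131,584 --a------ c:\windows\ikizejowe.dll
2009-02-24 19:51 . 2009-02-24 19:51 <DIR> d-------- c:\documents and settings\Administrator
2009-02-23 16:28 . 2009-02-23 16:28 81,920 --a------ C:\itamcndf.exe
2009-02-23 16:28 . 2009-02-23 16:28 39,936 --a------ c:\windows\Ejefuj.dll
2009-02-23 16:28 . 2009-02-23 16:28 8,688 --a------ c:\windows\SYSTEM32\uvsync.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Ufiluzupija"="c:\windows\Ejefuj.dll" [2009-02-23 39936]
"Fduvuhoxa"="c:\windows\ikizejowe.dll" [2009-03-03 131584]
"BCMSMMSG"="BCMSMMSG.exe" [2002-05-16 c:\windows\BCMSMMSG.exe]
"""

# A "Files Created" row: created . modified  size|<DIR>  attributes  path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(<DIR>|[\d,]+) (\S{9}) (.+)$")
RUN_KEY = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)  # [...\Run] header
RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]*)"')                   # "Name"="target" [...]
# Heuristic (this example's own assumption): a binary dropped straight into C:\ or C:\Windows
DROP_ROOTS = {"c:", "c:\\windows"}
BINARY_EXT = {".exe", ".dll", ".sys", ".bin", ""}  # "" = no extension, like C:\-1938404523

CreatedFile = namedtuple("CreatedFile", "created modified size attrs path")  # size None for <DIR>
RunEntry = namedtuple("RunEntry", "key name target")

def norm(path):
    return path.strip().lower()  # Windows paths compare case-insensitively

def parse_combofix(text):
    """Pull the 'Files Created' rows and every [...\\Run] value out of a ComboFix log."""
    files, runs = [], []
    in_files, current_key = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if "Files Created" in line:
            in_files = True
            continue
        if line.startswith("(((("):  # any other banner closes the files section
            in_files = False
        if in_files:
            m = FILE_LINE.match(line)
            if m:
                size = None if m[3] == "<DIR>" else int(m[3].replace(",", ""))
                files.append(CreatedFile(m[1], m[2], size, m[4], m[5]))
            continue
        k = RUN_KEY.match(line)
        if k:
            current_key = k[1]
            continue
        if not line:  # ComboFix separates registry blocks with a blank line
            current_key = None
            continue
        v = RUN_VALUE.match(line)
        if current_key and v:
            runs.append(RunEntry(current_key, v[1], v[2]))
    return files, runs

def triage(files, runs):
    """Flag Run values that load a freshly created file, plus binaries dropped at a drop root."""
    created = {norm(f.path): f for f in files if f.size is not None}
    sus_runs = [r for r in runs if norm(r.target) in created]
    loaded = {norm(r.target) for r in sus_runs}
    sus_files = []
    for p, f in created.items():
        parent, _, name = p.rpartition("\\")
        ext = name[name.rfind("."):] if "." in name else ""
        if p in loaded or (parent in DROP_ROOTS and ext in BINARY_EXT):
            sus_files.append(f)
    return sus_files, sus_runs

def build_cfscript(sus_files, sus_runs):
    """Emit the File:: and Registry:: stanzas in the CFScript layout used in the thread."""
    lines = ["File::"] + [f.path for f in sus_files] + [""]
    if sus_runs:
        lines.append("Registry::")
        for key in sorted({r.key for r in sus_runs}):
            lines.append("[%s]" % key)
            lines += ['"%s"=-' % r.name for r in sus_runs if r.key == key]
    return "\n".join(lines)

if __name__ == "__main__":
    print(build_cfscript(*triage(*parse_combofix(SAMPLE_LOG))))
```

Run against the sample it flags the two random-named DLLs loaded from HKLM\...\Run and the executable dropped at C:\, and leaves the QuickTime and Broadcom entries alone; review the output by hand before pasting anything into a real CFScript.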



