
Badly infected with virus hjt link inside


9 replies to this topic

#1 makaveli3005

makaveli3005

  • Members
  • 107 posts
  • OFFLINE
  • Local time:11:28 PM

Posted 07 March 2009 - 09:35 AM

I have this virus: I keep getting popup block ads instead of the webpage I want to view. Also, my computer has slowed down to where, when I type something, only a few of the letters make it to the screen and I have to retype it.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:33, on 2009-03-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Valued Customer\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: blueskyadagency - {417f4744-a886-7ad1-0dcf-343701718155} - C:\WINDOWS\system32\nsiF66.dll
O2 - BHO: TBSB05288 - {6714ADBD-C6C1-42A8-BD84-9C9339059421} - C:\Program Files\IEToolbar\ECO Bar\ecobar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: blueskyadagency browser enhancer - {C1F2BBD6-1DFF-B6F4-DCCC-DA3B74648D1A} - C:\WINDOWS\system32\dciryqzjalpgp.dll
O2 - BHO: BHO - {C9C42510-9B21-41c1-9DCD-8382A2D07C61} - C:\WINDOWS\system32\iehelper.dll (file missing)
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: ECO Bar - {10000000-1000-1000-1000-100000000000} - C:\Program Files\IEToolbar\ECO Bar\ecobar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [hrlhrsvc] "C:\WINDOWS\system32\hrlhrsvc.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [xmdjyebypbn] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\dciryqzjalpgp.dll"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe
O4 - HKCU\..\Run: [DriverUpdaterPro] C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe -t
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [autochk] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16
O4 - HKCU\..\Run: [system tool] C:\WINDOWS\sysguard.exe
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Startup: p2pmax.lnk = C:\Program Files\p2pmax\p2pmax.exe
O4 - Startup: ppcb_32.lnk = C:\Program Files\ppcbooster\ppcb_32.exe
O4 - Startup: runit_32.lnk = C:\Program Files\runit\runit_32.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200612...ex/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/instal...llMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: geBrsTNH - geBrsTNH.dll (file missing)
O20 - Winlogon Notify: iifeefd - iifeefd.dll (file missing)
O21 - SSODL: mpfanvqg - {AEAC12A0-9342-4D7B-BC25-BB09BA2195CB} - C:\WINDOWS\mpfanvqg.dll (file missing)
O21 - SSODL: vbksrofa - {71DE5F20-F659-4D48-8469-35CAAE32BB1B} - C:\WINDOWS\vbksrofa.dll (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Internet Explorer\prohdyxe.html
O24 - Desktop Component 1: (no name) - C:\Program Files\ComPlus Applications\prohdyxe.html

--
End of file - 10812 bytes




This is the popup block ad I get every time I try to view a page:

http://browser-security.microsoft.com/block.php?r=21.0

I also did a ComboFix run:


"Valued Customer" - 2009-03-07 9:06:54 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\iehelper.dll
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1


((((((((((((((((((((((((((((((( Files Created from 2009-02-07 to 2009-03-07 ))))))))))))))))))))))))))))))))))


2009-03-06 18:03 364,560 --a------ C:\WINDOWS\sysguard.exe
2009-03-04 09:48 618,496 --a------ C:\WINDOWS\system32\nsiF66.dll
2009-03-01 10:28 22,016 --ahs---- C:\DOCUME~1\NETWOR~1\protect.dll
2009-02-28 10:39 22,016 --ahs---- C:\DOCUME~1\LOCALS~1\protect.dll
2009-02-28 07:38 22,016 --ahs---- C:\DOCUME~1\Mom\protect.dll
2009-02-27 21:08 22,016 --ahs---- C:\WINDOWS\system32\autochk.dll
2009-02-27 21:08 22,016 --ahs---- C:\DOCUME~1\VALUED~1\protect.dll
2009-02-12 17:36 93,696 --a------ C:\WINDOWS\bffe0705.exe
2009-02-12 17:36 905,670 --a------ C:\WINDOWS\nxqva14688.exe
2009-02-12 17:36 85,675 --a------ C:\WINDOWS\system32\0fcc2113-3ef7-a213-e810-86de6c72526e.exe
2009-02-12 17:36 85,460 --a------ C:\WINDOWS\iaas24625.exe
2009-02-12 17:36 69,697 --a------ C:\WINDOWS\mlvh55713.exe
2009-02-12 17:36 56,320 --a------ C:\WINDOWS\anqwu72278.exe
2009-02-12 17:36 481,792 --a------ C:\WINDOWS\rgmonsvc.exe
2009-02-12 17:36 48,287 --a------ C:\WINDOWS\system32\khwhaqezgt.exe
2009-02-12 17:36 4,623,480 --a------ C:\WINDOWS\eojf63317.exe
2009-02-12 17:36 347,019 --a------ C:\WINDOWS\khlbn5564.exe
2009-02-12 17:36 32,768 --a------ C:\WINDOWS\ulpp61230.exe
2009-02-12 17:36 28,672 --a------ C:\WINDOWS\ncek02072.exe
2009-02-12 17:36 184,696 --a------ C:\WINDOWS\jsqdn1023.exe
2009-02-12 17:36 142,607 --a------ C:\WINDOWS\beciq01263.exe
2009-02-12 17:36 10,752 --a------ C:\WINDOWS\utvor16607.exe
2009-02-12 17:36 1,466,368 --a------ C:\WINDOWS\system32\hrlhrsvc.exe
2009-02-12 17:36 <DIR> d-------- C:\Program Files\runit
2009-02-12 17:36 <DIR> d-------- C:\Program Files\ppcbooster
2009-02-12 17:36 <DIR> d-------- C:\Program Files\p2pmax
2009-02-12 17:36 <DIR> d-------- C:\Program Files\IEToolbar


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-03-07 14:11:39 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA
2009-03-07 14:01:38 -------- d-----w C:\Program Files\DNA
2009-03-03 00:39:24 296,448 ----a-w C:\WINDOWS\system32\dciryqzjalpgp.dll
2009-02-28 02:41:06 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent
2009-02-23 17:03:24 -------- d-----w C:\Program Files\you already know
2009-02-12 21:53:06 -------- d-----w C:\Program Files\mIRC


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4efb-9B51-7695ECA05670}=C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-07-28 05:47]
{417f4744-a886-7ad1-0dcf-343701718155}=C:\WINDOWS\system32\nsiF66.dll [2009-03-04 09:48]
{6714ADBD-C6C1-42A8-BD84-9C9339059421}=C:\Program Files\IEToolbar\ECO Bar\ecobar.dll [2008-08-14 15:57]
{C1F2BBD6-1DFF-B6F4-DCCC-DA3B74648D1A}=C:\WINDOWS\system32\dciryqzjalpgp.dll [2009-03-02 19:39]
{C9C42510-9B21-41c1-9DCD-8382A2D07C61}=C:\WINDOWS\system32\iehelper.dll []
{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}=C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll [2008-07-28 05:47]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 15:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 21:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 14:09]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 19:12]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-10-01 17:57]
"hrlhrsvc"="C:\WINDOWS\system32\hrlhrsvc.exe" [2009-02-12 17:36]
"autochk"="C:\WINDOWS\system32\autochk.dll" [2009-03-01 21:38]
"xmdjyebypbn"="C:\WINDOWS\System32\regsvr32.exe" [2006-02-28 07:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 18:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2008-05-13 20:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 07:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 07:59]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 22:25]
"mdm"="C:\WINDOWS\mdm.exe" []
"DriverUpdaterPro"="C:\Program Files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe" [2008-09-19 16:55]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-12-19 11:17]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 12:39]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 22:06]
"Messenger (Yahoo!)"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 21:59]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"autochk"="C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@16" []
"system tool"="C:\WINDOWS\sysguard.exe" [2009-03-06 18:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"HonorAutoRunSetting"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-28 07:59]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{AEAC12A0-9342-4D7B-BC25-BB09BA2195CB}"="C:\WINDOWS\mpfanvqg.dll" []
"{71DE5F20-F659-4D48-8469-35CAAE32BB1B}"="C:\WINDOWS\vbksrofa.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBrsTNH]
geBrsTNH.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\PSEXESVC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe


Contents of the 'Scheduled Tasks' folder
2009-03-03 17:43:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2009-03-07 14:04:34 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-07 09:17:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2009-03-07 9:19:40
C:\ComboFix-quarantined-files.txt ... 2009-03-07 09:19
C:\ComboFix2.txt ... 2008-05-11 19:46
C:\ComboFix3.txt ... 2008-04-26 11:44

--- E O F ---



#2 makaveli3005

makaveli3005
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:11:28 PM

Posted 08 March 2009 - 10:22 AM

Anyone know what's wrong??

#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:12:28 AM

Posted 08 March 2009 - 10:25 AM

Hello makaveli3005

Welcome to BleepingComputer
========================

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt
Attach.txt.
================
Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.

#4 makaveli3005

makaveli3005
  • Topic Starter

  • Members
  • 107 posts
  • OFFLINE
  • Local time:11:28 PM

Posted 18 March 2009 - 12:57 PM

DDS (Ver_09-03-16.01) - NTFSx86
Run by Valued Customer at 22:24:21.50 on 2009-03-16
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1338 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hrlhrsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ppcbooster\ppcb_32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Valued Customer\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: blueskyadagency: {417f4744-a886-7ad1-0dcf-343701718155} - c:\windows\system32\nsiF66.dll
BHO: TBSB05288 Class: {6714adbd-c6c1-42a8-bd84-9c9339059421} - c:\program files\ietoolbar\eco bar\ecobar.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Browser Helper Object: {afd4ad01-58c1-47db-a404-fbe00a6c5486} - c:\program files\common\helper.dll
BHO: blueskyadagency browser enhancer: {c1f2bbd6-1dff-b6f4-dccc-da3b74648d1a} - c:\windows\system32\dciryqzjalpgp.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
TB: ECO Bar: {10000000-1000-1000-1000-100000000000} - c:\program files\ietoolbar\eco bar\ecobar.dll
uRun: [AIM] c:\program files\aim\aim.exe -cnetwait.odl
uRun: [Orb] "c:\program files\orb networks\orb\bin\OrbTray.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [logo link] c:\docume~1\valued~1\applic~1\findok~1\Hold Log.exe
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [mdm] c:\windows\mdm.exe
uRun: [DriverUpdaterPro] c:\program files\xpc tools\driver updater pro\DriverUpdaterPro.exe -t
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [autochk] rundll32.exe c:\docume~1\networ~1\protect.dll,_IWMPEvents@16
uRun: [system tool] c:\windows\sysguard.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton antivirus\osCheck.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [hrlhrsvc] "c:\windows\system32\hrlhrsvc.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [xmdjyebypbn] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\dciryqzjalpgp.dll"
StartupFolder: c:\documents and settings\valued customer\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\valued~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\valued~1\startm~1\programs\startup\p2pmax.lnk - c:\program files\p2pmax\p2pmax.exe
StartupFolder: c:\docume~1\valued~1\startm~1\programs\startup\ppcb_32.lnk - c:\program files\ppcbooster\ppcb_32.exe
StartupFolder: c:\docume~1\valued~1\startm~1\programs\startup\runit_32.lnk - c:\program files\runit\runit_32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
uPolicies-system: DisableRegedit = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} - hxxp://h30155.www3.hp.com/ediags/dd/install/HPInstallMgr_v01_5.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
TCP: {6CE3FB5E-A75E-430E-8347-262B2620F726} = 192.9.9.3
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: geBrsTNH - geBrsTNH.dll
Notify: iifeefd - iifeefd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: mpfanvqg - {AEAC12A0-9342-4D7B-BC25-BB09BA2195CB} - c:\windows\mpfanvqg.dll
SSODL: vbksrofa - {71DE5F20-F659-4D48-8469-35CAAE32BB1B} - c:\windows\vbksrofa.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2006-9-3 108648]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-12-27 176128]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-12-27 13532]
R3 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-4-2 1252232]
S1 ipfltdrvv;ipfltdrvv;c:\windows\system32\drivers\ipfltdrvv.sys --> c:\windows\system32\drivers\ipfltdrvv.sys [?]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [2006-12-27 5824]

=============== Created Last 30 ================

2009-03-16 21:33 268 a---h--- C:\sqmdata14.sqm
2009-03-16 21:33 244 a---h--- C:\sqmnoopt14.sqm
2009-03-16 21:28 268 a---h--- C:\sqmdata13.sqm
2009-03-16 21:28 244 a---h--- C:\sqmnoopt13.sqm
2009-03-16 21:28 <DIR> --d----- C:\ComboFix
2009-03-16 21:28 388,608 a------- c:\windows\system32\CF21508.exe
2009-03-15 23:46 268 a---h--- C:\sqmdata12.sqm
2009-03-15 23:46 244 a---h--- C:\sqmnoopt12.sqm
2009-03-15 11:16 268 a---h--- C:\sqmdata11.sqm
2009-03-15 11:16 244 a---h--- C:\sqmnoopt11.sqm
2009-03-13 17:24 268 a---h--- C:\sqmdata10.sqm
2009-03-13 17:24 244 a---h--- C:\sqmnoopt10.sqm
2009-03-13 16:29 <DIR> --d----- c:\program files\Common
2009-03-11 08:42 268 a---h--- C:\sqmdata09.sqm
2009-03-11 08:42 244 a---h--- C:\sqmnoopt09.sqm
2009-03-07 10:19 428,032 a------- c:\windows\system32\swreg.exe
2009-03-07 10:19 212,480 a------- c:\windows\system32\swxcacls.exe
2009-03-07 10:19 86,528 a------- c:\windows\catchme.exe
2009-03-07 10:19 49,152 a------- c:\windows\system32\vfind.exe
2009-03-07 10:04 268 a---h--- C:\sqmdata08.sqm
2009-03-07 10:04 244 a---h--- C:\sqmnoopt08.sqm
2009-03-06 19:03 364,560 a------- c:\windows\sysguard.exe
2009-03-04 10:48 618,496 a------- c:\windows\system32\nsiF66.dll
2009-03-01 22:39 268 a---h--- C:\sqmdata07.sqm
2009-03-01 22:39 244 a---h--- C:\sqmnoopt07.sqm
2009-02-27 22:08 22,016 a--sh--- c:\windows\system32\autochk.dll
2009-02-27 22:08 22,016 a--sh--- c:\documents and settings\valued customer\protect.dll
2009-02-23 21:12 268 a---h--- C:\sqmdata06.sqm
2009-02-23 21:12 244 a---h--- C:\sqmnoopt06.sqm
2009-02-23 05:08 268 a---h--- C:\sqmdata05.sqm
2009-02-23 05:08 244 a---h--- C:\sqmnoopt05.sqm

==================== Find3M ====================

2009-03-16 11:40 48,285 a------- c:\windows\system32\khwhaqezgt.exe
2009-03-16 10:32 388,608 a------- c:\windows\system32\dciryqzjalpgp.dll
2009-03-06 19:53 85,675 a------- c:\windows\system32\0fcc2113-3ef7-a213-e810-86de6c72526e.exe
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2008-12-20 19:15 826,368 a------- c:\windows\system32\wininet.dll
2008-10-30 17:09 10,240 ac-sh--- c:\program files\Thumbs.db
2008-02-28 00:57 247,080,410 a------- c:\documents and settings\valued customer\DJ Tiesto-In Search Of Sunrise 4-2CD-2005 .(By.Taken).[WwW.emulebit.CoM].zip
2007-01-18 21:30 6,895,942 ac------ c:\program files\Textbook.pdf
2007-01-11 04:10 1,035,271 a------- c:\program files\wrar362.exe
2007-01-07 22:11 25,085,540 a------- c:\program files\SUPERsetup.exe
2007-01-06 18:23 13,338,496 a------- c:\program files\Orb20SetupUs.exe
2007-01-05 22:46 16,179,264 a------- c:\program files\DivXInstaller.exe
2007-01-02 00:56 359,112 a------- c:\program files\LimeWireWin.exe
2006-05-03 06:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2007-04-02 15:53 118,784 a--shr-- c:\windows\system32\msgnmsger.exe

============= FINISH: 22:24:31.89 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 2006-12-27 08:43:31
System Uptime: 2009-03-16 21:30:20 (1 hours ago)

Motherboard: ASUSTeK Computer INC. | | P5W DH Deluxe
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | LGA 775 | 2137/266mhz
Processor: Intel® Core™2 CPU 6400 @ 2.13GHz | LGA 775 | 2137/266mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 466 GiB total, 156.472 GiB free.
D: is CDROM ()
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP921: 2008-12-17 08:34:58 - System Checkpoint
RP922: 2008-12-18 03:00:15 - Software Distribution Service 3.0
RP923: 2008-12-18 11:42:10 - Software Distribution Service 3.0
RP924: 2008-12-19 12:31:46 - System Checkpoint
RP925: 2008-12-20 13:50:45 - System Checkpoint
RP926: 2008-12-21 15:23:22 - System Checkpoint
RP927: 2008-12-22 15:31:46 - System Checkpoint
RP928: 2008-12-22 16:44:14 - Software Distribution Service 3.0
RP929: 2008-12-23 17:56:12 - System Checkpoint
RP930: 2008-12-24 18:53:48 - System Checkpoint
RP931: 2008-12-25 19:31:39 - System Checkpoint
RP932: 2008-12-25 23:51:09 - Software Distribution Service 3.0
RP933: 2008-12-27 00:31:38 - System Checkpoint
RP934: 2008-12-28 01:02:11 - System Checkpoint
RP935: 2008-12-29 01:03:16 - System Checkpoint
RP936: 2008-12-29 14:33:01 - Software Distribution Service 3.0
RP937: 2008-12-30 15:02:11 - System Checkpoint
RP938: 2008-12-31 16:37:51 - System Checkpoint
RP939: 2009-01-01 17:02:11 - System Checkpoint
RP940: 2009-01-02 00:36:31 - Software Distribution Service 3.0
RP941: 2009-01-03 01:14:11 - System Checkpoint
RP942: 2009-01-04 02:24:09 - System Checkpoint
RP943: 2009-01-05 05:57:35 - System Checkpoint
RP944: 2009-01-05 21:00:35 - Software Distribution Service 3.0
RP945: 2009-01-06 21:13:55 - System Checkpoint
RP946: 2009-01-07 21:15:57 - System Checkpoint
RP947: 2009-01-08 22:01:55 - System Checkpoint
RP948: 2009-01-09 03:19:52 - Software Distribution Service 3.0
RP949: 2009-01-10 04:01:55 - System Checkpoint
RP950: 2009-01-11 04:59:49 - System Checkpoint
RP951: 2009-01-12 05:59:49 - System Checkpoint
RP952: 2009-01-12 14:45:00 - Software Distribution Service 3.0
RP953: 2009-01-13 14:59:50 - System Checkpoint
RP954: 2009-01-14 15:00:55 - System Checkpoint
RP955: 2009-01-15 03:00:18 - Software Distribution Service 3.0
RP956: 2009-01-15 19:36:38 - Software Distribution Service 3.0
RP957: 2009-01-16 20:12:27 - System Checkpoint
RP958: 2009-01-17 20:14:21 - System Checkpoint
RP959: 2009-01-18 21:14:21 - System Checkpoint
RP960: 2009-01-19 22:08:27 - System Checkpoint
RP961: 2009-01-20 00:18:43 - Software Distribution Service 3.0
RP962: 2009-01-21 00:56:38 - System Checkpoint
RP963: 2009-01-22 01:11:16 - System Checkpoint
RP964: 2009-01-22 09:57:23 - Software Distribution Service 3.0
RP965: 2009-01-23 10:55:33 - System Checkpoint
RP966: 2009-01-24 12:21:56 - System Checkpoint
RP967: 2009-01-25 12:55:24 - System Checkpoint
RP968: 2009-01-26 13:12:31 - Software Distribution Service 3.0
RP969: 2009-01-27 13:34:19 - System Checkpoint
RP970: 2009-01-29 09:56:30 - System Checkpoint
RP971: 2009-01-29 19:37:53 - Software Distribution Service 3.0
RP972: 2009-01-30 20:19:05 - System Checkpoint
RP973: 2009-01-31 20:54:13 - System Checkpoint
RP974: 2009-02-01 21:53:13 - System Checkpoint
RP975: 2009-02-02 22:53:13 - System Checkpoint
RP976: 2009-02-03 06:02:48 - Software Distribution Service 3.0
RP977: 2009-02-04 06:55:10 - System Checkpoint
RP978: 2009-02-05 06:56:16 - System Checkpoint
RP979: 2009-02-05 18:07:03 - Software Distribution Service 3.0
RP980: 2009-02-06 18:49:46 - System Checkpoint
RP981: 2009-02-07 19:08:17 - System Checkpoint
RP982: 2009-02-08 19:38:09 - System Checkpoint
RP983: 2009-02-09 20:10:03 - System Checkpoint
RP984: 2009-02-09 21:17:17 - Software Distribution Service 3.0
RP985: 2009-02-10 22:11:30 - System Checkpoint
RP986: 2009-02-11 03:00:25 - Software Distribution Service 3.0
RP987: 2009-02-12 03:10:22 - System Checkpoint
RP988: 2009-02-13 03:12:29 - System Checkpoint
RP989: 2009-02-14 03:20:58 - System Checkpoint
RP990: 2009-02-15 03:26:23 - System Checkpoint
RP991: 2009-02-15 10:45:57 - Software Distribution Service 3.0
RP992: 2009-02-16 10:50:21 - System Checkpoint
RP993: 2009-02-17 07:07:45 - Software Distribution Service 3.0
RP994: 2009-02-18 07:24:24 - System Checkpoint
RP995: 2009-02-19 08:42:43 - System Checkpoint
RP996: 2009-02-19 14:58:11 - Software Distribution Service 3.0
RP997: 2009-02-20 15:41:21 - System Checkpoint
RP998: 2009-02-21 17:05:21 - System Checkpoint
RP999: 2009-02-22 17:23:07 - System Checkpoint
RP1000: 2009-02-23 17:26:45 - System Checkpoint
RP1001: 2009-02-24 04:43:03 - Software Distribution Service 3.0
RP1002: 2009-02-25 03:00:16 - Software Distribution Service 3.0
RP1003: 2009-02-26 03:11:25 - System Checkpoint
RP1004: 2009-02-26 14:46:41 - Software Distribution Service 3.0
RP1005: 2009-02-27 15:48:34 - System Checkpoint
RP1006: 2009-02-28 16:13:20 - System Checkpoint
RP1007: 2009-03-01 17:13:21 - System Checkpoint
RP1008: 2009-03-02 16:50:36 - Software Distribution Service 3.0
RP1009: 2009-03-03 17:45:06 - System Checkpoint
RP1010: 2009-03-04 17:46:49 - System Checkpoint
RP1011: 2009-03-05 18:45:07 - System Checkpoint
RP1012: 2009-03-06 00:05:51 - Software Distribution Service 3.0
RP1013: 2009-03-07 01:32:48 - System Checkpoint
RP1014: 2009-03-08 02:17:12 - System Checkpoint
RP1015: 2009-03-09 03:17:12 - System Checkpoint
RP1016: 2009-03-09 10:24:34 - Software Distribution Service 3.0
RP1017: 2009-03-10 06:01:12 - Software Distribution Service 3.0
RP1018: 2009-03-11 02:00:18 - Software Distribution Service 3.0
RP1019: 2009-03-12 02:33:42 - System Checkpoint
RP1020: 2009-03-13 14:55:38 - System Checkpoint
RP1021: 2009-03-14 15:39:44 - System Checkpoint
RP1022: 2009-03-15 00:00:35 - Software Distribution Service 3.0
RP1023: 2009-03-16 00:47:21 - System Checkpoint
RP1024: 2009-03-16 18:15:05 - Software Distribution Service 3.0

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Reader 8.1.1
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AOL Instant Messenger
AppCore
Apple Mobile Device Support
Apple Software Update
ASUS DH Remote
ASUS WiFi-AP Solo
AutoUpdate
AV
BitTorrent
Bonjour
ccCommon
CiD Help
Contextual Platform Blueskyadagency
CopySafe Plugin
Critical Update for Windows Media Player 11 (KB959772)
DivX Codec
DivX Content Uploader
DivX Player
DivX Web Player
DNA
DPS
ECO Bar
EVEREST Home Edition v2.20
Google Earth
High Definition Audio Driver Package - KB888111
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for MSXML 2 (KB887606)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB319740)
Hotfix for Windows XP (KB889527)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB897338)
Hotfix for Windows XP (KB898900)
Hotfix for Windows XP (KB903234)
Hotfix for Windows XP (KB904412)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB907865)
Hotfix for Windows XP (KB909095)
Hotfix for Windows XP (KB909394)
Hotfix for Windows XP (KB912461)
Hotfix for Windows XP (KB912817)
Hotfix for Windows XP (KB913538)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB917021)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB918093)
Hotfix for Windows XP (KB918766)
Hotfix for Windows XP (KB919071)
Hotfix for Windows XP (KB924867)
Hotfix for Windows XP (KB924941)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Driver Diagnostics
IsoBuster 2.2
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
LightScribe 1.4.89.1
LimeWire 4.18.6
LiveUpdate Notice (Symantec Corporation)
Magic ISO Maker v5.3 (build 0229)
Marvell Miniport Driver
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0
Microsoft ActiveSync
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Microsoft XML Parser
mIRC
MobileMe Control Panel
Movkit Batch Video Converter 2.8
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MultiTranse 4.3.1
Napster v2.0 BETA 7
Nero Suite
Norton AntiVirus (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
NVIDIA Drivers
Orb
P2P Max
PDF Settings
Performance Solution Blueskyadagency
PowerDVD
PowerISO
PPC Booster
QuickTime
Realtek High Definition Audio Driver
Run It
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Sid Meier's Civilization 4
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
SUPER Version 2007.bld.21 (Jan 4, 2007)
SUPERAntiSpyware Free Edition
Switch
Symantec
SymNet
Tibia
Ulead DVD MovieFactory 5 Plus
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb962871)
Update for Windows XP (KB897663)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB907265)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911164)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922120)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoLAN VLC media player 0.8.6d
WavePad Uninstall
WebFldrs XP
Windows Communication Foundation
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows PowerShell™ 1.0
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884883
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB894395
Windows XP Hotfix - KB896626
WinRAR archiver
World in Conflict
XML Paper Specification Shared Components Pack 1.0
Yahoo! Messenger
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

2009-03-11 02:19:30, error: Service Control Manager [7022] - The Windows Image Acquisition (WIA) service hung on starting.
2009-03-10 23:57:43, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.
2009-03-10 08:47:30, error: atapi [9] - The device, \Device\Ide\IdePort2, did not respond within the timeout period.

==== End Of File ===========================

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-17 07:43:03
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

SSDT 899F32F8 ZwConnectPort
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB78F9F20]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe[1236] kernel32.dll!SetUnhandledExceptionFilter 7C84480D 5 Bytes JMP 00413C60 C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe (Orb/Orb Networks)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] kernel32.dll!LoadLibraryExW + 36 7C801B27 5 Bytes JMP 0423D8B4 C:\Program Files\Common\helper.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!LoadCursorFromFileA + 5F6 7E454061 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!LoadCursorFromFileA + 8CD 7E454338 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] WS2_32.dll!send 71AB428A 6 Bytes PUSH 10003D34; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] WS2_32.dll!WSARecv 71AB4318 6 Bytes PUSH 10003B87; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] WS2_32.dll!recv 71AB615A 6 Bytes PUSH 10003C11; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2052] WS2_32.dll!WSASend 71AB6233 6 Bytes PUSH 10003CB8; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2076] kernel32.dll!LoadLibraryExW + 36 7C801B27 5 Bytes JMP 0429D8B4 C:\Program Files\Common\helper.dll
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!LoadCursorFromFileA + 5F6 7E454061 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!LoadCursorFromFileA + 8CD 7E454338 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2076] ws2_32.dll!send 71AB428A 6 Bytes PUSH 10003D34; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2076] ws2_32.dll!WSARecv 71AB4318 6 Bytes PUSH 10003B87; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2076] ws2_32.dll!recv 71AB615A 6 Bytes PUSH 10003C11; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2076] ws2_32.dll!WSASend 71AB6233 6 Bytes PUSH 10003CB8; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2552] kernel32.dll!LoadLibraryExW + 36 7C801B27 5 Bytes JMP 04BFD8B4 C:\Program Files\Common\helper.dll
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!LoadCursorFromFileA + 5F6 7E454061 5 Bytes [39, E0, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP }
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!LoadCursorFromFileA + 8CD 7E454338 7 Bytes [39, E0, 90, 90, 90, 90, 90] {CMP EAX, ESP; NOP ; NOP ; NOP ; NOP ; NOP }
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\internet explorer\iexplore.exe[2552] WS2_32.dll!send 71AB428A 6 Bytes PUSH 10003D34; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2552] WS2_32.dll!WSARecv 71AB4318 6 Bytes PUSH 10003B87; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2552] WS2_32.dll!recv 71AB615A 6 Bytes PUSH 10003C11; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\internet explorer\iexplore.exe[2552] WS2_32.dll!WSASend 71AB6233 6 Bytes PUSH 10003CB8; RET C:\WINDOWS\system32\autochk.dll
.text C:\Program Files\Orb Networks\Orb\bin\Orb.exe[2908] kernel32.dll!SetUnhandledExceptionFilter 7C84480D 5 Bytes JMP 00402CD0 C:\Program Files\Orb Networks\Orb\bin\Orb.exe (Orb Application/Orb Networks, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Valued Customer\Cookies\valued_customer@ads.quixsurf[2].txt 109 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\160x600[1].htm 233 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\ErrorPageTemplate[1] 2168 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\info_48[1] 6993 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\adopt[1].htm 871 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\background_gradient[2] 453 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\496e00e404b99[1].htm 555 bytes
File C:\Documents and Settings\Valued Customer\Local Settings\Temporary Internet Files\Content.IE5\DPN57HTT\httpErrorPagesScripts[1] 7579 bytes

---- EOF - GMER 1.0.15 ----

#5 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 18 March 2009 - 06:03 PM

Download this program:

submit files packer

Highlight the files listed below in bold, then right-click and select Copy.

c:\windows\system32\khwhaqezgt.exe
c:\windows\system32\0fcc2113-3ef7-a213-e810-86de6c72526e.exe



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to samples.

Click Here to upload the files please.
------------------------
Since you have run ComboFix before, please delete the version you have, then do the following:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#6 makaveli3005

makaveli3005
  • Topic Starter

  • Members
  • 107 posts

Posted 20 March 2009 - 01:50 PM

Computer seems much better now. Here's the ComboFix log. Also, when I start the computer up I get a file trying to open called p2pmax.exe.vir, but it can't find anything to open it.

ComboFix 09-03-19.02 - Valued Customer 2009-03-20 14:38:20.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1349 [GMT -4:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\Mom\protect.dll
c:\documents and settings\Mom\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Mom\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\NetworkService\protect.dll
c:\documents and settings\Valued Customer\protect.dll
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\ppcb_32.lnk
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\runit_32.lnk
c:\program files\Common\helper.dll
c:\program files\Common\helper.sig
c:\program files\IEToolbar
c:\program files\IEToolbar\ECO Bar\basis.xml
c:\program files\IEToolbar\ECO Bar\ecobar.dll
c:\program files\IEToolbar\ECO Bar\icons.bmp
c:\program files\IEToolbar\ECO Bar\info.txt
c:\program files\IEToolbar\ECO Bar\tbhelper.dll
c:\program files\IEToolbar\ECO Bar\uninstall.exe
c:\program files\IEToolbar\ECO Bar\version.txt
c:\program files\IEToolbar\ECO Bar\your_logo.png
c:\program files\p2pmax
c:\program files\p2pmax\p2pmax.exe
c:\program files\p2pmax\p2pmaxu.exe
c:\program files\ppcbooster
c:\program files\ppcbooster\ppcb_32.exe
c:\program files\ppcbooster\ppcbu_32.exe
c:\program files\runit
c:\program files\runit\config.txt
c:\program files\runit\runit_32.exe
c:\program files\runit\runitu_32.exe
c:\windows\sysguard.exe
c:\windows\system32\autochk.dll
c:\windows\system32\CMMGR32.EXE
c:\windows\system32\dciryqzjalpgp.dll
c:\windows\system32\utstv.ini
.
---- Previous Run -------
.
c:\documents and settings\Mom\Start Menu\Programs\Awola6
c:\documents and settings\Mom\Start Menu\Programs\Awola6\Awola Anti-Spyware 6.0.lnk
c:\documents and settings\Mom\Start Menu\Programs\Awola6\Uninstall Awola Anti-Spyware 6.0.lnk
c:\windows\BMef402ebd.txt
c:\windows\BMef402ebd.xml
c:\windows\cookies.ini
c:\windows\IE4 Error Log.txt
c:\windows\mdm.exe
c:\windows\pskt.ini
c:\windows\sysrlb32.exe
c:\windows\system32\app.exe
c:\windows\system32\bosghxuk.ini
c:\windows\system32\cbeflvfx.ini
c:\windows\system32\dfglncpo.ini
c:\windows\system32\dwshtajf.ini
c:\windows\system32\eumeicmo.ini
c:\windows\system32\fbpjwetm.ini
c:\windows\system32\ghnvfxce.ini
c:\windows\system32\gtv_sd.bin
c:\windows\system32\gvwelhos.ini
c:\windows\system32\kcdtghue.ini
c:\windows\system32\lclcfg32.ini
c:\windows\system32\lfd32.ini
c:\windows\system32\mcrh.tmp
c:\windows\system32\micro1
c:\windows\system32\mprCdMoq.ini
c:\windows\system32\mprCdMoq.ini2
c:\windows\system32\MSINET.oca
c:\windows\system32\muhsiqqx.ini
c:\windows\system32\rphrubcu.ini
c:\windows\system32\sl.bin
c:\windows\system32\socukief.ini
c:\windows\system32\stfv.bin
c:\windows\system32\vwailxjl.ini
c:\windows\system32\windows
c:\windows\system32\xdcvmuyu.ini
c:\windows\system32\xekykniu.ini
c:\windows\system32\XHkSrtwa.ini
c:\windows\system32\ynomaffx.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_yzbgqap


((((((((((((((((((((((((( Files Created from 2009-02-20 to 2009-03-20 )))))))))))))))))))))))))))))))
.

2009-03-20 14:24 . 2009-03-20 14:24 268 --ah----- C:\sqmdata17.sqm
2009-03-20 14:24 . 2009-03-20 14:24 244 --ah----- C:\sqmnoopt17.sqm
2009-03-19 16:39 . 2009-03-19 16:39 268 --ah----- C:\sqmdata16.sqm
2009-03-19 16:39 . 2009-03-19 16:39 244 --ah----- C:\sqmnoopt16.sqm
2009-03-18 07:41 . 2009-03-18 07:41 <DIR> d-------- c:\program files\iTunes
2009-03-18 07:41 . 2009-03-18 07:41 <DIR> d-------- c:\program files\iPod
2009-03-18 07:41 . 2009-03-18 07:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-18 07:39 . 2009-03-18 07:39 <DIR> d-------- c:\program files\QuickTime
2009-03-18 07:38 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-17 18:14 . 2009-03-17 18:14 268 --ah----- C:\sqmdata15.sqm
2009-03-17 18:14 . 2009-03-17 18:14 244 --ah----- C:\sqmnoopt15.sqm
2009-03-16 21:33 . 2009-03-16 21:33 268 --ah----- C:\sqmdata14.sqm
2009-03-16 21:33 . 2009-03-16 21:33 244 --ah----- C:\sqmnoopt14.sqm
2009-03-16 21:28 . 2009-03-16 21:28 268 --ah----- C:\sqmdata13.sqm
2009-03-16 21:28 . 2009-03-16 21:28 244 --ah----- C:\sqmnoopt13.sqm
2009-03-15 23:46 . 2009-03-15 23:46 268 --ah----- C:\sqmdata12.sqm
2009-03-15 23:46 . 2009-03-15 23:46 244 --ah----- C:\sqmnoopt12.sqm
2009-03-15 11:16 . 2009-03-15 11:16 268 --ah----- C:\sqmdata11.sqm
2009-03-15 11:16 . 2009-03-15 11:16 244 --ah----- C:\sqmnoopt11.sqm
2009-03-13 17:24 . 2009-03-13 17:24 268 --ah----- C:\sqmdata10.sqm
2009-03-13 17:24 . 2009-03-13 17:24 244 --ah----- C:\sqmnoopt10.sqm
2009-03-13 16:29 . 2009-03-20 14:38 <DIR> d-------- c:\program files\Common
2009-03-11 08:42 . 2009-03-11 08:42 268 --ah----- C:\sqmdata09.sqm
2009-03-11 08:42 . 2009-03-11 08:42 244 --ah----- C:\sqmnoopt09.sqm
2009-03-07 10:04 . 2009-03-07 10:04 268 --ah----- C:\sqmdata08.sqm
2009-03-07 10:04 . 2009-03-07 10:04 244 --ah----- C:\sqmnoopt08.sqm
2009-03-04 10:48 . 2009-03-04 10:48 618,496 --a------ c:\windows\system32\nsiF66.dll
2009-03-01 22:39 . 2009-03-01 22:39 268 --ah----- C:\sqmdata07.sqm
2009-03-01 22:39 . 2009-03-01 22:39 244 --ah----- C:\sqmnoopt07.sqm
2009-02-23 21:12 . 2009-02-23 21:12 268 --ah----- C:\sqmdata06.sqm
2009-02-23 21:12 . 2009-02-23 21:12 244 --ah----- C:\sqmnoopt06.sqm
2009-02-23 05:08 . 2009-02-23 05:08 268 --ah----- C:\sqmdata05.sqm
2009-02-23 05:08 . 2009-02-23 05:08 244 --ah----- C:\sqmnoopt05.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-20 18:41 --------- d-----w c:\program files\DNA
2009-03-20 18:41 --------- d-----w c:\documents and settings\Valued Customer\Application Data\DNA
2009-03-19 04:45 --------- d-----w c:\program files\mIRC
2009-03-18 11:41 --------- d-----w c:\program files\Common Files\Apple
2009-03-18 11:40 --------- d-----w c:\program files\Bonjour
2009-03-11 07:06 --------- d-----w c:\documents and settings\Valued Customer\Application Data\BitTorrent
2009-03-11 07:01 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-23 17:03 --------- d-----w c:\program files\you already know
2008-10-30 21:09 10,240 -csha-w c:\program files\Thumbs.db
2008-05-10 19:48 0 --sha-w c:\documents and settings\Mom\Application Data\00480e735bb240c3461019295b35d243c30c3294c4.dat
2008-02-28 04:57 247,080,410 ----a-w c:\documents and settings\Valued Customer\DJ Tiesto-In Search Of Sunrise 4-2CD-2005 .(By.Taken).[WwW.emulebit.CoM].zip
2007-01-19 01:30 6,895,942 -c--a-w c:\program files\Textbook.pdf
2007-01-11 08:10 1,035,271 ----a-w c:\program files\wrar362.exe
2007-01-08 02:11 25,085,540 ----a-w c:\program files\SUPERsetup.exe
2007-01-06 22:23 13,338,496 ----a-w c:\program files\Orb20SetupUs.exe
2007-01-06 02:46 16,179,264 ----a-w c:\program files\DivXInstaller.exe
2007-01-02 04:56 359,112 ----a-w c:\program files\LimeWireWin.exe
2006-05-03 10:06 163,328 --sha-r c:\windows\system32\flvDX.dll
2007-04-02 19:53 118,784 --sha-r c:\windows\system32\msgnmsger.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417f4744-a886-7ad1-0dcf-343701718155}]
2009-03-04 10:48 618496 --a------ c:\windows\system32\nsiF66.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2008-05-13 507904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1510640]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 1961984]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-05 4347120]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-05 26248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"hrlhrsvc"="c:\windows\system32\hrlhrsvc.exe" [2009-02-12 1466368]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\
p2pmax.lnk - c:\qoobox\Quarantine\C\Program Files\p2pmax\p2pmax.exe.vir [2009-01-13 28672]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2006-12-27 987136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= c:\program files\Internet Explorer\prohdyxe.html
FriendlyName=

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= c:\program files\ComPlus Applications\prohdyxe.html
FriendlyName=

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-05-17 10:58 294912 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\vio\dvacm.acm
"msacm.mpegacm"= mpegacm.acm
"msacm.ulmp3acm"= ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-12-27 176128]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-12-27 13532]
S1 ipfltdrvv;ipfltdrvv;c:\windows\system32\drivers\ipfltdrvv.sys --> c:\windows\system32\drivers\ipfltdrvv.sys [?]
S3 Asushwio;Asushwio;c:\windows\system32\drivers\ASUSHWIO.SYS [2006-12-27 5824]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SJYPKT

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
\Shell\AutoRun\command - h:\programs\nu2menu\nu2menu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-20 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 22:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{C1F2BBD6-1DFF-B6F4-DCCC-DA3B74648D1A} - c:\windows\system32\dciryqzjalpgp.dll
HKCU-Run-logo link - c:\docume~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
HKCU-Run-mdm - c:\windows\mdm.exe
HKCU-Run-DriverUpdaterPro - c:\program files\XPC Tools\Driver Updater Pro\DriverUpdaterPro.exe
HKCU-Run-system tool - c:\windows\sysguard.exe
HKLM-Run-autochk - c:\windows\system32\autochk.dll
SSODL-mpfanvqg-{AEAC12A0-9342-4D7B-BC25-BB09BA2195CB} - c:\windows\mpfanvqg.dll
SSODL-vbksrofa-{71DE5F20-F659-4D48-8469-35CAAE32BB1B} - c:\windows\vbksrofa.dll
Notify-geBrsTNH - geBrsTNH.dll
Notify-iifeefd - iifeefd.dll
MSConfigStartUp-WebBuying - c:\program files\Web Buying\v1.8.8\webbuying.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {6CE3FB5E-A75E-430E-8347-262B2620F726} = 192.9.9.3
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-20 14:41:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-790525478-963894560-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:41,cd,48,50,aa,e7,10,81,3c,a4,8a,36,fd,4c,b9,60,6e,9b,9b,f5,10,73,ed,
d6,04,d6,94,67,37,4d,cc,78,66,e6,06,c5,5d,7b,f2,74,9a,32,27,50,e5,fb,f8,0f,\
"??"=hex:93,48,ab,31,01,17,2e,13,5b,4b,15,13,74,f2,85,d8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1116)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-20 14:47:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-20 18:47:43
ComboFix2.txt 2009-03-15 15:30:39
ComboFix3.txt 2008-05-12 02:12:17
ComboFix4.txt 2008-04-27 19:26:44

Pre-Run: 165,532,033,024 bytes free
Post-Run: 165,736,185,856 bytes free

301 --- E O F --- 2009-03-20 18:31:00

#7 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 21 March 2009 - 06:58 AM

1. Please open Notepad
  • Click Start , then Run
  • type notepad in the Run box, then hit OK.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
ipfltdrvv

File::
c:\windows\system32\nsiF66.dll
c:\windows\system32\hrlhrsvc.exe
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\p2pmax.lnk 
c:\program files\Internet Explorer\prohdyxe.html
c:\program files\ComPlus Applications\prohdyxe.html
c:\windows\system32\drivers\ipfltdrvv.sys

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417f4744-a886-7ad1-0dcf-343701718155}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hrlhrsvc"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
Combofix.txt and a new DDS log.

#8 makaveli3005

makaveli3005
  • Topic Starter

  • Members
  • 107 posts

Posted 28 April 2009 - 08:37 AM

ComboFix 09-04-27.03 - Valued Customer 2009-04-28 2:34.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.1342 [GMT -4:00]
Running from: c:\documents and settings\Valued Customer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Valued Customer\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Outdated)
FW: Norton AntiVirus *disabled*
* Created a new restore point

FILE ::
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\p2pmax.lnk
c:\program files\ComPlus Applications\prohdyxe.html
c:\program files\Internet Explorer\prohdyxe.html
c:\windows\system32\drivers\ipfltdrvv.sys
c:\windows\system32\hrlhrsvc.exe
c:\windows\system32\nsiF66.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Valued Customer\Local Settings\Temporary Internet Files\75432937.dll
c:\documents and settings\Valued Customer\Local Settings\Temporary Internet Files\75432937.exe
c:\documents and settings\Valued Customer\Start Menu\Programs\Startup\p2pmax.lnk
c:\windows\system32\__c004C9BA.dat
c:\windows\system32\hrlhrsvc.exe
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
C:\xcrashdump.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPFLTDRVV
-------\Service_ipfltdrvv


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-18 15:50 . 2009-04-18 15:50 -------- d-----w c:\documents and settings\Mom\Cars 4 18
2009-04-13 16:25 . 2009-04-13 16:25 687104 ----a-w c:\windows\system32\nst7F.dll
2009-04-10 11:34 . 2009-04-10 11:34 -------- d-----w c:\documents and settings\Valued Customer\Local Settings\Application Data\{BE43DE76-03BF-4409-A5F8-774035898168}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 06:42 . 2008-02-29 00:10 -------- d-----w c:\program files\DNA
2009-04-28 06:30 . 2009-03-21 21:16 16 ----a-w c:\windows\Csilimevocogirav.bin
2009-04-27 03:38 . 2009-02-01 16:24 -------- d-----w c:\program files\you already know
2009-04-16 04:45 . 2009-03-21 21:16 1366 ----a-w c:\windows\Rzupedakokox.dat
2009-04-14 03:10 . 2009-02-12 22:36 85654 ----a-w c:\windows\system32\0fcc2113-3ef7-a213-e810-86de6c72526e.exe
2009-03-21 15:34 . 2007-01-18 02:25 -------- d-----w c:\program files\BitTorrent
2009-03-20 18:38 . 2009-03-13 20:29 -------- d-----w c:\program files\Common
2009-03-19 04:45 . 2007-01-01 23:11 -------- d-----w c:\program files\mIRC
2009-03-18 11:41 . 2009-03-18 11:41 -------- d-----w c:\program files\iTunes
2009-03-18 11:41 . 2009-03-18 11:41 -------- d-----w c:\program files\iPod
2009-03-18 11:41 . 2008-01-11 02:20 -------- d-----w c:\program files\Common Files\Apple
2009-03-18 11:40 . 2008-03-12 02:19 -------- d-----w c:\program files\Bonjour
2009-03-18 11:39 . 2009-03-18 11:39 -------- d-----w c:\program files\QuickTime
2009-03-16 15:40 . 2009-02-12 22:36 48285 ----a-w c:\windows\system32\khwhaqezgt.exe
2009-03-06 14:00 . 2006-02-28 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-18 11:38 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-01-11 02:20 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2006-02-28 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-23 09:09 . 2006-12-27 14:39 230704 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-02-20 18:09 . 2006-02-28 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:19 . 2006-02-28 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-09 10:01 . 2006-02-28 12:00 728576 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:01 . 2006-02-28 12:00 617984 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:01 . 2006-02-28 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:01 . 2006-02-28 12:00 715264 ----a-w c:\windows\system32\ntdll.dll
2009-02-06 10:29 . 2006-02-28 12:00 2142720 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:22 . 2006-02-28 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 09:54 . 2006-02-28 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 09:49 . 2004-08-03 22:59 2020864 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:52 . 2006-02-28 12:00 56320 ----a-w c:\windows\system32\secur32.dll
2008-10-30 21:09 . 2007-12-27 00:13 10240 -csha-w c:\program files\Thumbs.db
2007-01-19 01:30 . 2007-01-19 01:30 6895942 -c--a-w c:\program files\Textbook.pdf
2007-01-11 08:10 . 2007-01-11 08:10 1035271 ----a-w c:\program files\wrar362.exe
2007-01-08 02:11 . 2007-01-08 02:11 25085540 ----a-w c:\program files\SUPERsetup.exe
2007-01-06 22:23 . 2007-01-06 22:22 13338496 ----a-w c:\program files\Orb20SetupUs.exe
2007-01-06 02:46 . 2007-01-06 02:43 16179264 ----a-w c:\program files\DivXInstaller.exe
2007-01-02 04:56 . 2007-01-02 04:56 359112 ----a-w c:\program files\LimeWireWin.exe
2006-05-03 10:06 . 2007-01-08 02:11 163328 --sha-r c:\windows\system32\flvDX.dll
2007-04-02 19:53 . 2007-04-02 20:58 118784 --sha-r c:\windows\system32\msgnmsger.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 10:47 160496 ----a-w c:\progra~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"= "c:\progra~1\Yahoo!\Companion\Installs\cpn\yt.dll" [2008-07-28 882416]

[HKEY_CLASSES_ROOT\clsid\{ef99bd32-c1fb-11d2-892f-0090271d4f88}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{003028C2-EA1C-4676-A316-B5CB50917002}]
[HKEY_CLASSES_ROOT\yt.YToolbarBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"= "c:\windows\system32\ieframe.dll" [2009-02-20 6066176]

[HKEY_CLASSES_ROOT\clsid\{f2cf5485-4e02-4f68-819c-b92de9277049}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2008-05-14 507904]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 1510640]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-12 1961984]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2006-09-06 26248]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-29 583048]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-04 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS WiFi-AP Solo.lnk - c:\program files\ASUS WiFi-AP Solo\RtWLan.exe [2006-12-27 987136]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegedit"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-28 77824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"= {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - c:\windows\system32\webcheck.dll [2009-02-20 233472]
"WPDShServiceObj"= {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll [2006-10-19 133632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-05-17 14:58 294912 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dpmgetit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R3 Asushwio;Asushwio;c:\windows\system32\drivers\Asushwio.sys [2004-04-27 5824]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-28 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-28 55024]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\DRIVERS\RTL8187.sys [2006-06-16 176128]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [2006-03-31 13532]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
\Shell\AutoRun\command - h:\programs\nu2menu\nu2menu.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 21:57]

2009-04-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
HKLM-Run-Wgomogeh - c:\documents and settings\Valued Customer\Local Settings\Temporary Internet Files\75432937.dll
SharedTaskScheduler-{8C7461EF-2B13-11d2-BE35-3078302C2030} - %SystemRoot%\system32\browseui.dll
ShellExecuteHooks-{AEB6717E-7E19-11d0-97EE-00C04FD91972} - shell32.dll
SSODL-PostBootReminder-{7849596a-48ea-486e-8937-a2a3009f31a9} - %SystemRoot%\system32\SHELL32.dll
SSODL-CDBurn-{fbeb8a05-beee-4442-804e-409d6c4515e9} - %SystemRoot%\system32\SHELL32.dll
Notify-__c004C9BA - c:\windows\system32\__c004C9BA.dat


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\AIM\aim.exe
IE: {{92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\MICROS~2\Office12\REFIEBAR.DLL
TCP: {6CE3FB5E-A75E-430E-8347-262B2620F726} = 192.9.9.3
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: lzdhtml - {8f6b0360-b80d-11d0-a9b3-006097942311} - c:\windows\system32\urlmon.dll
Filter: text/webviewhtml - {733AC4CB-F1A4-11d0-B951-00A0C90312E1} -
Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - c:\progra~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
Handler: file - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ftp - {79eac9e3-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: gopher - {79eac9e4-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http - {79eac9e2-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: http\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: http\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https - {79eac9e5-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: https\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: https\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: ipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: livecall - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\MSNMES~1\MSGRAP~1.DLL
Handler: local - {79eac9e7-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: mk - {79eac9e6-baf9-11ce-8c82-00aa004ba90b} - c:\windows\system32\urlmon.dll
Handler: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
Handler: msdaipp\0x00000001 - {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msdaipp\oledb - {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - c:\progra~1\COMMON~1\System\OLEDB~1\MSDAIPP.DLL
Handler: msnim - {828030A1-22C1-4009-854F-8E305202313F} - c:\progra~1\MSNMES~1\MSGRAP~1.DLL
Handler: sysimage - {76E67A63-06E9-11D2-A840-006008059382} -
Handler: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - c:\windows\system32\msvidctl.dll
Name-Space Handler: mk\* - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - c:\windows\system32\itss.dll
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {95D88B35-A521-472B-A182-BB1A98356421} - hxxp://asp.mathxl.com/books/_Players/PearsonInstallAsst2.cab
DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} - hxxp://asp.mathxl.com/books/_Players/MathPlayer.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 02:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-790525478-963894560-725345543-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:41,cd,48,50,aa,e7,10,81,3c,a4,8a,36,fd,4c,b9,60,6e,9b,9b,f5,10,73,ed,
d6,04,d6,94,67,37,4d,cc,78,66,e6,06,c5,5d,7b,f2,74,9a,32,27,50,e5,fb,f8,0f,\
"??"=hex:93,48,ab,31,01,17,2e,13,5b,4b,15,13,74,f2,85,d8
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1116)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(1172)
c:\windows\dpmgetit.dll

- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\dpmgetit.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
c:\program files\Orb Networks\Orb\bin\Orb.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-28 2:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 06:50
ComboFix2.txt 2009-03-20 18:47
ComboFix3.txt 2009-03-15 15:30
ComboFix4.txt 2008-05-12 02:12
ComboFix5.txt 2009-04-28 06:33

Pre-Run: 162,579,738,624 bytes free
Post-Run: 162,906,488,832 bytes free

267 --- E O F --- 2009-04-24 05:18
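
The ComboFix log above already holds several indicators a responder would triage first: an extra LSA notification package (dpmgetit.dll next to scecli), Security Center monitoring and the Windows Firewall switched off, and a DLL from the Windows root loaded into lsass.exe. As an added example that is not part of this thread or of ComboFix, here is a small Python script that parses those sections of a ComboFix-format log and lists such findings; the excerpt it runs on is constructed from entries in the log above.

```python
import re

# Constructed excerpt in ComboFix's log format; the entries are copied from the log posted in this thread.
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli dpmgetit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

- - - - - - - > 'lsass.exe'(1172)
c:\windows\dpmgetit.dll

- - - - - - - > 'explorer.exe'(3320)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\dpmgetit.dll
"""

PROC_HDR = re.compile(r"- - - - - - - > '([^']+)'\(\d+\)")   # "DLLs Loaded Under Running Processes" header
ROOT_DLL = re.compile(r"c:\\windows\\[^\\]+\.dll", re.IGNORECASE)  # a DLL sitting directly in %SystemRoot%

def triage(log: str) -> list[str]:
    # Walk the log line by line, remembering which registry key or process block we are in.
    findings, section = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):         # registry key header
            section = line.lower()
            continue
        m = PROC_HDR.match(line)
        if m:                                                     # process header
            section = "process:" + m.group(1).lower()
            continue
        if section.endswith(r"\control\lsa]") and line.startswith("Notification Packages"):
            # Any package beyond the stock scecli is handed every password change in cleartext.
            extra = [p for p in line.split()[3:] if p.lower() != "scecli"]
            if extra:
                findings.append("LSA Notification Packages beyond scecli: " + ", ".join(extra))
        elif r"\security center\monitoring" in section and line == '"DisableMonitoring"=dword:00000001':
            findings.append("Security Center monitoring disabled in " + section)
        elif section.endswith(r"\standardprofile]") and re.match(r'"EnableFirewall"=\s*0\b', line):
            findings.append("Windows Firewall disabled for the standard profile")
        elif section.startswith("process:") and ROOT_DLL.fullmatch(line):
            # A DLL in the Windows root rather than system32 is unusual, doubly so inside lsass.exe.
            findings.append(f"DLL from %SystemRoot% root loaded in {section[8:]}: {line}")
    return findings
```

Running `triage(SAMPLE_LOG)` returns five findings; the `system32` DLL in explorer.exe is correctly left alone.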

#9 makaveli3005

makaveli3005
  • Topic Starter
  • Members
  • 107 posts
  • Local time:11:28 PM

Posted 28 April 2009 - 09:21 AM

Also, now for some strange reason, every now and then my monitor will flash, like shut off, turn back on, turn off, turn back on, non-stop. The computer information is still there but the screen keeps flashing. I turn off the computer and sometimes it fixes it. Any ideas?

#10 kahdah

kahdah
  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:12:28 AM

Posted 29 April 2009 - 06:56 AM

Also, now for some strange reason, every now and then my monitor will flash, like shut off, turn back on, turn off, turn back on, non-stop. The computer information is still there but the screen keeps flashing. I turn off the computer and sometimes it fixes it. Any ideas?

Could be your video driver.

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :files
    c:\windows\system32\nst7F.dll
    c:\windows\Csilimevocogirav.bin
    C:\windows\Rzupedakokox.dat
    c:\windows\system32\0fcc2113-3ef7-a213-e810-86de6c72526e.exe
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
===================================
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
=========================
Please post these logs in your next reply:
  • OTMoveIt3 log
  • Malwarebytes' Anti-Malware log
  • New DDS log

Edited by kahdah, 29 April 2009 - 06:57 AM.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



