
Random Pop up ads non stop. Infected please help


This topic is locked
13 replies to this topic

#1 Juyce


Posted 12 March 2009 - 01:12 PM

My computer (WinXP) displays 2 or 3 pop-up ads every 2 or 3 minutes. I know when and how I received it, but this time it actually did its work. One of the pop-up ads came up yesterday showing that fake virus scanner, and like usual I would just exit out of it. But this one was a bit different, and another window came up; I exited out of that one as well. I guess after clicking the exit button it activated it and then infected my computer.

These random pop-up ads show up every couple of minutes and I don't know where to begin to stop this. I'm usually very cautious about these and always avoid them, but this has got into my system. 6 pop-up ads have already come while typing this. I have just noticed right now that, while typing, sometimes a letter won't appear, as if it just skipped the input, every other minute as well. This problem has never occurred before. Assistance would be greatly appreciated. Thank you; here is my HJT log.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:29 AM, on 3/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
I:\Program Files\Bonjour\mDNSResponder.exe
i:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
I:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\taskmgr.exe
I:\WINDOWS\RTHDCPL.EXE
I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
I:\WINDOWS\system32\rundll32.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\rundll32.exe
I:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Juyce _init[(SAP-
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2012F73E-7427-4AD8-9E9D-6CBA6E0053D4} - I:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {28d9925a-b98a-43ca-8e0b-9f8b77d60110} - I:\WINDOWS\system32\zudidafo.dll
O2 - BHO: {6850d09a-01ab-bba8-4ed4-26e27f73f2a6} - {6a2f37f7-2e62-4de4-8abb-ba10a90d0586} - I:\WINDOWS\system32\olnqnt.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - I:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] I:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] I:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dwihohu] rundll32.exe "I:\WINDOWS\Iqisirujiqig.dll",e
O4 - HKLM\..\Run: [Kguma] rundll32.exe "I:\WINDOWS\iteziqizoqosiho.dll",e
O4 - HKLM\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s
O4 - HKLM\..\Run: [04c4d2c4] rundll32.exe "I:\WINDOWS\system32\suziziju.dll",b
O4 - HKLM\..\Run: [CPM03407333] Rundll32.exe "i:\windows\system32\hedelime.dll",a
O4 - HKCU\..\Run: [NVIDIA nTune] "I:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "I:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Veoh] "I:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] I:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [AdobeUpdater] "I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-73586283-1220945662-839522115-1009\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe (User 'x')
O4 - Startup: Air Mouse.lnk = I:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Startup: LimeWire On Startup.lnk = I:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Yahoo! Widgets.lnk = I:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Air Mouse.lnk = I:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Global Startup: AutoStart IR.lnk = I:\Program Files\WinTV\Ir.exe
O4 - Global Startup: hp psc 2000 Series.lnk = I:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - I:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} (GamOnUpdate Control) - http://www.wcgzone.com/GamOnUpdate.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197481113171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O20 - AppInit_DLLs: I:\WINDOWS\system32\pabopisu.dll i:\windows\system32\hedelime.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - i:\windows\system32\hedelime.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - i:\windows\system32\hedelime.dll
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - I:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - I:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - I:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OrbMediaService - Orb Networks - I:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - I:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10274 bytes

Attached Files

  • DDS.txt (12.4KB)

Edited by Juyce, 12 March 2009 - 01:24 PM.
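As an added example (not code from this thread, and not part of HijackThis or any of the tools the helpers mention), the following Python script does the kind of triage a helper does by eye on the log above. It parses HJT entry lines and flags the patterns that stand out in this log: O4 Run entries where rundll32 calls a DLL through a one-letter export (`,e`, `,s`, `,a`), an AppInit_DLLs value, O21/O22 shell objects living in the Windows directory, BHOs with no name (or a GUID as their name), and any single DLL that is referenced from several different hook types at once (here hedelime.dll appears under O4, O20, O21 and O22). The sample lines are copied from the first log; the heuristics, function names and the "windows directory" test are my own assumptions, and a hit means "look at this", not a verdict.

```python
"""Heuristic triage of a HijackThis (HJT) log.

Added example, not part of the original thread. It does not name a malware
family; it only scores persistence entries against patterns visible in the
posted log, and cross-references DLLs that are hooked from several places.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first HJT log in the thread, plus
# one benign NVIDIA Run entry and one benign Adobe BHO for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28d9925a-b98a-43ca-8e0b-9f8b77d60110} - I:\WINDOWS\system32\zudidafo.dll
O2 - BHO: {6850d09a-01ab-bba8-4ed4-26e27f73f2a6} - {6a2f37f7-2e62-4de4-8abb-ba10a90d0586} - I:\WINDOWS\system32\olnqnt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Dwihohu] rundll32.exe "I:\WINDOWS\Iqisirujiqig.dll",e
O4 - HKLM\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s
O4 - HKLM\..\Run: [CPM03407333] Rundll32.exe "i:\windows\system32\hedelime.dll",a
O4 - HKUS\S-1-5-19\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: I:\WINDOWS\system32\pabopisu.dll i:\windows\system32\hedelime.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - i:\windows\system32\hedelime.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - i:\windows\system32\hedelime.dll
"""

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# A DLL reference is either a drive-rooted path (may contain spaces) or a bare
# file name, which is how AppInit_DLLs sometimes lists them.
DLL_RE = re.compile(r"(?:[a-z]:\\.*?|[\w~-]+)\.dll", re.I)
# rundll32 <dll>,<export> where the export is a single letter (",e", ",s", ...)
ONE_LETTER_EXPORT_RE = re.compile(r'\.dll"?,\s*[a-z]\b', re.I)
# BHO whose display name is empty or is itself a GUID
UNNAMED_BHO_RE = re.compile(r"^BHO: (?:\(no name\)|\{[0-9a-f-]{36}\}) - ", re.I)


def parse_entries(text):
    """Yield (section, body) for each HJT entry line, e.g. ('O4', 'HKLM\\..\\Run: ...')."""
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def extract_dlls(body):
    """Return lower-cased DLL references (full path or bare name) found in an entry body."""
    return [m.group(0).lower() for m in DLL_RE.finditer(body)]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def in_windows_dir(path):
    """Assumed test: the DLL lives under the Windows directory (system32 included)."""
    return "\\windows\\" in path


def triage(text):
    """Return (findings, crossrefs).

    findings:  list of (section, reason, dlls) for entries matching a heuristic.
    crossrefs: {dll basename: set of sections} for DLLs referenced from two or
               more different hook types; the strongest single signal here.
    """
    findings = []
    seen_in = defaultdict(set)
    for section, body in parse_entries(text):
        dlls = extract_dlls(body)
        for d in dlls:
            seen_in[basename(d)].add(section)
        low = body.lower()
        if section == "O4" and "rundll32" in low and ONE_LETTER_EXPORT_RE.search(body):
            findings.append((section, "rundll32 calls a DLL through a one-letter export", dlls))
        elif section == "O20" and low.startswith("appinit_dlls:") and dlls:
            findings.append((section, "AppInit_DLLs is loaded into every process that links user32", dlls))
        elif section in ("O21", "O22") and any(in_windows_dir(d) for d in dlls):
            findings.append((section, "shell-loaded object (SSODL / SharedTaskScheduler) in the Windows directory", dlls))
        elif section == "O2" and UNNAMED_BHO_RE.match(body):
            findings.append((section, "BHO with no name or a GUID as its name", dlls))
    crossrefs = {name: secs for name, secs in seen_in.items() if len(secs) >= 2}
    return findings, crossrefs


if __name__ == "__main__":
    found, xrefs = triage(SAMPLE_LOG)
    for section, reason, dlls in found:
        print(f"[{section}] {reason}: {', '.join(basename(d) for d in dlls)}")
    for name, secs in xrefs.items():
        print(f"{name} is hooked from {len(secs)} places: {', '.join(sorted(secs))}")
```

The cross-reference is the part worth keeping: one DLL registered at the same time as a Run entry, an AppInit DLL, a ShellServiceObjectDelayLoad entry and a SharedTaskScheduler entry is not how legitimate software installs itself, and it is exactly what the posted log shows for hedelime.dll. The script also reports the LOCAL SERVICE and NETWORK SERVICE copies of the same Run entry as separate O4 hits, which matches the O4 - HKUS lines in the log.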




#2 Juyce (Topic Starter)

Posted 14 March 2009 - 10:53 PM

Title was: Random Pop-up from adtrget, Never ending new tabs. INFECTED please help!, <http://url.adtrgt.com/cpv.jsp?p= pop-up>, CTF loader, comp slowdown ~ OB

Please help me, this is getting very annoying. I'm having random pop-ups every 1 or 2 minutes, and it seems only when I have IE 7 open; sometimes I don't even have it open and a pop-up occurs as well. Also when I am working on something, browsing/gaming or something, it will take me off the application that I'm working on (typing this right now, and randomly I lose my cursor to type and I have to re-click the screen to proceed). I came home today and turned on my computer and a Windows error came up saying something about CTF loader; they had to stop the application. I read a little about CTF loader and it said it's connected to MS Office. I have Office, but I never use it, rarely ever. It's starting to concern me and hopefully my infection isn't that bad. Please help; I've been forum hopping trying to get a response from forum to forum and this is my second post!

Here are my logs: DDS and ATTACH, and the HJT log if you need it.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:52:43 PM, on 3/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
I:\Program Files\Bonjour\mDNSResponder.exe
I:\WINDOWS\system32\nvsvc32.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\WINDOWS\system32\wscntfy.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\RTHDCPL.EXE
I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\WINDOWS\system32\ctfmon.exe
I:\PROGRA~1\WinTV\HCWTVS~1.EXE
I:\Program Files\WC3Banlist\WC3Banlist.exe
I:\Documents and Settings\Juyce\Desktop\W3DR_1.4.0.3\W3DR.exe
I:\WINDOWS\system32\taskmgr.exe
I:\WINDOWS\system32\dwwin.exe
I:\Program Files\Internet Explorer\iexplore.exe
I:\WINDOWS\system32\notepad.exe
I:\WINDOWS\system32\notepad.exe
I:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Juyce _init[(SAP-
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2012F73E-7427-4AD8-9E9D-6CBA6E0053D4} - I:\Program Files\Video Add-on\isfmdl.dll (file missing)
O2 - BHO: (no name) - {28d9925a-b98a-43ca-8e0b-9f8b77d60110} - I:\WINDOWS\system32\zudidafo.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: {2a6bb58b-186f-d27a-4aa4-8e46ae3e8f0d} - {d0f8e3ea-64e8-4aa4-a72d-f681b85bb6a2} - I:\WINDOWS\system32\hwnbmc.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - I:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - I:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - I:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ANIWZCS2Service] I:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [D-Link AirPlus XtremeG] I:\Program Files\D-Link\AirPlus XtremeG\AirPlusCFG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "I:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "I:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] I:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Dwihohu] rundll32.exe "I:\WINDOWS\Iqisirujiqig.dll",e
O4 - HKLM\..\Run: [Kguma] rundll32.exe "I:\WINDOWS\iteziqizoqosiho.dll",e
O4 - HKLM\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s
O4 - HKLM\..\Run: [04c4d2c4] rundll32.exe "I:\WINDOWS\system32\zikebenu.dll",b
O4 - HKLM\..\Run: [CPM03407333] Rundll32.exe "i:\windows\system32\binibafi.dll",a
O4 - HKCU\..\Run: [NVIDIA nTune] "I:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] I:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "I:\Program Files\DAEMON Tools Pro\DTProAgent.exe"
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - HKCU\..\Run: [Veoh] "I:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Orb] I:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
O4 - HKCU\..\Run: [AdobeUpdater] "I:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O4 - HKUS\S-1-5-19\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [konizafasa] Rundll32.exe "I:\WINDOWS\system32\vobikabe.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-73586283-1220945662-839522115-1008\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "I:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 (User '?')
O4 - Startup: Air Mouse.lnk = I:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Startup: LimeWire On Startup.lnk = I:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: Yahoo! Widgets.lnk = I:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
O4 - Global Startup: Air Mouse.lnk = I:\Program Files\Air Mouse\Air Mouse\Air Mouse.exe
O4 - Global Startup: AutoStart IR.lnk = I:\Program Files\WinTV\Ir.exe
O4 - Global Startup: hp psc 2000 Series.lnk = I:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\scieplugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - I:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - I:\Program Files\Bodog Poker\BPGame.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - I:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} (GamOnUpdate Control) - http://www.wcgzone.com/GamOnUpdate.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197481113171
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O17 - HKLM\System\CS1\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O17 - HKLM\System\CS2\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O17 - HKLM\System\CS3\Services\Tcpip\..\{171462E1-6508-49AE-ADCD-3FA1959A8898}: NameServer = 71.252.0.12,71.242.0.12
O20 - AppInit_DLLs: I:\WINDOWS\system32\pabopisu.dll hwnbmc.dll i:\windows\system32\binibafi.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - i:\windows\system32\binibafi.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - i:\windows\system32\binibafi.dll
O23 - Service: Apple Mobile Device - Apple Inc. - I:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - I:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - I:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - I:\PROGRA~1\WinTV\HCWTVS~1.EXE
O23 - Service: iPod Service - Apple Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - I:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NMIndexingService - Nero AG - I:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - I:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - I:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OrbMediaService - Orb Networks - I:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: Pml Driver HPZ12 - HP - I:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - I:\Program Files\WinPcap\rpcapd.exe

--
End of file - 10355 bytes


Edited by Orange Blossom, 14 March 2009 - 10:57 PM.
Merged topics. ~ OB


#3 KoanYorel

Posted 24 March 2009 - 03:35 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below, another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed; the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#4 Juyce (Topic Starter)

Posted 24 March 2009 - 10:04 PM

Thanks for the reply

I have pop-ups whenever I have my Internet Explorer open. They will occur every few minutes or so. Sometimes it will pop up in its own window, or sometimes while I'm just surfing an unlimited number of new tabs open (non-stop opening tabs in the same window). I'd have to open Task Manager and end the task because it won't stop. I've tried to look at what web page it opens up and had to look closely at the address it loads. Sometimes I see it as http://url.adtrgt.com/cpv.jsp?p= and random numbers/letters.

When using any application, it happens very frequently that I lose my cursor on the screen. For example, typing this reply, I had to re-click into the screen to retype. Some application in the background is taking me off the screen every few minutes or so. Another example is when I'm playing a game, and out of nowhere the screen will minimize.

Some errors have come up about CTF loader, whatever that is. I don't use MS Office at all, never.

Starting up my computer, I have to open my Task Manager as soon as the desktop starts, and close some applications to make sure my computer doesn't hang up and freeze. I've seen some suspicious applications I've never noticed before in the startup. Recently I've seen an iexplorer.exe opened up during startup in the Task Manager, but there is no Internet Explorer open. Many rundll32.exe open, 4 of them; I'm pretty sure there should be only one.

Another suspicious application opened in Task Manager: 2840690404.exe. Kaspersky stopped this application: Process I:\WINDOWS\Temp\2840890404.exe (PID: 604) is trying to send data using a trusted application. Intended address: http://bontrafic.org/s/in.cgi.

Can't burn CDs any more? The computer shuts off in the middle of encoding. Burned 2 CDs successfully; later on I tried multiple times and it shuts down every time.

Please help! Thanks.



#5 PropagandaPanda (Malware Response Team)

Posted 25 March 2009 - 02:31 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Disable Realtime Protection
Antimalware programs can interfere with ComboFix and other tools we need to run. Please temporarily disable all realtime protections you have enabled. Refer to this page, if you are unsure how.

Download and Run ComboFix
Download Combofix by sUBs from any of the links below, and save it to your desktop.
Link 1, Link 2, Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double-click on ComboFix.exe and follow the prompts. If you are using Windows Vista, right-click the icon and select "Run as Administrator". You will not receive the prompts below if you are not using Windows XP. ComboFix will check to see if you have the Windows Recovery Console installed.
  • If you did not have it installed, you will see the prompt below. Choose YES.

  • When the Recovery Console has been installed, you will see the prompt below. Choose YES.
  • When finished, ComboFix will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running. ComboFix will restart your computer if malware is found; allow it to do so.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.
In your next reply include:
-the ComboFix log
-the GMER scan log

Please also tell me of any changes you have made to your computer since you started your topic.

With Regards,
The Panda

#6 Juyce (Topic Starter)

Posted 26 March 2009 - 01:09 AM

Thanks Panda for the response.

I ran ComboFix and everything went through. But when I ran gmer.exe it closed and did not complete when I scanned the whole system. A Windows error came up and stopped it. The last place it scanned is (I have to type it out):

C:\documents and settings\default\appdata\local\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\application data\Microsoft

That's where it keeps stopping and closing. So I unchecked C:\, I hope that's OK, and everything went through again normally (although I didn't find a Save button, so I clicked Copy; I think that's what you meant) and I have a GMER log now.

The only changes I made were installing a few applications to monitor my CPU fan. I installed SpeedFan and 2 more because something messed up my burning too. I've never had problems with burning a CD/DVD. Now when I burn a DVD the file gets encoded and halfway through that process my computer shuts down completely! I don't know if that's due to the infection.

Anyway, here are the logs.


ComboFix 09-03-25.02 - Juyce 2009-03-25 22:01:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1489 [GMT -7:00]
Running from: i:\documents and settings\Juyce\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
i:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
i:\windows\IE4 Error Log.txt
i:\windows\install.exe
i:\windows\system32\~.exe
i:\windows\system32\acabwh.dll
i:\windows\system32\ahuwuwus.ini
i:\windows\system32\awivivap.ini
i:\windows\system32\awozasoh.ini
i:\windows\system32\awqpqn.dll
i:\windows\system32\bamukitu.dll
i:\windows\system32\beninago.dll
i:\windows\system32\binibafi.dll
i:\windows\system32\bipibunu.dll
i:\windows\system32\bmaren.dll
i:\windows\system32\cbztyv.dll
i:\windows\system32\cyheqd.dll
i:\windows\system32\cyyzpz.dll
i:\windows\system32\dakovebi.dll
i:\windows\system32\dddqqw.dll
i:\windows\system32\dibewori.dll
i:\windows\system32\dumphive.exe
i:\windows\system32\ehufpx.dll
i:\windows\system32\eleyulam.ini
i:\windows\system32\febihago.dll
i:\windows\system32\fejuvizo.dll
i:\windows\system32\fewajipa.dll
i:\windows\system32\forareri.dll
i:\windows\system32\funanopo.dll
i:\windows\system32\funeroga.dll
i:\windows\system32\gehotimi.dll
i:\windows\system32\geviteji.dll
i:\windows\system32\geyanamu.dll
i:\windows\system32\ginegoda.dll
i:\windows\system32\gipunowe.dll
i:\windows\system32\gomuvahi.dll
i:\windows\system32\hedelime.dll
i:\windows\system32\hekanipi.dll
i:\windows\system32\hosazowa.dll
i:\windows\system32\hozavage.dll
i:\windows\system32\hwnbmc.dll
i:\windows\system32\IEDFix.exe
i:\windows\system32\ihowetap.ini
i:\windows\system32\ijetiveg.ini
i:\windows\system32\imitoheg.ini
i:\windows\system32\ipawagek.ini
i:\windows\system32\iwizezuj.ini
i:\windows\system32\ixxagx.dll
i:\windows\system32\jamahesa.dll
i:\windows\system32\jewonere.dll
i:\windows\system32\jurusiza.dll
i:\windows\system32\juzeziwi.dll
i:\windows\system32\kegawapi.dll
i:\windows\system32\kidejabe.dll
i:\windows\system32\klogon.dll
i:\windows\system32\konovozo.dll
i:\windows\system32\kryyfx.dll
i:\windows\system32\lelehaku.dll
i:\windows\system32\mapogizo.dll
i:\windows\system32\mbzztn.dll
i:\windows\system32\miziwiva.dll
i:\windows\system32\mizotufu.dll
i:\windows\system32\mosokobu.dll
i:\windows\system32\namopiya.dll
i:\windows\system32\nebsrj.dll
i:\windows\system32\nezusena.dll
i:\windows\system32\nimaboyu.dll
i:\windows\system32\noguyiyu.dll
i:\windows\system32\nubagida.dll
i:\windows\system32\numikoya.dll
i:\windows\system32\ohefitaw.ini
i:\windows\system32\olnqnt.dll
i:\windows\system32\ororeper.ini
i:\windows\system32\oselodaz.ini
i:\windows\system32\otonenaf.ini
i:\windows\system32\ozigopam.ini
i:\windows\system32\ozovonok.ini
i:\windows\system32\pabopisu.dll
i:\windows\system32\patewohi.dll
i:\windows\system32\paviviwa.dll
i:\windows\system32\penireho.dll
i:\windows\system32\piyoyadi.dll
i:\windows\system32\podzgv.dll
i:\windows\system32\Process.exe
i:\windows\system32\pujosove.dll
i:\windows\system32\reperoro.dll
i:\windows\system32\rfmhjx.dll
i:\windows\system32\rumikegu.dll
i:\windows\system32\SrchSTS.exe
i:\windows\system32\suziziju.dll
i:\windows\system32\tadebava.dll
i:\windows\system32\temufozu.dll
i:\windows\system32\tepepodu.dll
i:\windows\system32\tmp.reg
i:\windows\system32\ttazch.dll
i:\windows\system32\ubokosom.ini
i:\windows\system32\ujizizus.ini
i:\windows\system32\ukivobez.ini
i:\windows\system32\unebekiz.ini
i:\windows\system32\utikumab.ini
i:\windows\system32\uukubq.dll
i:\windows\system32\uvemotuw.ini
i:\windows\system32\uwedrc.dll
i:\windows\system32\vapewezu.dll
i:\windows\system32\vbtqhs.dll
i:\windows\system32\VCCLSID.exe
i:\windows\system32\vobikabe.dll
i:\windows\system32\vwzeuc.dll
i:\windows\system32\wakosoli.dll
i:\windows\system32\watifeho.dll
i:\windows\system32\WS2Fix.exe
i:\windows\system32\wutomevu.dll
i:\windows\system32\xxiqgk.dll
i:\windows\system32\yeyohitu.dll
i:\windows\system32\yifabuvi.dll
i:\windows\system32\yisikape.dll
i:\windows\system32\zadoleso.dll
i:\windows\system32\zakozafu.dll
i:\windows\system32\zewofeha.dll
i:\windows\system32\zikebenu.dll
i:\windows\system32\zudidafo.dll
j:\recycler\Desktop.ini
j:\recycler\Protect.ed

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.

2009-03-24 19:26 . 2009-03-24 19:26 2,713 ---hs---- i:\windows\system32\kozodobe.dll
2009-03-22 11:32 . 2009-03-22 11:43 <DIR> d-------- i:\program files\SpeedFan
2009-03-22 11:32 . 2009-03-22 11:32 45 --a------ i:\windows\system32\initdebug.nfo
2009-03-22 11:12 . 2009-03-22 11:12 <DIR> d-------- i:\program files\Motherboard Monitor 5
2009-03-22 11:12 . 2004-04-10 09:42 2,944 --a------ i:\windows\system32\mbmiodrvr.sys
2009-03-19 14:03 . 2009-03-19 14:03 10,240 --a------ i:\windows\instsp2.exe
2009-03-18 21:43 . 2009-03-18 21:43 1,790,651 ---hs---- i:\windows\system32\ayipoman.tmp
2009-03-18 10:45 . 2009-03-18 10:45 <DIR> d-------- i:\documents and settings\x.JUYCEXP1\Application Data\Nero
2009-03-12 10:48 . 2009-03-12 10:48 <DIR> d-------- i:\documents and settings\x.JUYCEXP1
2009-03-11 11:36 . 2009-03-11 11:36 <DIR> d-------- I:\rsit
2009-03-11 11:34 . 2009-03-11 11:34 <DIR> d-------- i:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-26 05:20 1,228,064 --sha-w i:\windows\system32\drivers\fidbox2.dat
2009-03-26 05:14 954,572 --sha-w i:\windows\system32\drivers\fidbox.idx
2009-03-26 05:14 71,724,832 --sha-w i:\windows\system32\drivers\fidbox.dat
2009-03-26 05:14 118,148 --sha-w i:\windows\system32\drivers\fidbox2.idx
2009-03-26 04:42 --------- d-----w i:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-25 14:19 --------- d-----w i:\program files\WinTV
2009-03-24 02:43 --------- d-----w i:\program files\Warcraft III
2009-03-22 21:07 --------- d-----w i:\program files\Bodog Poker
2009-03-19 21:10 41,984 ----a-w i:\windows\Iqisirujiqig.dll
2009-03-11 20:53 --------- d-----w i:\program files\Driver Detective 6
2009-03-02 02:11 --------- d-----w i:\documents and settings\Juyce\Application Data\Azureus
2009-02-19 04:54 --------- d-----w i:\program files\Packet Tracer 3.2
2009-02-07 04:54 --------- d-----w i:\program files\DIFX
2009-02-07 04:53 --------- d-----w i:\program files\Pure Networks
2009-02-07 04:53 --------- d-----w i:\program files\Common Files\Pure Networks Shared
2009-02-07 04:53 --------- d-----w i:\documents and settings\All Users\Application Data\Pure Networks
2009-02-05 01:50 --------- d-----w i:\program files\Bodog Casino
2009-01-29 07:13 --------- d-----w i:\program files\iLyrics
2009-01-14 08:15 2,829 ----a-w i:\windows\War3Unin.pif
2009-01-14 08:15 139,264 ----a-w i:\windows\War3Unin.exe
2009-01-08 18:46 134,144 ----a-w i:\windows\iteziqizoqosiho.dll
2008-11-11 21:02 32,768 --sha-w i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111120081112\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="i:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-20 81920]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Pro Agent"="i:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="i:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"Veoh"="i:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"MSMSGS"="i:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Orb"="i:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-03-17 510416]
"AdobeUpdater"="i:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-05 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"ANIWZCS2Service"="i:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-01 49152]
"D-Link AirPlus XtremeG"="i:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2006-07-07 1323008]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="i:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AppleSyncNotifier"="i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"Dwihohu"="i:\windows\Iqisirujiqig.dll" [2009-03-19 41984]
"Kguma"="i:\windows\iteziqizoqosiho.dll" [2009-01-08 134144]
"nwiz"="nwiz.exe" [2007-10-04 i:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 i:\windows\RTHDCPL.exe]

i:\documents and settings\Juyce\Start Menu\Programs\Startup\
Air Mouse.lnk - i:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-02-16 269824]
LimeWire On Startup.lnk - i:\program files\LimeWire\LimeWire.exe [2007-07-02 122880]
Yahoo! Widgets.lnk - i:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - i:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-02-16 269824]
AutoStart IR.lnk - i:\program files\WinTV\Ir.exe [2008-11-11 110647]
hp psc 2000 Series.lnk - i:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 323646]
hpoddt01.exe.lnk - i:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Warcraft III\\war3.exe"=
"i:\\Program Files\\Azureus\\Azureus.exe"=
"i:\\Program Files\\LimeWire\\LimeWire.exe"=
"i:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"i:\\WINDOWS\\system32\\ftp.exe"=
"i:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"i:\\Program Files\\Messenger\\msmsgs.exe"=
"i:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"i:\\Program Files\\Garena\\Garena.exe"=
"i:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"i:\\WINDOWS\\system32\\mmc.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Common Files\\Nero\\Lib\\NMIndexingService.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R3 HauppaugeTVServer;HauppaugeTVServer;i:\progra~1\WinTV\HCWTVS~1.EXE [2008-11-11 815104]
R3 hcw18bda;Hauppauge WinTV 418 Driver;i:\windows\system32\drivers\hcw18bda.sys [2008-11-11 384896]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;i:\windows\system32\drivers\A5AGU.sys [2006-05-08 347648]
S3 cur_bus;Curitel USB Composite Device driver (WDM);i:\windows\system32\drivers\cur_bus.sys [2008-07-13 66672]
S3 cur_mdfl;Curitel Packet Service Filter;i:\windows\system32\drivers\cur_mdfl.sys [2008-07-13 9392]
S3 cur_mdm;Curitel Packet Service Drivers;i:\windows\system32\drivers\cur_mdm.sys [2008-07-13 100304]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);i:\windows\system32\drivers\cur_serd.sys [2008-07-13 79216]
S3 NPF;NetGroup Packet Filter Driver;i:\windows\system32\drivers\npf.sys [2007-01-25 42000]
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-01-16 i:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1222880389.job
- i:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
- - - - ORPHANS REMOVED - - - -

BHO-{28d9925a-b98a-43ca-8e0b-9f8b77d60110} - i:\windows\system32\zudidafo.dll
BHO-{f3484a47-c347-4218-bca8-3d618ed1e0c1} - i:\windows\system32\ehufpx.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} - hxxp://www.wcgzone.com/GamOnUpdate.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-25 22:17:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


i:\windows\system32\_000006_.tmp.dll 1846400 bytes executable


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
i:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\program files\Java\jre6\bin\jqs.exe
i:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
i:\windows\system32\rundll32.exe
i:\windows\system32\rundll32.exe
i:\windows\system32\nvsvc32.exe
i:\program files\Orb Networks\Orb\bin\OrbMediaService.exe
i:\windows\system32\rundll32.exe
i:\windows\system32\wdfmgr.exe
i:\program files\Pure Networks\Network Magic\nmsrvc.exe
i:\program files\Orb Networks\Orb\bin\Orb.exe
i:\windows\system32\wscntfy.exe
i:\program files\Common Files\Nero\Lib\NMIndexingService.exe
i:\program files\iPod\bin\iPodService.exe
i:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
i:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
i:\progra~1\WinTV\HCB046~1.EXE
.
**************************************************************************
.
Completion time: 2009-03-25 22:31:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-26 05:30:25

Pre-Run: 6,720,933,888 bytes free
Post-Run: 13,353,762,816 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

313 --- E O F --- 2009-03-26 05:26:41



Edited by PropagandaPanda, 26 March 2009 - 10:53 AM.


#7 PropagandaPanda

PropagandaPanda


  • Malware Response Team
  • 10,433 posts

Posted 26 March 2009 - 10:58 AM

Hello.

Let's finish off that infection.

Peer-to-Peer Programs Warning

Your log shows that you are using so-called peer-to-peer or file-sharing programs (in your case LimeWire). These programs allow users to share files among themselves, as the name suggests. In today's world cyber crime has grown to an enormous scale, and every means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of malware. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, along the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws of many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

It is your decision whether or not you wish to keep your program(s) but I suggest you remove it via add/remove. However, please refrain from using them until your computer has been declared clean.

Run ComboFix with CFScript
We will run ComboFix again with a script.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the box below into it:
    KILLALL::
    File::
    i:\windows\system32\kozodobe.dll
    i:\windows\system32\ayipoman.tmp
    i:\windows\instsp2.exe
    i:\windows\Iqisirujiqig.dll
    i:\windows\iteziqizoqosiho.dll
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Dwihohu"=-
    "Kguma"=-
    
    Rootkit::
    i:\windows\system32\_000006_.tmp.dll
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download and run MalwareBytes Anti-Malware
If you already have MBAM installed, simply update and run a quick scan.

Please download the Malwarebytes Anti-Malware setup file to your desktop.
alternate download link 1
alternate download link 2

Refer to the steps given here on installing MalwareBytes, running the scan, and saving the log file (not on using File Assassin).
  • If you have trouble updating, try the other mirror download site.
  • Should the computer in question not be able to update using the normal method, download the update file from here, using another machine if needed. Simply double-click the file to install the updates.
  • If MalwareBytes asks to reboot to remove certain items, do so right away.
Please include the scan logfile in your next reply.
With Regards,
The Panda

#8 Juyce

Juyce
  • Topic Starter

  • Members
  • 7 posts

Posted 27 March 2009 - 12:22 AM

Here are the next set of logs. I have 2 MBAM logs because I pressed ignore on one of the files at first.

How is the infection looking? No more crazy pop ups so far. Thanks

ComboFix 09-03-25.02 - Juyce 2009-03-26 21:31:23.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1443 [GMT -7:00]
Running from: i:\documents and settings\Juyce\Desktop\ComboFix.exe
Command switches used :: i:\documents and settings\Juyce\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
FW: Kaspersky Anti-Virus *disabled*
* Created a new restore point

FILE ::
i:\windows\instsp2.exe
i:\windows\Iqisirujiqig.dll
i:\windows\iteziqizoqosiho.dll
i:\windows\system32\ayipoman.tmp
i:\windows\system32\kozodobe.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

i:\windows\instsp2.exe
i:\windows\Iqisirujiqig.dll
i:\windows\iteziqizoqosiho.dll
i:\windows\system32\ayipoman.tmp
i:\windows\system32\kozodobe.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-25 22:32 . 2009-03-25 22:49 250 --a------ i:\windows\gmer.ini
2009-03-22 11:32 . 2009-03-22 11:43 <DIR> d-------- i:\program files\SpeedFan
2009-03-22 11:32 . 2009-03-22 11:32 45 --a------ i:\windows\system32\initdebug.nfo
2009-03-22 11:12 . 2009-03-22 11:12 <DIR> d-------- i:\program files\Motherboard Monitor 5
2009-03-22 11:12 . 2004-04-10 09:42 2,944 --a------ i:\windows\system32\mbmiodrvr.sys
2009-03-18 10:45 . 2009-03-18 10:45 <DIR> d-------- i:\documents and settings\x.JUYCEXP1\Application Data\Nero
2009-03-12 10:48 . 2009-03-12 10:48 <DIR> d-------- i:\documents and settings\x.JUYCEXP1
2009-03-11 11:36 . 2009-03-11 11:36 <DIR> d-------- I:\rsit
2009-03-11 11:34 . 2009-03-11 11:34 <DIR> d-------- i:\program files\Trend Micro

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 04:40 1,237,024 --sha-w i:\windows\system32\drivers\fidbox2.dat
2009-03-27 04:36 957,308 --sha-w i:\windows\system32\drivers\fidbox.idx
2009-03-27 04:36 71,724,832 --sha-w i:\windows\system32\drivers\fidbox.dat
2009-03-27 04:36 119,084 --sha-w i:\windows\system32\drivers\fidbox2.idx
2009-03-26 06:55 --------- d-----w i:\program files\Warcraft III
2009-03-26 06:13 --------- d-----w i:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-03-26 05:20 --------- d-----w i:\program files\WinTV
2009-03-22 21:07 --------- d-----w i:\program files\Bodog Poker
2009-03-11 20:53 --------- d-----w i:\program files\Driver Detective 6
2009-03-02 02:11 --------- d-----w i:\documents and settings\Juyce\Application Data\Azureus
2009-02-19 04:54 --------- d-----w i:\program files\Packet Tracer 3.2
2009-02-07 04:54 --------- d-----w i:\program files\DIFX
2009-02-07 04:53 --------- d-----w i:\program files\Pure Networks
2009-02-07 04:53 --------- d-----w i:\program files\Common Files\Pure Networks Shared
2009-02-07 04:53 --------- d-----w i:\documents and settings\All Users\Application Data\Pure Networks
2009-02-05 01:50 --------- d-----w i:\program files\Bodog Casino
2009-01-29 07:13 --------- d-----w i:\program files\iLyrics
2009-01-14 08:15 2,829 ----a-w i:\windows\War3Unin.pif
2009-01-14 08:15 139,264 ----a-w i:\windows\War3Unin.exe
2008-11-11 21:02 32,768 --sha-w i:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008111120081112\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-25_22.29.25.35 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 11:08:53 1,847,552 ----a-w i:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w i:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w i:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w i:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w i:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w i:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-12-05 06:58:08 144,896 ----a-w i:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w i:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w i:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w i:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w i:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w i:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2009-03-26 05:32:59 565,311 ----a-w i:\windows\gmer.dll
+ 2006-11-28 22:23:32 573,440 ----a-w i:\windows\gmer.exe
+ 2008-12-05 06:54:55 144,896 -c----w i:\windows\system32\dllcache\schannel.dll
- 2008-09-15 12:12:56 1,846,400 -c----w i:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w i:\windows\system32\dllcache\win32k.sys
+ 2009-03-26 05:32:59 68,961 ----a-w i:\windows\system32\drivers\gmer.sys
- 2009-01-14 08:53:13 91,888 ----a-w i:\windows\system32\FNTCACHE.DAT
+ 2009-03-26 06:12:13 91,888 ----a-w i:\windows\system32\FNTCACHE.DAT
+ 2009-02-25 19:55:00 24,768,960 ----a-w i:\windows\system32\MRT.exe
- 2008-04-14 00:12:05 144,384 ----a-w i:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w i:\windows\system32\schannel.dll
- 2008-07-09 07:38:24 17,272 ------w i:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w i:\windows\system32\spmsg.dll
- 2008-09-15 12:12:56 1,846,400 ----a-w i:\windows\system32\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w i:\windows\system32\win32k.sys
- 2009-03-26 05:16:07 16,384 --sha-w i:\windows\Temp\Cookies\index.dat
+ 2009-03-27 04:38:00 16,384 --sha-w i:\windows\temp\Cookies\index.dat
- 2009-03-26 05:16:07 16,384 --sha-w i:\windows\Temp\History\History.IE5\index.dat
+ 2009-03-27 04:38:00 16,384 --sha-w i:\windows\temp\History\History.IE5\index.dat
+ 2009-03-27 04:38:41 16,384 ----atw i:\windows\temp\Perflib_Perfdata_148.dat
+ 2009-03-27 04:37:54 16,384 ----atw i:\windows\temp\Perflib_Perfdata_460.dat
- 2009-03-26 05:16:07 32,768 --sha-w i:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-27 04:38:00 32,768 --sha-w i:\windows\temp\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-15 17:47:33 1,724,416 ----a-w i:\windows\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.2600.5581_x-ww_dfbc4fc4\GdiPlus.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="i:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-20 81920]
"ctfmon.exe"="i:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"DAEMON Tools Pro Agent"="i:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-09-06 136136]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="i:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-13 1688872]
"Veoh"="i:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848]
"MSMSGS"="i:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]
"Orb"="i:\program files\Orb Networks\Orb\bin\OrbTray.exe" [2009-03-17 510416]
"AdobeUpdater"="i:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-02-05 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="i:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"NvMediaCenter"="i:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"ANIWZCS2Service"="i:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-01 49152]
"D-Link AirPlus XtremeG"="i:\program files\D-Link\AirPlus XtremeG\AirPlusCFG.exe" [2006-07-07 1323008]
"SunJavaUpdateSched"="i:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"Adobe Reader Speed Launcher"="i:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NeroFilterCheck"="i:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"AppleSyncNotifier"="i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"QuickTime Task"="i:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="i:\program files\iTunes\iTunesHelper.exe" [2008-09-09 289576]
"nwiz"="nwiz.exe" [2007-10-04 i:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-11-30 i:\windows\RTHDCPL.exe]

i:\documents and settings\Juyce\Start Menu\Programs\Startup\
Air Mouse.lnk - i:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-02-16 269824]
LimeWire On Startup.lnk - i:\program files\LimeWire\LimeWire.exe [2007-07-02 122880]
Yahoo! Widgets.lnk - i:\program files\Yahoo!\Widgets\YahooWidgets.exe [2007-12-11 3746856]

i:\documents and settings\All Users\Start Menu\Programs\Startup\
Air Mouse.lnk - i:\program files\Air Mouse\Air Mouse\Air Mouse.exe [2009-02-16 269824]
AutoStart IR.lnk - i:\program files\WinTV\Ir.exe [2008-11-11 110647]
hp psc 2000 Series.lnk - i:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-04-09 323646]
hpoddt01.exe.lnk - i:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"i:\\Program Files\\Warcraft III\\war3.exe"=
"i:\\Program Files\\Azureus\\Azureus.exe"=
"i:\\Program Files\\LimeWire\\LimeWire.exe"=
"i:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"i:\\WINDOWS\\system32\\ftp.exe"=
"i:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"i:\\Program Files\\Messenger\\msmsgs.exe"=
"i:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"i:\\Program Files\\Garena\\Garena.exe"=
"i:\\Program Files\\Air Mouse\\Air Mouse\\Air Mouse.exe"=
"i:\\WINDOWS\\system32\\mmc.exe"=
"i:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"i:\\Program Files\\iTunes\\iTunes.exe"=
"i:\\Program Files\\Common Files\\Nero\\Lib\\NMIndexingService.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"i:\\Program Files\\Orb Networks\\Orb\\bin\\xmltv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R3 HauppaugeTVServer;HauppaugeTVServer;i:\progra~1\WinTV\HCWTVS~1.EXE [2008-11-11 815104]
R3 hcw18bda;Hauppauge WinTV 418 Driver;i:\windows\system32\drivers\hcw18bda.sys [2008-11-11 384896]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;i:\windows\system32\drivers\A5AGU.sys [2006-05-08 347648]
S3 cur_bus;Curitel USB Composite Device driver (WDM);i:\windows\system32\drivers\cur_bus.sys [2008-07-13 66672]
S3 cur_mdfl;Curitel Packet Service Filter;i:\windows\system32\drivers\cur_mdfl.sys [2008-07-13 9392]
S3 cur_mdm;Curitel Packet Service Drivers;i:\windows\system32\drivers\cur_mdm.sys [2008-07-13 100304]
S3 cur_serd;Curitel Packet Service Diagnostic Serial Port (WDM);i:\windows\system32\drivers\cur_serd.sys [2008-07-13 79216]
S3 NPF;NetGroup Packet Filter Driver;i:\windows\system32\drivers\npf.sys [2007-01-25 42000]
.
Contents of the 'Scheduled Tasks' folder

2009-03-21 i:\windows\Tasks\AppleSoftwareUpdate.job
- i:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-01-16 i:\windows\Tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1222880389.job
- i:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 17:56]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
DPF: {428088E0-96DB-4960-99D5-3C809C5A7D74} - hxxp://www.wcgzone.com/GamOnUpdate.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-26 21:38:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
i:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
i:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
i:\program files\Bonjour\mDNSResponder.exe
i:\program files\Java\jre6\bin\jqs.exe
i:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
i:\windows\system32\nvsvc32.exe
i:\windows\system32\rundll32.exe
i:\program files\Orb Networks\Orb\bin\OrbMediaService.exe
i:\windows\system32\rundll32.exe
i:\windows\system32\wdfmgr.exe
i:\program files\Pure Networks\Network Magic\nmsrvc.exe
i:\program files\Orb Networks\Orb\bin\Orb.exe
i:\program files\Common Files\Nero\Lib\NMIndexingService.exe
i:\windows\system32\wscntfy.exe
i:\windows\system32\WgaTray.exe
i:\program files\iPod\bin\iPodService.exe
i:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
i:\program files\Hewlett-Packard\Digital Imaging\bin\hposts08.exe
i:\progra~1\WinTV\HCB046~1.EXE
.
**************************************************************************
.
Completion time: 2009-03-26 21:51:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-27 04:50:28
ComboFix2.txt 2009-03-26 05:31:45

Pre-Run: 13,281,935,360 bytes free
Post-Run: 13,315,334,144 bytes free

221 --- E O F --- 2009-03-27 04:22:53

Edited by PropagandaPanda, 27 March 2009 - 07:15 AM.
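
As an added example, not part of this thread and not code from ComboFix or BleepingComputer, the following Python script parses the two ComboFix log sections shown in the post above: the driver/service lines ("S3 name;display;path [date size]") and the "Other Running Processes" list. The sample input mixes a few lines copied from the log with constructed lines (marked as such) so the script runs offline. It flags executables that run from outside the Windows and Program Files directories and counts rundll32.exe instances, because rundll32 hosts whatever DLL is named on its command line and this log section does not show that command line. The TRUSTED_ROOTS allow-list is an assumption made for the example.

```python
import re
from typing import Dict, List, Optional

# ComboFix service/driver line: "<start> <name>;<display name>;<path> [<yyyy-mm-dd> <size>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<size>\d+)\]$"
)

# Assumed allow-list of directories that services and processes normally run from.
TRUSTED_ROOTS = ("\\windows\\", "\\program files\\", "\\progra~1\\")

# Constructed sample: first two lines are copied from the ComboFix log,
# the third is a constructed line that shows a driver loaded from a user profile.
SERVICE_LINES = r"""
S3 A5AGU;D-Link USB Wireless Network Adapter Service;i:\windows\system32\drivers\A5AGU.sys [2006-05-08 347648]
S3 NPF;NetGroup Packet Filter Driver;i:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 examplesvc;Constructed Example Service;i:\documents and settings\user\application data\svc.sys [2009-03-20 12345]
"""

# Constructed sample: lines copied from the "Other Running Processes" section,
# plus one constructed line for a process running from a temp directory.
PROCESS_LINES = r"""
i:\program files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
i:\windows\system32\nvsvc32.exe
i:\windows\system32\rundll32.exe
i:\windows\system32\rundll32.exe
i:\windows\system32\wscntfy.exe
i:\documents and settings\user\local settings\temp\updater.exe
"""


def _strip_drive(path: str) -> str:
    """Lower-case the path and drop the drive letter so 'i:' and 'c:' compare alike."""
    return re.sub(r"^[a-z]:", "", path.strip().lower())


def _in_trusted_root(path: str) -> bool:
    return _strip_drive(path).startswith(TRUSTED_ROOTS)


def parse_service_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one service/driver line; return None for lines that are not in that format."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["size"] = int(m.group("size"))
    rec["trusted_path"] = _in_trusted_root(m.group("path"))
    return rec


def parse_services(text: str) -> List[Dict[str, object]]:
    """Parse every service/driver line in a block of log text."""
    return [r for r in (parse_service_line(ln) for ln in text.splitlines()) if r]


def triage_processes(text: str) -> Dict[str, object]:
    """Summarise an 'Other Running Processes' section.

    untrusted_location: processes running from outside TRUSTED_ROOTS.
    rundll32_hosts: number of rundll32.exe instances (the hosted DLL must be
    checked separately, since this section does not show the command line).
    """
    paths = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.startswith(("-", "."))]  # skip ComboFix separators
    untrusted = [p for p in paths if not _in_trusted_root(p)]
    rundll32 = [p for p in paths if _strip_drive(p).endswith("\\rundll32.exe")]
    return {"total": len(paths), "untrusted_location": untrusted, "rundll32_hosts": len(rundll32)}


if __name__ == "__main__":
    for rec in parse_services(SERVICE_LINES):
        flag = "" if rec["trusted_path"] else "  <-- outside trusted roots"
        print(f"{rec['start']} {rec['name']:<12} {rec['path']} ({rec['size']} bytes){flag}")
    summary = triage_processes(PROCESS_LINES)
    print(f"{summary['total']} processes, {summary['rundll32_hosts']} rundll32.exe instances")
    for p in summary["untrusted_location"]:
        print("untrusted location:", p)
```

The allow-list approach is deliberately coarse: it does not say a file is malicious, only that it runs from a place where a responder should look more closely, which is the same triage the helpers in this thread do by eye before naming files to quarantine.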


#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 27 March 2009 - 07:19 AM

Hello.

Looks like it's gone.

Let's check for anything left.

Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Follow up with a new DDS.txt log please.

Any problems at the moment?

With Regards,
The Panda

#10 Juyce
  • Topic Starter
  • Members
  • 7 posts

Posted 28 March 2009 - 11:42 AM

Hey, that was the longest scan ever..

I guess no more problems with the computer, no more pop ups. Yesterday I was browsing and new tabs in IE kept opening non-stop. But maybe I did something to provoke it. I think it should be fixed. There are just a few files left on my hd. Thanks for the response.

Edited by Juyce, 28 March 2009 - 11:45 AM.


#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 28 March 2009 - 12:13 PM

Hello.

I:\Documents and Settings\Juyce\Desktop\dc187setup.exe
I:\Program Files\DotA Gaming Network\plug-ins\abypass.dsp

The setup file on your desktop and the program it installed is bundled with malware.

Please delete them. Uninstall "DotA Client Build 1.87 (Tester)" using Add/Remove Programs.

Download and Run ATFCleaner
Please download ATF Cleaner by Atribune. This program will clear out temporary files and settings. You will likely be logged out of the forum where you are receiving help.
  • Double-click ATF-Cleaner.exe to run the program. If you are using Windows Vista, right click the icon and select Run As Administrator.
  • Under Main Select Files to Delete choose: Select All.
  • Click the Empty Selected button.
Download and Run OTMoveIT
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :files
    i:\windows\system32\wayapego.dll
    
    :commands
    [emptytemp]
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.

Please tell me what issues are still present.

With Regards,
The Panda

#12 Juyce
  • Topic Starter
  • Members
  • 7 posts

Posted 01 April 2009 - 02:53 PM

Sorry the reply took so long, I was a little busy this week.

I'm having one problem still, I don't know if the malware is causing it or something else. If I have an application running and, let's say, that app shows a link, when I click on the link it does not direct me to the site. A blank Internet Explorer opens but it does not redirect me to the site.

One example: I just opened this program, Network Magic, and it has a link to "View Support FAQ". Once I click it a blank IE pops up and an error message appears:

Windows cannot find 'http://www1.networkmagic.com/support/faq/. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and the click search.

Not just this program, I am pretty sure any program that has a link that will open the browser up. This has never occurred before this infection. Any ideas?

#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 01 April 2009 - 03:32 PM

Hello.

Hmm.. that sounds strange, and not typical of an infection.

Would you consider upgrading to IE8? It usually repairs such issues.

With Regards,
The Panda

#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts

Posted 10 April 2009 - 07:11 PM

Hello.

There has been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



