
Malware removal help


  • This topic is locked
9 replies to this topic

#1 tophe199

tophe199

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 17 March 2009 - 06:06 PM

I believe I'm infected with a trojan of some kind. Many scans later it is still around. It affects mostly iexplorer.exe but seems to have some route into Firefox as well. It is causing popups for various pseudo virus removers (e.g. Malware Defender). It also adds commands to run kemeuta, kagidefe, rizizozu in the startup sections of msconfig, etc.

DDS log below, attach.rar attached. Thanks in advance for your help!


DDS (Ver_09-03-16.01) - NTFSx86
Run by Eliasmiths at 18:46:27.15 on Tue 03/17/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2622 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Switch Off\swoff.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LaunchMate\LnchMate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\movies\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.nhl.tv/team/console.jsp
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {85bbd82e-603b-4365-bfa2-60817ee2d694} - c:\windows\system32\menanati.dll
BHO: {855abdb7-8a80-3799-70f4-9b41d64ed568}: {865de46d-14b9-4f07-9973-08a87bdba558} - c:\windows\system32\zfiyft.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [Switch Off] c:\program files\switch off\swoff.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Maple_S2P] c:\program files\samsung\samsung clx-216x series\spanel\psu\Scan2pc.exe
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\SSMMgr.exe /autorun
mRun: [4c267184] rundll32.exe "c:\windows\system32\kemekuta.dll",b
mRun: [tilovajomo] Rundll32.exe "c:\windows\system32\kagidefe.dll",s
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [CPM4f154218] Rundll32.exe "c:\windows\system32\rizizozu.dll",a
dRun: [Switch Off] c:\program files\switch off\swoff.exe
StartupFolder: c:\docume~1\eliasm~1\startm~1\programs\startup\mozill~2.lnk - c:\program files\mozilla firefox\firefox.exe
StartupFolder: c:\docume~1\eliasm~1\startm~1\programs\startup\mozill~1.lnk - c:\program files\mozilla thunderbird\thunderbird.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\launch~1.lnk - c:\program files\launchmate\LnchMate.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1218903465468
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: okczcd.dll c:\windows\system32\befavesi.dll zfiyft.dll c:\windows\system32\rizizozu.dll c:\windows\system32\lomosuve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rizizozu.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\rizizozu.dll
LSA: Notification Packages = scecli c:\windows\system32\befavesi.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\eliasm~1\applic~1\mozilla\firefox\profiles\oakvpyz0.default\
FF - prefs.js: browser.startup.homepage - hxxp://watarts.uwaterloo.ca/~celiasmi/start.html
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-15 127768]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-7-15 394952]
R2 Switch Off;Switch Off;c:\program files\switch off\swoff.exe -service --> c:\program files\switch off\swoff.exe -service [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-15 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\naveng.sys [2009-1-4 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090104.003\navex15.sys [2009-1-4 876112]
S2 SSPORT;SSPORT;\??\c:\windows\system32\drivers\ssport.sys --> c:\windows\system32\drivers\SSPORT.sys [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\common files\symantec shared\eengine\eraserutildrv10621.sys --> c:\program files\common files\symantec shared\eengine\EraserUtilDrv10621.sys [?]
S4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-11-21 192104]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-11-21 169576]
S4 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-3-14 116416]
S4 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-3-14 1816768]

=============== Created Last 30 ================

2009-03-17 18:37 141,312 a--sh--- c:\windows\system32\zfiyft.dll
2009-03-17 18:37 10,240 a------- c:\windows\instsp2.exe
2009-03-16 13:25 140,800 a--sh--- c:\windows\system32\fcvhhv.dll
2009-03-16 13:25 1,722,823 ---sh--- c:\windows\system32\atukemek.ini
2009-03-15 14:24 1,703,008 ---sh--- c:\windows\system32\upubujuw.ini
2009-03-15 14:24 141,824 a--sh--- c:\windows\system32\puubcv.dll
2009-03-15 02:24 1,702,995 ---sh--- c:\windows\system32\uwisulow.ini
2009-03-15 02:23 141,824 a--sh--- c:\windows\system32\qwflwa.dll
2009-03-06 15:16 67 a------- c:\windows\101_ASB.INI
2009-03-06 15:15 <DIR> --d----- C:\DISNEY
2009-03-02 15:32 <DIR> --d----- C:\KA
2009-02-27 16:06 5,195 a------- c:\windows\system32\DVA.386
2009-02-27 16:06 159 a------- c:\windows\mrpotato.ini

==================== Find3M ====================

2009-03-17 18:37 107,008 a--sh--- c:\windows\system32\rizizozu.dll
2009-03-17 18:37 141,312 a--sh--- c:\windows\system32\bajiwuyu.dll
2009-03-17 18:37 101,376 a--sh--- c:\windows\system32\jumovasi.dll
2009-03-16 21:36 22,030,368 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-03-16 21:36 263,060 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-03-16 13:25 108,544 a--sh--- c:\windows\system32\kawaluka.dll.vir
2009-03-16 13:25 140,800 a--sh--- c:\windows\system32\jopowoti.dll
2009-03-16 13:25 100,864 -------- c:\windows\system32\kemekuta.dll
2009-03-15 14:24 100,864 -------- c:\windows\system32\wujubupu.dll
2009-03-15 14:24 141,824 a--sh--- c:\windows\system32\yiwapeye.dll
2009-03-15 14:24 107,520 a--sh--- c:\windows\system32\lomosuve.dll
2009-03-15 02:23 107,520 a--sh--- c:\windows\system32\jirojihu.dll
2009-03-15 02:23 101,888 -------- c:\windows\system32\wolusiwu.dll
2009-03-15 02:23 141,824 a--sh--- c:\windows\system32\sujofete.dll
2009-02-28 12:18 332,992 a------- c:\docume~1\eliasm~1\applic~1\GDIPFONTCACHEV1.DAT
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-01-05 18:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-04 20:50 29,480 a------- c:\windows\system32\msxml3a.dll
2009-01-04 19:09 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2008-12-18 23:08 130,324 a---h--- c:\windows\system32\mlfcache.dat
0000-00-00 00:00 69,120 a--sh--- c:\windows\system32\befavesi.dll
0000-00-00 00:00 69,120 a--sh--- c:\windows\system32\kagidefe.dll
0000-00-00 00:00 69,120 a--sh--- c:\windows\system32\menanati.dll

============= FINISH: 18:49:40.26 ===============
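The DDS log above shows the load points a Vundo-class infection typically abuses: Run entries that start a DLL through rundll32, AppInit_DLLs, SSODL, and the LSA Notification Packages value, with the referenced DLLs carrying hidden+system attributes (`a--sh---`) in the file listings. The following script is an added triage example, not part of the thread and not code from the DDS tool: it parses a few lines copied from this log (constructed sample), collects every DLL named at those load points, and cross-checks each against the file-listing attributes. The scoring rules (which load points count as risky, hidden+system as a second signal) are my own assumptions, not DDS's logic.

```python
"""Triage a DDS log of the kind posted above for Vundo-style persistence.

Added example, not part of the thread and not code from the DDS tool. It
reads the 'Pseudo HJT Report' load points (Run entries that go through
rundll32, AppInit_DLLs, SSODL, LSA Notification Packages) and cross-checks
every DLL they reference against the DDS file listings, where the attribute
column reveals hidden+system ('a--sh---') DLLs. The scoring rules are my
own assumptions about what merits a second look, not DDS's logic.
"""
import re

# Constructed sample: a handful of lines copied from the DDS log in post #1.
SAMPLE_LOG = r"""
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [4c267184] rundll32.exe "c:\windows\system32\kemekuta.dll",b
mRun: [tilovajomo] Rundll32.exe "c:\windows\system32\kagidefe.dll",s
mRun: [CPM4f154218] Rundll32.exe "c:\windows\system32\rizizozu.dll",a
AppInit_DLLs: okczcd.dll c:\windows\system32\befavesi.dll zfiyft.dll c:\windows\system32\rizizozu.dll c:\windows\system32\lomosuve.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\rizizozu.dll
LSA: Notification Packages = scecli c:\windows\system32\befavesi.dll
2009-03-17 18:37 107,008 a--sh--- c:\windows\system32\rizizozu.dll
2009-03-15 14:24 107,520 a--sh--- c:\windows\system32\lomosuve.dll
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
0000-00-00 00:00 69,120 a--sh--- c:\windows\system32\befavesi.dll
0000-00-00 00:00 69,120 a--sh--- c:\windows\system32\kagidefe.dll
"""

# A DLL given either as a full drive path or as a bare file name
# (AppInit_DLLs mixes both forms, as the sample shows).
DLL_RE = re.compile(r'[a-z]:\\[^\s",]+?\.dll|\b[a-z0-9_]+\.dll', re.I)
# DDS file-listing line: date time size-or-<DIR> attributes path
FILE_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (<DIR>|[\d,]+) ([a-z-]{8}) (.+)$', re.I)

# Load points that legitimate software almost never uses with a random-named
# DLL from system32 (assumption used for scoring).
RISKY_POINTS = {"Run/rundll32", "AppInit_DLLs", "LSA Notification Packages"}


def parse_file_listing(lines):
    """Map lowercase path -> DDS attribute string for file-listing lines."""
    attrs = {}
    for line in lines:
        m = FILE_RE.match(line)
        if m:
            attrs[m.group(5).strip().lower()] = m.group(4)
    return attrs


def load_points(lines):
    """Yield (load_point, dll) for each DLL referenced by a persistence entry."""
    for line in lines:
        if line.startswith(("uRun:", "mRun:", "dRun:")):
            # Only Run entries that reach a DLL through rundll32 are of interest here.
            if re.search(r"rundll32\.exe", line, re.I):
                for dll in DLL_RE.findall(line):
                    yield "Run/rundll32", dll.lower()
        elif line.startswith("AppInit_DLLs:"):
            for dll in DLL_RE.findall(line):
                yield "AppInit_DLLs", dll.lower()
        elif line.startswith("SSODL:"):
            for dll in DLL_RE.findall(line):
                yield "SSODL", dll.lower()
        elif line.startswith("LSA:"):
            for dll in DLL_RE.findall(line):
                yield "LSA Notification Packages", dll.lower()


def triage(log_text):
    """Return {dll basename: {"points": set, "attrs": str|None, "suspicious": bool}}."""
    lines = log_text.splitlines()
    attrs = parse_file_listing(lines)
    report = {}
    for point, dll in load_points(lines):
        name = dll.rsplit("\\", 1)[-1]
        entry = report.setdefault(name, {"points": set(), "attrs": None, "suspicious": False})
        entry["points"].add(point)
        entry["attrs"] = attrs.get(dll, entry["attrs"])
        # Hidden+system attributes on a DLL loaded at startup is the second signal.
        hidden_system = bool(entry["attrs"]) and "s" in entry["attrs"] and "h" in entry["attrs"]
        entry["suspicious"] = entry["suspicious"] or point in RISKY_POINTS or hidden_system
    return report


def suspicious_names(report):
    """Sorted basenames that scored as suspicious."""
    return sorted(n for n, e in report.items() if e["suspicious"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for name in suspicious_names(result):
        e = result[name]
        print(f"{name:22} attrs={e['attrs'] or 'n/a':9} via {', '.join(sorted(e['points']))}")
```

Running it over the sample flags the seven random-named DLLs (kemekuta, kagidefe, rizizozu, okczcd, befavesi, zfiyft, lomosuve) and leaves the legitimate `WPDShServiceObj.dll` SSODL entry alone, because an SSODL entry only scores when its DLL is also hidden+system. The same cross-check explains why Malwarebytes later reported these files as Trojan.Vundo: the load points and the file attributes corroborate each other.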

#2 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 28 March 2009 - 12:32 PM

Hello tophe199,

I apologise for the delay, the forum is busy.

It also adds commands to run kemeuta, kagidefe, rizizozu in the startup sections of msconfig, etc.

Can you please re-enable all these using msconfig? I want Malwarebytes' Anti-Malware to be able to remove as much as possible.
----------------------------------------------
Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Check (tick) all items except items in the C:\System Volume Information folder, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.
----------------------------------------------
Download and Run HijackThis
Download HJTInstall.exe to your Desktop.
  • Doubleclick HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
----------------------------------------------
Post back:
Malwarebytes' Anti-Malware report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 tophe199

tophe199
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 01 April 2009 - 07:37 AM

Hi,

Thanks for your help. I should note that in my impatience I ran combofix before you replied. That will presumably explain why some of the reported problems are already gone from these logs.

Thanks again!

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

4/1/2009 8:31:03 AM
mbam-log-2009-04-01 (08-31-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 238816
Time elapsed: 1 hour(s), 16 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 29

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{865de46d-14b9-4f07-9973-08a87bdba558} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\befavesi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fcvhhv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jirojihu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jopowoti.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kagidefe.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kemekuta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\menanati.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\puubcv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\qwflwa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\sujofete.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wolusiwu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wujubupu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yiwapeye.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049082.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049088.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049098.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049099.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049101.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049107.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049113.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049114.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049118.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049128.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049129.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049130.dll (Trojan.Vundo) -> Not selected for removal.
C:\System Volume Information\_restore{55F2ED66-E836-4C11-8F8C-7274BDC4222F}\RP76\A0049097.dll (Trojan.Vundo) -> Not selected for removal.
C:\WINDOWS\system32\jumovasi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\reperizu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\instsp2.exe (Trojan.Agent) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:47 AM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Switch Off\swoff.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LaunchMate\LnchMate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.tv/team/console.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Maple_S2P] C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKCU\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - HKUS\S-1-5-18\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe (User 'Default user')
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: LaunchMate.lnk = C:\Program Files\LaunchMate\LnchMate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218903465468
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Switch Off - YaSoft - C:\Program Files\Switch Off\swoff.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6593 bytes

#4 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 01 April 2009 - 08:05 AM

Hello tophe199,

I understand your frustration, but the forum is very busy.

You shouldn't run the Combofix tool, as it should only be used under an expert's guidance. Since you ran it, please find the report in the C:\Combofix folder and post it.
----------------------------------------------
I see you have a firewall but not an Anti-Virus. This is very dangerous for your PC. You are completely open to infections.

You aren't running Anti Virus Software

Anti-virus software is a program that detects, cleanses, and erases harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
- Free anti-virus software for Windows.
- Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
- Anti-virus program for Windows.
- The home edition is freeware for non-commercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non-commercial use.
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#5 tophe199

tophe199
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 01 April 2009 - 07:35 PM

As requested.... thanks for your time.

-c


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:04 PM, on 4/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Switch Off\swoff.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LaunchMate\LnchMate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.tv/team/console.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Maple_S2P] C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKCU\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - HKUS\S-1-5-18\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe (User 'Default user')
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: LaunchMate.lnk = C:\Program Files\LaunchMate\LnchMate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218903465468
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Switch Off - YaSoft - C:\Program Files\Switch Off\swoff.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7498 bytes


ComboFix 09-03-27.02 - **** 2009-03-28 9:32:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2801 [GMT -4:00]
Running from: d:\movies\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\arabalul.ini
c:\windows\system32\atukemek.ini
c:\windows\system32\awatapam.ini
c:\windows\system32\bajiwuyu.dll
c:\windows\system32\befavesi.dll
c:\windows\system32\dardrv.dll
c:\windows\system32\darehuki.dll
c:\windows\system32\dkxrjz.dll
c:\windows\system32\ewewivaf.ini
c:\windows\system32\fafenume.dll
c:\windows\system32\fcvhhv.dll
c:\windows\system32\geyamiza.dll
c:\windows\system32\gorobumu.dll
c:\windows\system32\hckkpz.dll
c:\windows\system32\hugupapu.dll
c:\windows\system32\huzibeyu.dll
c:\windows\system32\ikuherad.ini
c:\windows\system32\jfjgqf.dll
c:\windows\system32\jidizg.dll
c:\windows\system32\jirojihu.dll
c:\windows\system32\jopowoti.dll
c:\windows\system32\kagidefe.dll
c:\windows\system32\karihoje.dll
c:\windows\system32\kawaluka.dll.vir
c:\windows\system32\kemekuta.dll
c:\windows\system32\kucnzh.dll
c:\windows\system32\ledibula.dll
c:\windows\system32\lomosuve.dll
c:\windows\system32\lulabara.dll
c:\windows\system32\mapatawa.dll
c:\windows\system32\menanati.dll
c:\windows\system32\mofavagu.dll
c:\windows\system32\mowotefe.dll
c:\windows\system32\niyihifi.dll
c:\windows\system32\otuzevih.ini
c:\windows\system32\popatetu.dll
c:\windows\system32\puubcv.dll
c:\windows\system32\qwflwa.dll
c:\windows\system32\rizizozu.dll
c:\windows\system32\ropepenu.dll
c:\windows\system32\suhovoti.dll
c:\windows\system32\sujofete.dll
c:\windows\system32\tayijobu.dll
c:\windows\system32\udavatef.ini
c:\windows\system32\unepepor.ini
c:\windows\system32\upubujuw.ini
c:\windows\system32\uwisulow.ini
c:\windows\system32\uyebizuh.ini
c:\windows\system32\vafowine.dll
c:\windows\system32\vakidibe.dll
c:\windows\system32\vapapuju.dll
c:\windows\system32\wolusiwu.dll
c:\windows\system32\wujubupu.dll
c:\windows\system32\yiwapeye.dll
c:\windows\system32\zfiyft.dll
c:\windows\system32\zheebc.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_PCIDump


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-17 18:37 . 2009-03-17 18:37 10,240 --a------ c:\windows\instsp2.exe
2009-03-06 15:16 . 2009-03-06 15:16 67 --a------ c:\windows\101_ASB.INI
2009-03-06 15:15 . 2009-03-06 15:15 <DIR> d-------- C:\DISNEY
2009-03-02 15:32 . 2009-03-02 15:32 <DIR> d-------- C:\KA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 14:50 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-28 14:49 5,195,879 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-03-28 13:38 267,644 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-03-28 13:38 22,224,928 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-02-28 16:18 332,992 ----a-w c:\documents and settings\****\Application Data\GDIPFONTCACHEV1.DAT
2009-02-26 02:58 815,616 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-02-26 01:04 --------- d-----w c:\program files\The Print Shop 21
2009-02-13 01:07 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-02-13 01:07 --------- d-----w c:\program files\Uniblue
2009-02-13 01:07 --------- d-----w c:\documents and settings\****\Application Data\Uniblue
2009-01-31 20:49 --------- d-----w c:\documents and settings\****\Application Data\ImgBurn
2009-01-31 20:17 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2009-01-31 19:06 --------- d-----w c:\program files\AVStoDVD
2009-01-31 19:06 --------- d-----w c:\program files\AviSynth 2.5
2009-01-04 16:11 593,920 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-01-04 16:11 1,729,536 ----a-w c:\windows\Internet Logs\xDBB.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Switch Off"="c:\program files\Switch Off\swoff.exe" [2008-07-15 19456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Maple_S2P"="c:\program files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe" [2007-01-15 253952]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-06-04 536576]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Switch Off"="c:\program files\Switch Off\swoff.exe" [2008-07-15 19456]

c:\documents and settings\****\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2008-07-15 307704]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2008-07-15 8500328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchMate.lnk - c:\program files\LaunchMate\LnchMate.exe [2008-07-15 618496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a-squared

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-11-21 18:38 52840 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 12:36 50472 c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
--------- 2008-03-20 21:23 83240 c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2007-03-14 20:49 125632 c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=3 (0x3)
"CCALib8"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"LiveUpdate"=3 (0x3)
"RichVideo"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"a2free"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-15 101936]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S2 Switch Off;Switch Off;c:\program files\Switch Off\swoff.exe -service --> c:\program files\Switch Off\swoff.exe -service [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]
.
Contents of the 'Scheduled Tasks' folder

2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2009-03-28 c:\windows\Tasks\ubfknnhi.job
- c:\windows\system32\nnnKBrpp.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{85bbd82e-603b-4365-bfa2-60817ee2d694} - c:\windows\system32\menanati.dll
BHO-{aff3afeb-e234-4739-82d3-2bf5650534a9} - c:\windows\system32\kucnzh.dll
MSConfigStartUp-4c267184 - c:\windows\system32\kemekuta.dll
MSConfigStartUp-CPM4f154218 - c:\windows\system32\lomosuve.dll
MSConfigStartUp-Nvacinohazozahu - c:\windows\Vvofozavuy.dll
MSConfigStartUp-tilovajomo - c:\windows\system32\kagidefe.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.tv/team/console.jsp
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\****\Application Data\Mozilla\Firefox\Profiles\oakvpyz0.default\
FF - prefs.js: browser.startup.homepage - hxxp://****
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 10:50:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8f,6f,2c,af,f8,19,e6,5b,5e,bd,5a,fd,69,6d,da,b0,69,62,c0,5a,86,
eb,b2,cf,e5,3b,a2,04,b9,8e,8d,19,7e,c8,50,95,2b,86,98,a5,5b,8b,20,4b,27,92,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Hw*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"e:\\drivers\\chipset\\driver\\x86_x64\\sbdrv\\smbus\\smbusati.inf\00"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8f,6f,2c,af,f8,19,e6,5b,5e,bd,5a,fd,69,6d,da,b0,69,62,c0,5a,86,
eb,b2,cf,e5,3b,a2,04,b9,8e,8d,19,7e,c8,50,95,2b,86,98,a5,5b,8b,20,4b,27,92,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(804)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-03-28 10:55:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-28 14:55:51

Pre-Run: 73,015,869,440 bytes free
Post-Run: 73,862,062,080 bytes free

272 --- E O F --- 2009-03-11 07:00:36

Edited by tophe199, 01 April 2009 - 07:39 PM.
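The logs above are what a helper reads by eye: pseudo-random eight-letter DLL and INI names in system32 (the files ComboFix deleted and the BHO/MSConfig orphans it removed), a scheduled task whose target is a DLL, Security Center override values, a disabled Windows Firewall policy with 3389/TCP globally open and BitTorrent on the exceptions list. As an added example that is not code from this thread, BleepingComputer, HijackThis or ComboFix, here is a small Python triage script that encodes those checks and runs them over constructed sample lines modelled on the logs. The name heuristic, the allowlist, the P2P client list, the severities and the sample lines are all my own assumptions; a real tool would compare file hashes against a known-good set rather than judge names.

```python
"""Triage of HijackThis / ComboFix-style log lines.

Added example for this thread, not code from BleepingComputer, HijackThis or
ComboFix.  Every threshold, name list and severity here is my own assumption,
chosen from the patterns visible in the logs posted above.
"""
import re
from collections import Counter

VOWELS = set("aeiou")
# Legitimate short Windows binaries the name heuristic would otherwise flag
# (assumed, partial; a real tool should check hashes against a known-good set).
ALLOWLIST = {"ctfmon", "svchost", "userinit", "msvcrt", "wscntfy", "spoolsv"}
# File-sharing clients whose firewall exception deserves a second look (assumed).
P2P_CLIENTS = {"bittorrent", "utorrent", "limewire", "emule"}
# Registry values that weaken the machine's own defences.  DisableMonitoring is
# routinely set by third-party AV/firewall suites, so it only rates "low".
POSTURE = {
    '"antivirusoverride"=dword:00000001': ("medium", "Security Center told to ignore AV state"),
    '"disablemonitoring"=dword:00000001': ("low", "Security Center monitoring disabled (confirm the AV/firewall suite did it)"),
    '"enablefirewall"= 0 (0x0)': ("medium", "Windows Firewall policy off (fine only if another firewall is active)"),
}
WIN_FILE = re.compile(r"[a-z]:\\windows\\(?:system32\\)?([a-z0-9_]+)\.(dll|ini|exe|scr)")
AUTOSTART_PREFIXES = ("o4 ", "o2 ", "bho-", "msconfigstartup-")
OPEN_PORT = re.compile(r'^"(\d+):(tcp|udp)"=')
FW_APP = re.compile(r'([a-z0-9_]+)\.exe"=$')


def looks_random(name: str) -> bool:
    """Dropper-style names: 6-8 lowercase letters, either strictly
    consonant/vowel alternating (kemekuta, rizizozu) or nearly vowel-free
    (dkxrjz, hckkpz).  Misses some (jidizg) rather than flag every short DLL."""
    if name in ALLOWLIST or not re.fullmatch(r"[a-z]{6,8}", name):
        return False
    shape = "".join("V" if c in VOWELS else "C" for c in name)
    alternating = all(a != b for a, b in zip(shape, shape[1:]))
    return (len(name) == 8 and alternating) or shape.count("V") <= 1


def triage(log_text: str) -> list:
    """Return (severity, reason, line) findings for a HJT/ComboFix log."""
    findings = []
    lines = log_text.splitlines()
    for i, raw in enumerate(lines):
        line = raw.strip()
        low = line.lower()
        # 1. Files under c:\windows with random-looking names.  In an autostart
        #    entry (Run key, BHO, msconfig item) the file also persists: high.
        for name, ext in WIN_FILE.findall(low):
            if looks_random(name):
                persistent = low.startswith(AUTOSTART_PREFIXES)
                where = " in an autostart entry" if persistent else ""
                findings.append(("high" if persistent else "medium",
                                 f"random-looking {ext} name '{name}'{where}", line))
        # 2. A scheduled task whose target (ComboFix prints it on the next line)
        #    is a DLL; legitimate tasks launch executables.
        if low.endswith(".job") and i + 1 < len(lines):
            target = lines[i + 1].strip()
            if ".dll" in target.lower():
                findings.append(("high", "scheduled task launches a DLL", f"{line} -> {target}"))
        # 3. Defences switched off in the registry.
        if low in POSTURE:
            findings.append((*POSTURE[low], line))
        # 4. Firewall policy: ports opened to everyone, P2P clients exempted.
        m = OPEN_PORT.match(low)
        if m:
            findings.append(("medium", f"port {m.group(1)}/{m.group(2).upper()} open in firewall policy", line))
        m = FW_APP.search(low)
        if m and m.group(1) in P2P_CLIENTS:
            findings.append(("low", f"file-sharing client '{m.group(1)}' authorized through firewall", line))
    return findings


def flagged_names(log_text: str) -> set:
    """Random-looking file names anywhere in the log (a Jotti/Collect:: list)."""
    return {n for n, _ in WIN_FILE.findall(log_text.lower()) if looks_random(n)}


def summary(log_text: str) -> dict:
    return dict(Counter(sev for sev, _, _ in triage(log_text)))


# Constructed sample: a handful of lines modelled on the logs in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\kemekuta.dll
c:\windows\system32\rizizozu.dll
c:\windows\system32\arabalul.ini
c:\windows\system32\dkxrjz.dll
c:\windows\instsp2.exe
BHO-{85bbd82e-603b-4365-bfa2-60817ee2d694} - c:\windows\system32\menanati.dll
MSConfigStartUp-tilovajomo - c:\windows\system32\kagidefe.dll
2009-03-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2009-03-28 c:\windows\Tasks\ubfknnhi.job
- c:\windows\system32\nnnKBrpp.dll []
"AntiVirusOverride"=dword:00000001
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

if __name__ == "__main__":
    order = ("high", "medium", "low")
    for sev, reason, line in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f[0])):
        print(f"[{sev:6}] {reason}: {line}")
    print(summary(SAMPLE_LOG))
```

Run against the sample it reports three high findings (the BHO and MSConfig entries pointing at random-named DLLs, and the ubfknnhi.job task launching nnnKBrpp.dll), eight medium ones (the remaining random-named files, the AV override, the firewall policy and the open 3389/TCP port) and two low ones. Note that c:\windows\instsp2.exe is deliberately not flagged: its name carries no signal, which is exactly why the helper asks for it to be collected and checked rather than deleted.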


#6 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  •  
  • Local time:06:42 PM

Posted 02 April 2009 - 01:17 PM

Hello tophe199,

Did you set this line as your start page?

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.tv/team/console.jsp


Do you know what this folder is?

C:\KA
----------------------------------------------
Upload a File to Jotti
Please visit http://virusscan.jotti.org/

Copy/paste this file and path into the white box at the top:

c:\windows\101_ASB.INI

Press Submit - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 13.
  • Go to Java Site
  • Click to Download Java SE Runtime Environment (JRE) 6 Update 13
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u13-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.bleepingcomputer.com/forums/t/211923/malware-removal-help/?p=1204196
    Collect::
    c:\windows\instsp2.exe
    
    File::
    c:\windows\Tasks\ubfknnhi.job
    
    DirLook::
    C:\KA
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • If you need help to disable your protection programs see here.
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
----------------------------------------------
Post back:
Answer to my questions.
Jotti results.
Combofix report.
Kaspersky report with description of how your pc is behaving.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#7 tophe199

tophe199
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:11:42 AM

Posted 04 April 2009 - 03:38 PM

Hi Again,

Answer to questions:
1. Yes I set that as my start page
2. the KA directory is from knowledge adventures games (kids software)

Jotti Results

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File: 101_ASB.INI
Status:
OK
MD5: b7af6456367817f10f50266dcbe978c3
Packers detected:
-
Scanner results
Scan taken on 04 Apr 2009 13:39:50 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Quick Heal
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.


ComboFix 09-04-03.01 - Eliasmiths 2009-04-04 10:03:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2879 [GMT -4:00]
Running from: c:\combofix malware fixer\ComboFix.exe
Command switches used :: c:\documents and settings\Eliasmiths\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Outdated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point

FILE ::
c:\windows\Tasks\ubfknnhi.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\ubfknnhi.job

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-04 09:50 . 2009-04-04 09:49 410,984 --a------ c:\windows\system32\deploytk.dll
2009-04-01 08:35 . 2009-04-01 08:35 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 00:13 . 2009-04-01 00:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 00:13 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 00:13 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-06 15:16 . 2009-03-06 15:16 67 --a------ c:\windows\101_ASB.INI
2009-03-06 15:15 . 2009-03-06 15:15 <DIR> d-------- C:\DISNEY

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 13:56 --------- d-----w c:\program files\Symantec AntiVirus
2009-04-04 13:49 --------- d-----w c:\program files\Java
2009-04-03 21:36 --------- d-----w c:\program files\Mozilla Thunderbird
2009-04-01 12:31 272,972 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-01 12:31 22,894,624 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-03-28 14:49 5,195,879 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-02-28 16:18 332,992 ----a-w c:\documents and settings\Eliasmiths\Application Data\GDIPFONTCACHEV1.DAT
2009-02-26 02:58 815,616 ----a-w c:\windows\Internet Logs\xDBC.tmp
2009-02-26 01:04 --------- d-----w c:\program files\The Print Shop 21
2009-02-13 01:07 --------- dc-h--w c:\documents and settings\All Users\Application Data\{B46E1EF5-0B37-4DB4-A4E2-9F2B41036185}
2009-02-13 01:07 --------- d-----w c:\program files\Uniblue
2009-02-13 01:07 --------- d-----w c:\documents and settings\Eliasmiths\Application Data\Uniblue
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2009-01-05 00:50 29,480 ----a-w c:\windows\system32\msxml3a.dll
2009-01-04 23:09 48,768 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-01-04 16:11 593,920 ----a-w c:\windows\Internet Logs\xDBA.tmp
2009-01-04 16:11 1,729,536 ----a-w c:\windows\Internet Logs\xDBB.tmp
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\KA ----

2009-03-04 16:58 385 --a------ c:\ka\PRE_K\students.dat
2009-03-02 15:32 93 --a------ c:\ka\PRE_K\PRE_K.INI
2009-03-02 15:32 1539 --a------ c:\ka\PRE_K\DeIsL1.isu
1996-08-14 12:31 266786 --a------ c:\ka\PRE_K\PRE_K.EXE
1996-08-13 07:51 766 --a------ c:\ka\PRE_K\PRE_K.ICO
1996-08-12 21:55 7373475 --a------ c:\ka\PRE_K\DATA.DF
1996-02-25 20:17 132608 --a------ c:\ka\PRE_K\WSOUND32.DLL


((((((((((((((((((((((((((((( SnapShot@2009-03-28_10.55.15.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-10 05:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-04-04 13:49:43 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 05:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-04-04 13:49:43 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 06:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-04-04 13:49:43 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-03-30 21:13:00 53,248 ----a-w c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2009-03-09 20:21:56 62,286 ----a-w c:\windows\system32\perfc009.dat
+ 2009-03-28 14:54:14 62,286 ----a-w c:\windows\system32\perfc009.dat
- 2009-03-09 20:21:56 400,624 ----a-w c:\windows\system32\perfh009.dat
+ 2009-03-28 14:54:15 400,624 ----a-w c:\windows\system32\perfh009.dat
+ 2009-04-04 13:50:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_f04.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Switch Off"="c:\program files\Switch Off\swoff.exe" [2008-07-15 19456]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SWHelper"="c:\windows\system32\Macromed\Shockwave 10\PostUpdate.exe" [2009-03-30 53248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Maple_S2P"="c:\program files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe" [2007-01-15 253952]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-06-04 536576]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2007-03-14 125632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-04 148888]
"CTHelper"="CTHELPER.EXE" [2007-04-09 c:\windows\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 c:\windows\system32\Ctxfihlp.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-12-20 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Switch Off"="c:\program files\Switch Off\swoff.exe" [2008-07-15 19456]

c:\documents and settings\Eliasmiths\Start Menu\Programs\Startup\
Mozilla Firefox.lnk - c:\program files\Mozilla Firefox\firefox.exe [2008-07-15 307704]
Mozilla Thunderbird.lnk - c:\program files\Mozilla Thunderbird\thunderbird.exe [2008-07-15 8500328]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LaunchMate.lnk - c:\program files\LaunchMate\LnchMate.exe [2008-07-15 618496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 22:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 16:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-07-10 09:47 116040 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2006-11-21 18:38 52840 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-07-10 10:51 289064 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 12:36 50472 c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
--------- 2008-03-20 21:23 83240 c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2007-03-14 20:49 125632 c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SharedAccess"=2 (0x2)
"iPod Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"aawservice"=3 (0x3)
"CCALib8"=2 (0x2)
"Adobe Version Cue CS3"=3 (0x3)
"LiveUpdate"=3 (0x3)
"RichVideo"=2 (0x2)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"SPBBCSvc"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"MDM"=2 (0x2)
"LexBceS"=2 (0x2)
"a2free"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"SNDSrvc"=3 (0x3)
"SavRoam"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Switch Off;Switch Off;c:\program files\Switch Off\swoff.exe -service --> c:\program files\Switch Off\swoff.exe -service [?]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-07-20 84992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-15 101936]
S2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]
S3 EraserUtilDrv10621;EraserUtilDrv10621;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10621.sys [?]
S4 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-03-14 116416]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - JAVAQUICKSTARTERSERVICE
.
Contents of the 'Scheduled Tasks' folder

2009-04-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.nhl.tv/team/console.jsp
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Eliasmiths\Application Data\Mozilla\Firefox\Profiles\oakvpyz0.default\
FF - prefs.js: browser.startup.homepage - hxxp://watarts.uwaterloo.ca/~celiasmi/start.html
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 10:05:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTHelper = CTHELPER.EXE?
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:8f,6f,2c,af,f8,19,e6,5b,5e,bd,5a,fd,69,6d,da,b0,69,62,c0,5a,86,
eb,b2,cf,e5,3b,a2,04,b9,8e,8d,19,7e,c8,50,95,2b,86,98,a5,5b,8b,20,4b,27,92,\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\Hw*]
"DisplayName"="???\17?\11\09"
"DeviceDesc"="???\17?\11\09"
"ProviderName"="???\11?\17?\11??"
"MFG"="???????"
"ReinstallString"=".10.1000.7"
"DeviceInstanceIds"=multi:"e:\\drivers\\chipset\\driver\\x86_x64\\sbdrv\\smbus\\smbusati.inf\00"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:8f,6f,2c,af,f8,19,e6,5b,5e,bd,5a,fd,69,6d,da,b0,69,62,c0,5a,86,
eb,b2,cf,e5,3b,a2,04,b9,8e,8d,19,7e,c8,50,95,2b,86,98,a5,5b,8b,20,4b,27,92,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-04-04 10:07:03
ComboFix-quarantined-files.txt 2009-04-04 14:07:01
ComboFix2.txt 2009-03-28 14:55:56

Pre-Run: 74,817,019,904 bytes free
Post-Run: 74,773,553,152 bytes free

232 --- E O F --- 2009-03-29 23:57:03

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, April 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, April 04, 2009 15:36:32
Records in database: 2010107
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 150334
Threat name: 38
Infected objects: 55
Suspicious objects: 7
Duration of the scan: 04:07:10


File name / Threat name / Threats count
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Diehard.dk 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Agent.tpf 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Clicker.HTML.Agent.ag 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.Win32.Zbot.dnv 3
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Small.aafc 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.Crypt.hz 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.lpc 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.Win32.Zbot.dya 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.lpp 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.Win32.Zbot.dzc 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.lsq 2
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.Win32.Zbot.ehs 3
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.lut 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.lze 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.mfa 3
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.mma 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.mty 3
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.FraudPack.gen 3
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.eqm 2
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Spy.Win32.Zbot.etp 2
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.ons 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.ovn 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.Monderb.rov 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.Agent.afhp 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Email-Worm.Win32.Druzgl.a 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.Agent.agwr 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.qzg 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.Agent.ajcd 2
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Downloader.Win32.Small.afzf 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan.Win32.Agent.alur 2
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Trojan-Dropper.Win32.Agent.zdl 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.seh 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox Infected: Worm.Win32.AutoRun.shm 2
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 7
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Junk Infected: Trojan.HTML.PCard.l 1
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Junk Infected: Trojan-Downloader.Win32.Small.aafc 1
C:\Program Files\serv-U\Serv-U32.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.24.a 1
C:\Program Files\UltraVNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1102 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mapatawa.dll.vir Infected: Trojan.Win32.Monder.bvzf 1
D:\movies\Software\serv-U.zip Infected: not-a-virus:Server-FTP.Win32.Serv-U.24.a 1

The selected area was scanned.

Behaviour: I have not noticed any odd behaviour since the original ComboFix run. (My computer does blue screen on shut down, but it has done that for about the last month).

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:36:01 PM, on 4/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Switch Off\swoff.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Symantec AntiVirus\vptray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_07\bin\javaws.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nhl.tv/team/console.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Maple_S2P] C:\Program Files\Samsung\Samsung CLX-216x Series\SPanel\PSU\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SWHelper] "C:\WINDOWS\system32\Macromed\Shockwave 10\PostUpdate.exe" 1010011
O4 - HKUS\S-1-5-18\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Switch Off] C:\Program Files\Switch Off\swoff.exe (User 'Default user')
O4 - Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Startup: Mozilla Thunderbird.lnk = C:\Program Files\Mozilla Thunderbird\thunderbird.exe
O4 - Global Startup: LaunchMate.lnk = C:\Program Files\LaunchMate\LnchMate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1218903465468
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Switch Off - YaSoft - C:\Program Files\Switch Off\swoff.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7907 bytes

#8 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 05 April 2009 - 02:41 AM

Hello tophe199,

Behaviour: I have not noticed any odd behaviour since the original ComboFix run.


Nice to hear this.

(My computer does blue screen on shut down, but it has done that for about the last month).

We've almost finished cleaning your pc. This is not a malware issue, and I suggest you open a thread in a General Troubleshooting forum to get help for this, after we are done.

Some links for you:
http://forums.whatthetech.com/forums.html
http://www.bleepingcomputer.com/forums/
http://www.techguy.org/
----------------------------------------------
Now let's continue.

You have a lot of infected emails in the folders below:
C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Inbox

C:\Documents and Settings\Eliasmiths\Application Data\Thunderbird\Profiles\kxm3qks9.default\Mail\Local Folders\Junk

Go manually and empty both Inbox and Junk folders.
----------------------------------------------
Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK
The above procedure will reset your System Restore and clear out the backups and quarantines created during the course of this fix.
----------------------------------------------
Congratulations, your machine appears to be clean! :thumbup2:

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.6
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find the tutorial here: http://www.mvps.org/winhelp2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here on how to prevent malware.

Is your pc running slow?
Read What to do if your Computer is running slowly

Happy safe surfing!
Private Messages for personal support will be ignored. If you need help post in the forum.
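The hosts-file mechanism chryssi2001 describes above, as an added example that is not part of the post or of the MVPS project: a small Python parser for hosts-file syntax that reports whether a name would be sinkholed to 127.0.0.1 (or 0.0.0.0), plus a defender's check for the reverse problem, a tampered hosts file that blocks names the machine must reach, such as the Microsoft Update site the post recommends visiting. The sample hosts text, its example domains and the SINKHOLE_ADDRESSES set are constructed assumptions, not the real MVPS list.

```python
"""Hosts-file blocklist check (added example; constructed data, not the MVPS file)."""
import ipaddress
import os
import sys

# Constructed sample in hosts-file syntax. The real MVPS list is far longer;
# every name here is a documentation/example domain or a deliberate test case.
SAMPLE_HOSTS = """\
# constructed example, not the MVPS Hosts file
127.0.0.1   localhost
0.0.0.0     ads.example.net                         # blocked ad server
127.0.0.1   tracker.example.org www.tracker.example.org
127.0.0.1   WWW.BadPopups.Example                   # case is ignored by the resolver
192.0.2.10  intranet.example.com                    # genuine mapping, not a block
127.0.0.1   www.update.microsoft.com                # constructed tampering example
"""

# Addresses a blocklist uses to make a name resolve to "nowhere" (assumed set).
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Map each hostname in hosts-file text to its address (names lower-cased).

    Grammar, identical on Windows and Unix: '#' starts a comment, blank lines
    are ignored, and each remaining line is an IP address followed by one or
    more hostnames. The first mapping for a name wins, as in the resolver.
    """
    mappings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: no hostname after the address
        try:
            address = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed: first field is not an IP address
        for name in fields[1:]:
            mappings.setdefault(name.lower(), address)
    return mappings


def classify(text, hostnames):
    """For each hostname, say whether the hosts file sinkholes it, maps it
    to a real address, or leaves it to normal DNS resolution."""
    mappings = parse_hosts(text)
    verdict = {}
    for host in hostnames:
        address = mappings.get(host.lower())
        if address is None:
            verdict[host] = "dns"
        elif address in SINKHOLE_ADDRESSES:
            verdict[host] = "sinkholed"
        else:
            verdict[host] = "mapped:" + address
    return verdict


def find_unexpected_sinkholes(text, must_reach):
    """Names from must_reach that the hosts file sends to a sinkhole address.

    A blocklist should never contain update or security sites; an entry for
    one is a sign the file was tampered with (malware has used this trick to
    keep a machine from fetching updates and signatures).
    """
    verdict = classify(text, must_reach)
    return [h for h in must_reach if verdict[h] == "sinkholed"]


def system_hosts_path():
    """Location of the live hosts file on this machine."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if "--system" in sys.argv:  # inspect the real file instead of the sample
        with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    print(classify(text, ["ads.example.net", "intranet.example.com", "unknown.example"]))
    print("unexpected:", find_unexpected_sinkholes(text, ["www.update.microsoft.com"]))
```

Run it as-is to check the constructed sample, or with `--system` to read the live hosts file. A hosts entry only affects name resolution: software that connects to a hard-coded IP address, or that performs its own DNS lookups, is not stopped by it, so the hosts file is a supplement to the antivirus and updates the post recommends, not a replacement.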

#9 tophe199

tophe199
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:11:42 AM

Posted 05 April 2009 - 10:20 AM

Thanks a ton for your help. You rock!

-c.

#10 chryssi2001

chryssi2001

  • Members
  • 1,930 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 05 April 2009 - 12:26 PM

You are welcome, I'm glad I could help you out! :thumbup2:
Now that your problem appears to be resolved, this thread will be closed.
In case you have any problems, please Start a new topic.
Private Messages for personal support will be ignored. If you need help post in the forum.



