Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

All kinds of trouble...


  • This topic is locked This topic is locked
10 replies to this topic

#1 Jakezim

Jakezim

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 29 March 2009 - 06:33 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:24, on 2009-03-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SpywareDetector\SDMainService.exe
C:\Program Files\SpywareDetector\SDService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\SpiralFrog\Spiralfrog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareDetector\SDActiveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\SpywareDetector\SpywareDetector.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=101676&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - {af632abb-0d6b-46d3-bc23-61378734e588} - C:\WINDOWS\system32\zitovovi.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpiralFrog] C:\Program Files\SpiralFrog\Spiralfrog.exe
O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDtoiPodConverter_upgrade] "C:\Program Files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" /upgrade
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Wgipugu] rundll32.exe "C:\WINDOWS\udusafuza.dll",e
O4 - HKLM\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\tefiwizu.dll",s
O4 - HKLM\..\Run: [CPMe72650fc] Rundll32.exe "c:\windows\system32\hojubipa.dll",a
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Diagnostic Manager] C:\DOCUME~1\Tom\LOCALS~1\Temp\3207210426.exe
O4 - HKUS\S-1-5-19\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\tefiwizu.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [niguwufosa] Rundll32.exe "C:\WINDOWS\system32\tefiwizu.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab50997.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by106fd.bay106.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab50997.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - AppInit_DLLs: c:\windows\system32\vawerepu.dll c:\windows\system32\hojubipa.dll
O21 - SSODL: WPDShServiceObj - b{aaa288ba-9a4c-45b0-95d7-94d524869db5} - (no file)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hojubipa.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\hojubipa.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 12006 bytes



All kinds of things pop up when I scan with an anti-spyware program, such as: Trojan.AppInit_Dlls and GenSTS.{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}.

Can someone please help me?

BC AdBot (Login to Remove)

 


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:57 PM

Posted 05 April 2009 - 03:35 PM

Hello, Jakezim
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author: Posted Image

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click Posted Image on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here :thumbup2:
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Jakezim

Jakezim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 05 April 2009 - 10:23 PM

ComboFix 09-04-04.01 - Tom 2009-04-05 10:06:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.897 [GMT -5:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFixx.exe
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point
.
ADS - svchost.exe: deleted 32768 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Tom\a.exe
c:\windows\system32\amomqewb.ini
c:\windows\system32\avatotef.ini
c:\windows\system32\badarizo.dll
c:\windows\system32\bjwtduxk.ini
c:\windows\system32\dupejume.dll
c:\windows\system32\eadiwmfs.ini
c:\windows\system32\eeLmTBeg.ini
c:\windows\system32\eeLmTBeg.ini2
c:\windows\system32\ekohumin.ini
c:\windows\system32\evodamim.ini
c:\windows\system32\fetotava.dll
c:\windows\system32\hakodoso.dll.tmp
c:\windows\system32\hazagebi.dll
c:\windows\system32\hojubipa.dll
c:\windows\system32\hulujige.dll
c:\windows\system32\icbvauhu.ini
c:\windows\system32\ighqdnww.ini
c:\windows\system32\iyipujil.ini
c:\windows\system32\kokemabo.dll
c:\windows\system32\koknihph.ini
c:\windows\system32\kuzogago.dll.vir
c:\windows\system32\kvpwxded.ini
c:\windows\system32\lbulthjw.ini
c:\windows\system32\lijuhidi.dll
c:\windows\system32\mfuuigdj.ini
c:\windows\system32\mrmhittr.ini
c:\windows\system32\orowumiz.ini
c:\windows\system32\pizatoro.dll.tmp
c:\windows\system32\pksuebsh.ini
c:\windows\system32\povukide.dll.tmp
c:\windows\system32\qaovdcye.ini
c:\windows\system32\qbkwxkdl.ini
c:\windows\system32\rcfqfgfl.ini
c:\windows\system32\sakadadu.dll
c:\windows\system32\sddjsjpi.ini
c:\windows\system32\senekaqbpxiuyx.dat
c:\windows\system32\taskkill.exe
c:\windows\system32\tefiwizu.dll.tmp
c:\windows\system32\txiifeso.ini
c:\windows\system32\uaspybne.ini
c:\windows\system32\uctafwmw.ini
c:\windows\system32\udadakas.ini
c:\windows\system32\udewuziy.ini
c:\windows\system32\uwyirntx.ini
c:\windows\system32\vawerepu.dll.tmp
c:\windows\system32\vufosesa.dll
c:\windows\system32\wavovozi.dll
c:\windows\system32\wysgkbjb.ini
c:\windows\system32\xiglbgni.ini
c:\windows\system32\xjsehusk.ini
c:\windows\system32\yavafike.dll
c:\windows\system32\yizuwedu.dll
c:\windows\system32\yozuzejo.dll
c:\windows\system32\yxyfbjdx.ini
c:\windows\system32\zimuworo.dll

----- BITS: Possible infected sites -----

hxxp://www.spiralfrog.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 06:13 . 2009-04-04 06:14 <DIR> d-------- c:\program files\iTunes
2009-04-04 06:13 . 2009-04-04 06:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-04 06:10 . 2009-04-04 06:10 <DIR> d-------- c:\program files\Bonjour
2009-04-04 06:08 . 2009-04-04 06:09 <DIR> d-------- c:\program files\QuickTime
2009-04-03 04:40 . 2009-04-05 02:04 1,318 --a------ c:\windows\Uqizoxihuvuwoxu.dat
2009-04-03 04:40 . 2009-04-05 03:21 16 --a------ c:\windows\Fsuya.bin
2009-03-29 06:08 . 2009-03-29 06:08 <DIR> d-------- c:\program files\Trend Micro
2009-03-29 01:19 . 2009-03-29 01:19 128,512 --a------ C:\gldmo.exe
2009-03-29 01:19 . 2009-03-29 01:19 98,304 --a------ C:\ajtbyh.exe
2009-03-29 01:19 . 2009-03-29 01:19 50,176 --a------ c:\windows\system32\drivers\UACd.sys
2009-03-29 01:19 . 2009-03-29 01:19 45,056 --a------ C:\dmsiacq.exe
2009-03-29 01:19 . 2009-03-29 01:19 9,216 --a------ c:\windows\instsp2.exe
2009-03-29 01:19 . 2009-03-29 01:19 7,680 --a------ C:\wicnin.exe
2009-03-29 01:19 . 2009-03-29 01:19 4,096 --a------ C:\lxdwn.exe
2009-03-29 01:19 . 2009-03-29 01:19 2 --a------ C:\-468360241
2009-03-28 14:00 . 2009-03-28 14:00 <DIR> d-------- c:\documents and settings\Tom\My desktop
2009-03-28 13:32 . 2009-03-28 13:32 <DIR> d-------- c:\documents and settings\Tom\Application Data\AVS4YOU
2009-03-28 13:32 . 2009-03-28 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-28 13:29 . 2009-03-28 13:31 <DIR> d-------- c:\program files\Common Files\AVSMedia
2009-03-28 13:29 . 2009-03-28 13:31 <DIR> d-------- c:\program files\AVS4YOU
2009-03-28 09:05 . 2009-03-28 09:05 <DIR> d-------- c:\documents and settings\Tom\Application Data\MSNInstaller
2009-03-28 08:59 . 2009-03-28 08:59 <DIR> d--h----- c:\windows\msdownld.tmp
2009-03-27 23:48 . 2009-04-04 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-25 07:53 . 2009-03-25 07:53 <DIR> d-------- c:\documents and settings\Tom\Application Data\acccore
2009-03-25 07:47 . 2009-03-25 07:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-03-25 07:45 . 2009-03-25 07:49 <DIR> d-------- c:\program files\AIM6
2009-03-25 06:07 . 2009-04-05 01:10 <DIR> d-------- c:\documents and settings\Tom\Tracing
2009-03-25 06:06 . 2009-03-25 06:06 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-25 06:06 . 2009-03-25 06:06 <DIR> d-------- c:\program files\Windows Live
2009-03-25 06:06 . 2009-03-25 06:06 <DIR> d-------- c:\program files\Microsoft
2009-03-25 06:02 . 2009-03-25 06:02 <DIR> d-------- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 15:14 --------- d-----w c:\program files\SpiralFrog
2009-04-05 05:32 --------- d-----w c:\documents and settings\Tom\Application Data\FrostWire
2009-04-05 05:04 --------- d-----w c:\program files\Incomplete
2009-04-05 05:04 --------- d-----w c:\program files\FrostWire
2009-04-04 11:13 --------- d-----w c:\program files\iPod
2009-04-04 11:13 --------- d-----w c:\program files\Common Files\Apple
2009-03-31 11:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 09:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 09:54 --------- d-----w c:\program files\Electronic Arts
2009-03-28 09:52 --------- d-----w c:\program files\Google
2009-03-28 07:03 --------- d-----w c:\program files\Steam
2009-03-25 12:47 --------- d-----w c:\program files\Viewpoint
2009-03-25 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-03-25 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-25 12:46 --------- d-----w c:\program files\Common Files\AOL
2009-03-19 15:47 7,134 ----a-w c:\documents and settings\Tom\Application Data\wklnhst.dat
2009-03-09 09:34 --------- d-----w c:\program files\SpywareDetector
2009-03-06 05:33 --------- d-----w c:\documents and settings\Tom\Application Data\Apple Computer
2009-03-06 04:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-27 11:16 --------- d-----w c:\program files\Free iPod Video Converter
2009-02-27 11:15 --------- d-----w c:\program files\AviSynth 2.5
2009-02-27 10:35 --------- d-----w c:\program files\Cucusoft
2008-11-18 23:11 30 ----a-w c:\documents and settings\Tom\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL" [2008-07-02 66912]

[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2003-04-14 1491216]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-06 100056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2007-12-18 163128]
"SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2008-12-04 1370064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2008-11-02 900608]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"Wgipugu"="c:\windows\udusafuza.dll" [2007-03-08 156672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 58992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0SDEarlyDelete \??\c:\program files\SpywareDetector\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli wmsrary.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-03-19 23:17 78960 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-03-23 16:34 58992 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 20:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-29 00:43 8466432 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-29 00:43 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-11-01 04:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 17:18 135168 c:\program files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-12-06 16:45 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-18 03:30 543232 c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 03:25 73728 c:\windows\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 18:09 36864 c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 09:34 57344 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Blitz 1941 Global\\BlitzClient2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\Program Files\\Viewpoint\\Common\\ViewpointService.exe"=
"c:\\Program Files\\SpiralFrog\\Spiralfrog.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3274:TCP"= 3274:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R2 SDMainSvc;SDMainSvc;c:\program files\SpywareDetector\SDMainService.exe [2008-12-09 923088]
R2 SDService;SDService;c:\program files\SpywareDetector\SDService.exe [2007-08-12 1701328]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2009-03-25 24652]
S3 Fadpu16E;Fadpu16E;\??\c:\docume~1\Tom\LOCALS~1\Temp\Fadpu16E.sys --> c:\docume~1\Tom\LOCALS~1\Temp\Fadpu16E.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-06-30 13352]
S3 SDActMon;SDActMon;c:\program files\SpywareDetector\SDActMon.sys [2008-07-17 21888]
S3 XDva219;XDva219;\??\c:\windows\system32\XDva219.sys --> c:\windows\system32\XDva219.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 23:48]

2009-03-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Tom.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-19 13:54]

2009-03-27 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-05-21 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - (no file)
BHO-{af632abb-0d6b-46d3-bc23-61378734e588} - c:\windows\system32\yavafike.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
MSConfigStartUp-Steam - c:\valve\Steam\Steam.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101676&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\nu2737cn.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 10:11:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,51,ff,54,16,83,7c,db,74,52,7b,1f,ea,66,f6,4b,e2,08,57,85,7a,2e,65,
94,46,d5,44,b2,2c,d6,57,5e,b2,99,ed,35,40,e4,ba,4d,9e,46,82,6e,b2,25,c6,ac,\
"??"=hex:6a,cf,f8,a0,ac,2e,aa,62,23,d2,da,b5,c0,7b,9f,67

[HKEY_USERS\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\SecuROM\License information*]
"datasecu"=hex:fb,be,68,4a,1e,ef,da,93,13,89,07,ab,46,a5,5d,d6,14,a4,91,3c,e1,
99,78,6d,a2,7f,c8,d1,a2,e1,93,08,25,e6,6f,c9,bd,bf,be,b0,20,35,bf,19,e3,ac,\
"rkeysecu"=hex:3a,70,83,d9,1a,bd,0e,1a,ed,c1,d2,a7,fe,a6,18,32
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(632)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(688)
c:\windows\wmsrary.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\slserv.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\msiexec.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2009-04-05 10:22:34 - machine was rebooted [Tom]
ComboFix-quarantined-files.txt 2009-04-05 15:22:14

Pre-Run: 45,003,276,288 bytes free
Post-Run: 44,955,910,144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect

355 --- E O F --- 2008-10-24 03:30:59

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:57 PM

Posted 05 April 2009 - 10:35 PM

Hello, Jakezim
Viewpoint is considered foistware instead of malware because it is installed without users approval, but doesn't spy or do anything "bad". You may like to read this article about the potential of this Viewpoint software here:
http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on Start > Run... > and then paste the following into the "Open" field: "appwiz.cpl" and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, and/or Viewpoint Media Player.

We need to re-run ComboFix with some additonal directives.
  • Please disable any running anti-virus programs.

    If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the quotebox below into it:
    file::
    c:\windows\Uqizoxihuvuwoxu.dat
    c:\windows\Fsuya.bin
    C:\gldmo.exe
    C:\ajtbyh.exe
    c:\windows\system32\drivers\UACd.sys
    C:\dmsiacq.exe
    c:\windows\instsp2.exe
    C:\wicnin.exe
    C:\lxdwn.exe
    C:\-468360241
    c:\windows\udusafuza.dll
    C:\Windows\wmsrary.dll
    c:\documents and settings\Tom\Application Data\wklnhst.dat
    folder::
    c:\program files\AskSBar
    c:\program files\SpywareDetector
    registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Wgipugu"=-
    "SDActiveMonitor"=-
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"=-
    [-HKEY_CLASSES_ROOT\CLSID\{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    "BootExecute"=hex(7):61,75,74,6f,63,68,65,63,6b,20,61,75,74,6f,63,68,6b,20,2a,00,00
    driver::
    Fadpu16E
    XDva219
    SDMainSvc
    SDService
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Posted Image
    Refering to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt". Please copy and paste that report here.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

In your next reply, please include the following:
  • ComboFix.txt

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#5 Jakezim

Jakezim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 05 April 2009 - 11:27 PM

ComboFix 09-04-04.01 - Tom 2009-04-05 11:10:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1535.890 [GMT -5:00]
Running from: c:\documents and settings\Tom\Desktop\ComboFixx.exe
Command switches used :: c:\documents and settings\Tom\Desktop\CFscript.txt
AV: Norton AntiVirus 2005 *On-access scanning disabled* (Outdated)
FW: Norton Internet Worm Protection *enabled*
* Created a new restore point

FILE ::
C:\-468360241
C:\ajtbyh.exe
C:\dmsiacq.exe
c:\documents and settings\Tom\Application Data\wklnhst.dat
C:\gldmo.exe
C:\lxdwn.exe
C:\wicnin.exe
c:\windows\Fsuya.bin
c:\windows\instsp2.exe
c:\windows\system32\drivers\UACd.sys
c:\windows\udusafuza.dll
c:\windows\Uqizoxihuvuwoxu.dat
c:\windows\wmsrary.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-468360241
C:\ajtbyh.exe
C:\dmsiacq.exe
c:\documents and settings\Tom\Application Data\wklnhst.dat
C:\gldmo.exe
C:\lxdwn.exe
c:\program files\AskSBar
c:\program files\AskSBar\bar\2.bin\A2FFXTBR.JAR
c:\program files\AskSBar\bar\2.bin\A2FFXTBR.MANIFEST
c:\program files\AskSBar\bar\2.bin\A2NTSTBR.JAR
c:\program files\AskSBar\bar\2.bin\A2NTSTBR.MANIFEST
c:\program files\AskSBar\bar\Cache\0003B71C
c:\program files\AskSBar\bar\Cache\02D23CC2.bin
c:\program files\AskSBar\bar\Cache\02D23E0B.bin
c:\program files\AskSBar\bar\Cache\02D23EC6.bin
c:\program files\AskSBar\bar\Cache\02D2400E.bin
c:\program files\AskSBar\bar\Cache\02D24156.bin
c:\program files\AskSBar\bar\Cache\02D24202.bin
c:\program files\AskSBar\bar\Cache\files.ini
c:\program files\AskSBar\bar\History\search2
c:\program files\AskSBar\bar\Settings\prevcfg2.htm
c:\program files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL
c:\program files\SpywareDetector
c:\program files\SpywareDetector\ActiveProtection.dll
c:\program files\SpywareDetector\AntiRootKitDLL.dll
c:\program files\SpywareDetector\CloseAll.exe
c:\program files\SpywareDetector\Data\SD1.DB
c:\program files\SpywareDetector\Data\SD18.DB
c:\program files\SpywareDetector\Data\SD19.DB
c:\program files\SpywareDetector\Data\SD2.DB
c:\program files\SpywareDetector\Data\SD23.DB
c:\program files\SpywareDetector\Data\SD25.DB
c:\program files\SpywareDetector\Data\SD26.DB
c:\program files\SpywareDetector\Data\SD3.DB
c:\program files\SpywareDetector\Data\SD31.DB
c:\program files\SpywareDetector\Data\SD39.DB
c:\program files\SpywareDetector\Data\SD4.DB
c:\program files\SpywareDetector\Data\SD5.DB
c:\program files\SpywareDetector\Data\SD501.DB
c:\program files\SpywareDetector\Data\SD503.DB
c:\program files\SpywareDetector\Data\SD504.DB
c:\program files\SpywareDetector\Data\SD505.DB
c:\program files\SpywareDetector\Data\SD506.DB
c:\program files\SpywareDetector\Data\SD507.DB
c:\program files\SpywareDetector\Data\SD508.DB
c:\program files\SpywareDetector\Data\SD509.DB
c:\program files\SpywareDetector\Data\SD510.DB
c:\program files\SpywareDetector\Data\SD511.DB
c:\program files\SpywareDetector\Data\SD512.DB
c:\program files\SpywareDetector\Data\SD516.DB
c:\program files\SpywareDetector\Data\SD517.DB
c:\program files\SpywareDetector\Data\SD519.DB
c:\program files\SpywareDetector\Data\SD520.DB
c:\program files\SpywareDetector\Data\SD521.DB
c:\program files\SpywareDetector\Data\SD522.DB
c:\program files\SpywareDetector\Data\SD523.DB
c:\program files\SpywareDetector\Data\SD524.DB
c:\program files\SpywareDetector\Data\SD525.DB
c:\program files\SpywareDetector\Data\SD526.DB
c:\program files\SpywareDetector\Data\SD527.DB
c:\program files\SpywareDetector\Data\SD528.DB
c:\program files\SpywareDetector\Data\SD529.DB
c:\program files\SpywareDetector\Data\SD530.DB
c:\program files\SpywareDetector\Data\SD531.DB
c:\program files\SpywareDetector\Data\SD532.DB
c:\program files\SpywareDetector\Data\SD536.DB
c:\program files\SpywareDetector\Data\SD537.DB
c:\program files\SpywareDetector\Data\SD538.DB
c:\program files\SpywareDetector\Data\SD539.DB
c:\program files\SpywareDetector\Data\SD540.DB
c:\program files\SpywareDetector\Data\SD541.DB
c:\program files\SpywareDetector\Data\SD542.DB
c:\program files\SpywareDetector\Data\SD543.DB
c:\program files\SpywareDetector\Data\SD6.DB
c:\program files\SpywareDetector\Data\SD7.DB
c:\program files\SpywareDetector\Data\SD8.DB
c:\program files\SpywareDetector\Data\SDE.DB
c:\program files\SpywareDetector\Data\SDF501.DB
c:\program files\SpywareDetector\Data\SDF502.DB
c:\program files\SpywareDetector\Data\SDF503.DB
c:\program files\SpywareDetector\Data\SDF504.DB
c:\program files\SpywareDetector\Data\SDF505.DB
c:\program files\SpywareDetector\Data\SDF506.DB
c:\program files\SpywareDetector\Data\SDF507.DB
c:\program files\SpywareDetector\Data\SDF508.DB
c:\program files\SpywareDetector\Data\SDF509.DB
c:\program files\SpywareDetector\Data\SDF510.DB
c:\program files\SpywareDetector\Data\SDF512.DB
c:\program files\SpywareDetector\Data\SDF513.DB
c:\program files\SpywareDetector\Data\SDF514.DB
c:\program files\SpywareDetector\Data\SDF515.DB
c:\program files\SpywareDetector\Data\SDF516.DB
c:\program files\SpywareDetector\Data\SDF517.DB
c:\program files\SpywareDetector\Data\SDF518.DB
c:\program files\SpywareDetector\Data\SDF519.DB
c:\program files\SpywareDetector\Data\SDF520.DB
c:\program files\SpywareDetector\Data\SDF521.DB
c:\program files\SpywareDetector\Data\SDF522.DB
c:\program files\SpywareDetector\Data\SDF523.DB
c:\program files\SpywareDetector\Data\SDF524.DB
c:\program files\SpywareDetector\Data\SDF525.DB
c:\program files\SpywareDetector\Data\SDF526.DB
c:\program files\SpywareDetector\Data\SDF527.DB
c:\program files\SpywareDetector\Data\SDF528.DB
c:\program files\SpywareDetector\Data\SDF529.DB
c:\program files\SpywareDetector\Data\SDF530.DB
c:\program files\SpywareDetector\Data\SDF531.DB
c:\program files\SpywareDetector\Data\SDF532.DB
c:\program files\SpywareDetector\Data\SDF533.DB
c:\program files\SpywareDetector\Data\SDF534.DB
c:\program files\SpywareDetector\Data\SDF535.DB
c:\program files\SpywareDetector\Data\SDF536.DB
c:\program files\SpywareDetector\Data\SDF537.DB
c:\program files\SpywareDetector\Data\SDF538.DB
c:\program files\SpywareDetector\Data\SDF539.DB
c:\program files\SpywareDetector\Data\SDF540.DB
c:\program files\SpywareDetector\Data\SDF541.DB
c:\program files\SpywareDetector\Data\SDF542.DB
c:\program files\SpywareDetector\Data\SDF543.DB
c:\program files\SpywareDetector\Data\SDINFO.DB
c:\program files\SpywareDetector\Data\SDK10.DB
c:\program files\SpywareDetector\Data\SDK12.DB
c:\program files\SpywareDetector\Data\SDK13.DB
c:\program files\SpywareDetector\Data\SDK14.DB
c:\program files\SpywareDetector\Data\SDK15.DB
c:\program files\SpywareDetector\Data\SDK16.DB
c:\program files\SpywareDetector\Data\SDK17.DB
c:\program files\SpywareDetector\Data\SDK20.DB
c:\program files\SpywareDetector\Data\SDK21.DB
c:\program files\SpywareDetector\Data\SDK30.DB
c:\program files\SpywareDetector\Data\SDK31.DB
c:\program files\SpywareDetector\Data\SDK32.DB
c:\program files\SpywareDetector\Data\SDK33.DB
c:\program files\SpywareDetector\Data\SDK34.DB
c:\program files\SpywareDetector\Data\SDK35.DB
c:\program files\SpywareDetector\Data\SDk36.DB
c:\program files\SpywareDetector\Data\SDk37.DB
c:\program files\SpywareDetector\Data\SDk38.DB
c:\program files\SpywareDetector\Data\SDK42.DB
c:\program files\SpywareDetector\Data\SDK43.DB
c:\program files\SpywareDetector\Data\SDK9.DB
c:\program files\SpywareDetector\Data\sdn.db
c:\program files\SpywareDetector\Data\SDR1.DB
c:\program files\SpywareDetector\Data\SDR2.DB
c:\program files\SpywareDetector\Data\SDR3.DB
c:\program files\SpywareDetector\Data\SDS1.DB
c:\program files\SpywareDetector\Data\SDS2.DB
c:\program files\SpywareDetector\Data\SDV.DB
c:\program files\SpywareDetector\Data\SDV10.DB
c:\program files\SpywareDetector\Data\SDV11.DB
c:\program files\SpywareDetector\Data\SDv13.DB
c:\program files\SpywareDetector\Data\SDv15.DB
c:\program files\SpywareDetector\Data\SDv16.DB
c:\program files\SpywareDetector\Data\SDv17.DB
c:\program files\SpywareDetector\Data\SDv18.DB
c:\program files\SpywareDetector\Data\SDv19.DB
c:\program files\SpywareDetector\Data\SDv20.DB
c:\program files\SpywareDetector\Data\SDv25.DB
c:\program files\SpywareDetector\Data\SDv30.DB
c:\program files\SpywareDetector\Data\SDv32.DB
c:\program files\SpywareDetector\Data\SDv36.DB
c:\program files\SpywareDetector\Data\SDv37.DB
c:\program files\SpywareDetector\Data\SDV38.DB
c:\program files\SpywareDetector\Data\SDV9.DB
c:\program files\SpywareDetector\Data\SDVS1.DB
c:\program files\SpywareDetector\Data\SDVS2.DB
c:\program files\SpywareDetector\Data\SDVS3.DB
c:\program files\SpywareDetector\Data\SDVS4.DB
c:\program files\SpywareDetector\Data\SDVS5.DB
c:\program files\SpywareDetector\Data\SDVS6.DB
c:\program files\SpywareDetector\Data\SDVS7.DB
c:\program files\SpywareDetector\Data\SDVS8.DB
c:\program files\SpywareDetector\Data\SDWA.DB
c:\program files\SpywareDetector\Data\SDWH.db
c:\program files\SpywareDetector\Data\SDWK.db
c:\program files\SpywareDetector\Data\SDWN.DB
c:\program files\SpywareDetector\Data\SDWS.DB
c:\program files\SpywareDetector\Data\SM1.db
c:\program files\SpywareDetector\Data\SM2.db
c:\program files\SpywareDetector\Data\Worms.ini
c:\program files\SpywareDetector\DisasmEngineDll.dll
c:\program files\SpywareDetector\ExcludeDB.db
c:\program files\SpywareDetector\FileSignature.dll
c:\program files\SpywareDetector\HostDummy.ini
c:\program files\SpywareDetector\hostlistSD
c:\program files\SpywareDetector\HostListSD.ini
c:\program files\SpywareDetector\hosts.backup
c:\program files\SpywareDetector\Infolsp.dll
c:\program files\SpywareDetector\KeyLoggerHandler.dll
c:\program files\SpywareDetector\KeyLoggerScanner.dll
c:\program files\SpywareDetector\KeyLoggerScanner.exe
c:\program files\SpywareDetector\LiveUpdateSD.exe
c:\program files\SpywareDetector\Log.htm
c:\program files\SpywareDetector\Log\ExecSDLog.txt
c:\program files\SpywareDetector\Log\Export.txt
c:\program files\SpywareDetector\Log\MD5SDLog.txt
c:\program files\SpywareDetector\Log\RootKitLog.txt
c:\program files\SpywareDetector\Log\SDLiveupdateLog.txt
c:\program files\SpywareDetector\Log\SDLog.txt
c:\program files\SpywareDetector\Log\SplSpyLog.txt
c:\program files\SpywareDetector\Log\SystemLog.txt
c:\program files\SpywareDetector\Log\VoucherLog.txt
c:\program files\SpywareDetector\MainUI.gif
c:\program files\SpywareDetector\MAxNews.txt
c:\program files\SpywareDetector\News.txt
c:\program files\SpywareDetector\Option.dll
c:\program files\SpywareDetector\RestartTool.DLL
c:\program files\SpywareDetector\RestartTool.exe
c:\program files\SpywareDetector\ScannerExtension.exe
c:\program files\SpywareDetector\SDActiveMonitor.chm
c:\program files\SpywareDetector\SDActiveMonitor.exe
c:\program files\SpywareDetector\SDActMon.sys
c:\program files\SpywareDetector\SDActMon2K.sys
c:\program files\SpywareDetector\SDAntiRtKt.sys
c:\program files\SpywareDetector\SDEarlyDelete.log
c:\program files\SpywareDetector\SDLiveupdate\SDAdvScan.exe
c:\program files\SpywareDetector\SDLiveupdate\SDComplexSpy.exe
c:\program files\SpywareDetector\SDLiveupdate\SDDatabase.exe
c:\program files\SpywareDetector\SDLiveupdate\SDKeylogger.exe
c:\program files\SpywareDetector\SDLiveupdate\SDProduct.exe
c:\program files\SpywareDetector\SDLiveupdate\SDRootkit.exe
c:\program files\SpywareDetector\SDLiveupdate\SDVirus.exe
c:\program files\SpywareDetector\SDLiveupdate\ServerVersion.txt
c:\program files\SpywareDetector\SDMainService.exe
c:\program files\SpywareDetector\SDRemoveDB.db
c:\program files\SpywareDetector\SDRestrictedSites.ini
c:\program files\SpywareDetector\SDService.exe
c:\program files\SpywareDetector\SDSystemtray.chm
c:\program files\SpywareDetector\SDVirusScanner.dll
c:\program files\SpywareDetector\SDWormsToDelete.ini
c:\program files\SpywareDetector\SendReport.exe
c:\program files\SpywareDetector\Setting\blockActivex.reg
c:\program files\SpywareDetector\Setting\CurrentSettings.ini
c:\program files\SpywareDetector\Setting\English_Strings.ini
c:\program files\SpywareDetector\Setting\exe.dat
c:\program files\SpywareDetector\Setting\exefile.dat
c:\program files\SpywareDetector\Setting\Export.ini
c:\program files\SpywareDetector\Setting\HostDummy.ini
c:\program files\SpywareDetector\Setting\hostInsert.ini
c:\program files\SpywareDetector\Setting\Restricted.reg
c:\program files\SpywareDetector\Setting\RootKitWhiteDB.ini
c:\program files\SpywareDetector\Setting\SDWormsToDelete.ini
c:\program files\SpywareDetector\Setting\UnReg.reg
c:\program files\SpywareDetector\Setting\Voucher_English_Strings.ini
c:\program files\SpywareDetector\Setting\vssver.scc
c:\program files\SpywareDetector\Setting\WinsockBkp-Win2K.reg
c:\program files\SpywareDetector\Setting\WinsockBkp-Win98.reg
c:\program files\SpywareDetector\Setting\WinsockBkp-WinME.reg
c:\program files\SpywareDetector\Setting\WinsockBkp-WinVista.reg
c:\program files\SpywareDetector\Setting\WinsockBkp-WinXP.reg
c:\program files\SpywareDetector\Setting\WinsockBkp-WinXPHE.reg
c:\program files\SpywareDetector\Setting\wormcounts.ini
c:\program files\SpywareDetector\SignatureScanner.dll
c:\program files\SpywareDetector\SMTPDll.dll
c:\program files\SpywareDetector\SpecialSpyHandler.dll
c:\program files\SpywareDetector\SpywareDetector.chm
c:\program files\SpywareDetector\SpywareDetector.dll
c:\program files\SpywareDetector\SpywareDetector.exe
c:\program files\SpywareDetector\StartUpTipsDll.dll
c:\program files\SpywareDetector\Tips.txt
c:\program files\SpywareDetector\TrayPopUp.exe
c:\program files\SpywareDetector\ui_bg.jpg
c:\program files\SpywareDetector\unins000.dat
c:\program files\SpywareDetector\unins000.exe
c:\program files\SpywareDetector\UnReg.reg
c:\program files\SpywareDetector\VchReg.dll
c:\program files\SpywareDetector\Verinfo.ini
C:\wicnin.exe
c:\windows\Fsuya.bin
c:\windows\instsp2.exe
c:\windows\system32\drivers\UACd.sys
c:\windows\udusafuza.dll
c:\windows\Uqizoxihuvuwoxu.dat
c:\windows\wmsrary.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FADPU16E
-------\Legacy_SDMAINSVC
-------\Legacy_SDSERVICE
-------\Legacy_XDVA219
-------\Service_Fadpu16E
-------\Service_SDMainSvc
-------\Service_SDService
-------\Service_XDva219


((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))
.

2009-04-04 06:13 . 2009-04-04 06:14 <DIR> d-------- c:\program files\iTunes
2009-04-04 06:13 . 2009-04-04 06:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-04-04 06:10 . 2009-04-04 06:10 <DIR> d-------- c:\program files\Bonjour
2009-04-04 06:08 . 2009-04-04 06:09 <DIR> d-------- c:\program files\QuickTime
2009-03-29 06:08 . 2009-03-29 06:08 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 14:00 . 2009-03-28 14:00 <DIR> d-------- c:\documents and settings\Tom\My desktop
2009-03-28 13:32 . 2009-03-28 13:32 <DIR> d-------- c:\documents and settings\Tom\Application Data\AVS4YOU
2009-03-28 13:32 . 2009-03-28 13:32 <DIR> d-------- c:\documents and settings\All Users\Application Data\AVS4YOU
2009-03-28 13:29 . 2009-03-28 13:31 <DIR> d-------- c:\program files\Common Files\AVSMedia
2009-03-28 13:29 . 2009-03-28 13:31 <DIR> d-------- c:\program files\AVS4YOU
2009-03-28 09:05 . 2009-03-28 09:05 <DIR> d-------- c:\documents and settings\Tom\Application Data\MSNInstaller
2009-03-28 08:59 . 2009-03-28 08:59 <DIR> d--h----- c:\windows\msdownld.tmp
2009-03-27 23:48 . 2009-04-04 23:17 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-25 07:53 . 2009-03-25 07:53 <DIR> d-------- c:\documents and settings\Tom\Application Data\acccore
2009-03-25 07:47 . 2009-03-25 07:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\acccore
2009-03-25 07:45 . 2009-03-25 07:49 <DIR> d-------- c:\program files\AIM6
2009-03-25 06:07 . 2009-04-05 10:15 <DIR> d-------- c:\documents and settings\Tom\Tracing
2009-03-25 06:06 . 2009-03-25 06:06 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-25 06:06 . 2009-03-25 06:06 <DIR> d-------- c:\program files\Windows Live
2009-03-25 06:06 . 2009-03-25 06:06 <DIR> d-------- c:\program files\Microsoft
2009-03-25 06:02 . 2009-03-25 06:02 <DIR> d-------- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 16:07 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2009-04-05 15:14 --------- d-----w c:\program files\SpiralFrog
2009-04-05 05:32 --------- d-----w c:\documents and settings\Tom\Application Data\FrostWire
2009-04-05 05:04 --------- d-----w c:\program files\Incomplete
2009-04-05 05:04 --------- d-----w c:\program files\FrostWire
2009-04-04 11:13 --------- d-----w c:\program files\iPod
2009-04-04 11:13 --------- d-----w c:\program files\Common Files\Apple
2009-03-31 11:25 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-03-28 09:54 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-28 09:54 --------- d-----w c:\program files\Electronic Arts
2009-03-28 09:52 --------- d-----w c:\program files\Google
2009-03-28 07:03 --------- d-----w c:\program files\Steam
2009-03-25 12:47 --------- d-----w c:\documents and settings\All Users\Application Data\AOL
2009-03-25 12:46 --------- d-----w c:\program files\Common Files\AOL
2009-03-06 05:33 --------- d-----w c:\documents and settings\Tom\Application Data\Apple Computer
2009-03-06 04:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-02-27 11:16 --------- d-----w c:\program files\Free iPod Video Converter
2009-02-27 11:15 --------- d-----w c:\program files\AviSynth 2.5
2009-02-27 10:35 --------- d-----w c:\program files\Cucusoft
2008-11-18 23:11 30 ----a-w c:\documents and settings\Tom\jagex_runescape_preferences.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-05_10.20.49.48 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2008-08-01 1103216]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2003-04-14 1491216]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2008-10-10 4789760]
"EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2009-01-09 3321856]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-27 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-12-06 100056]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-09-24 49152]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-29 81920]
"SpiralFrog"="c:\program files\SpiralFrog\Spiralfrog.exe" [2007-12-18 163128]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"DVDtoiPodConverter_upgrade"="c:\program files\E-Zsoft\DVDtoiPodConverter\DVDtoiPodConverter.exe" [2008-11-02 900608]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-29 61440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-03-23 58992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-09-24 282624]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-09-24 73728]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-03-19 23:17 78960 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2005-03-23 16:34 58992 c:\program files\Common Files\Symantec Shared\CCAPP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 20:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-29 00:43 8466432 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-06-29 00:43 81920 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-11-01 04:42 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
--a------ 2004-03-11 17:18 135168 c:\program files\Digital Media Reader\shwiconEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
--a------ 2005-12-06 16:45 100056 c:\progra~1\SYMNET~1\SNDMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a------ 2004-05-18 03:30 543232 c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
--a------ 2003-09-03 03:25 73728 c:\windows\system32\sstray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-06-29 00:43 1626112 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShowWnd]
--a------ 2003-09-19 18:09 36864 c:\windows\ShowWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a------ 2003-08-15 09:34 57344 c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Blitz 1941 Global\\BlitzClient2.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe"=
"c:\\Program Files\\SpiralFrog\\Spiralfrog.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3274:TCP"= 3274:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-06-30 13352]
S3 SDActMon;SDActMon;\??\c:\program files\SpywareDetector\SDActMon.sys --> c:\program files\SpywareDetector\SDActMon.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-05 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-27 23:48]

2009-03-28 c:\windows\Tasks\Norton AntiVirus - Scan my computer - Tom.job
- c:\progra~1\NORTON~1\Navw32.exe [2005-10-19 13:54]

2009-03-27 c:\windows\Tasks\Uniblue SpeedUpMyPC Nag.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []

2008-05-21 c:\windows\Tasks\Uniblue SpeedUpMyPC.job
- c:\program files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101676&l=dis
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
FF - ProfilePath - c:\documents and settings\Tom\Application Data\Mozilla\Firefox\Profiles\nu2737cn.default\
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np32dsw.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npnul32.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin6.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPSFDMGR.dll
FF - plugin: c:\program files\Virtual Earth 3D\npVE3D.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 11:16:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\Tom\LOCALS~1\Temp\NEWF.tmp 7529 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:89,51,ff,54,16,83,7c,db,74,52,7b,1f,ea,66,f6,4b,e2,08,57,85,7a,2e,65,
94,46,d5,44,b2,2c,d6,57,5e,b2,99,ed,35,40,e4,ba,4d,9e,46,82,6e,b2,25,c6,ac,\
"??"=hex:6a,cf,f8,a0,ac,2e,aa,62,23,d2,da,b5,c0,7b,9f,67

[HKEY_USERS\S-1-5-21-1440936148-3481316508-1564428167-1006\Software\SecuROM\License information*]
"datasecu"=hex:fb,be,68,4a,1e,ef,da,93,13,89,07,ab,46,a5,5d,d6,14,a4,91,3c,e1,
99,78,6d,a2,7f,c8,d1,a2,e1,93,08,25,e6,6f,c9,bd,bf,be,b0,20,35,bf,19,e3,ac,\
"rkeysecu"=hex:3a,70,83,d9,1a,bd,0e,1a,ed,c1,d2,a7,fe,a6,18,32
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(628)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\windows\system32\slserv.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
c:\windows\system32\msiexec.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-04-05 11:24:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-05 16:24:44
ComboFix2.txt 2009-04-05 15:22:35

Pre-Run: 44,957,548,544 bytes free
Post-Run: 44,880,457,728 bytes free

551 --- E O F --- 2008-10-24 03:30:59

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:57 PM

Posted 06 April 2009 - 08:13 PM

Hello, Jakezim
I would like us to use ESET (NOD32)'s Online Scanner
  • Please go to ESET OnlineScan (NOD32)
  • You will then see the Terms of Use, tick the check-box infront of YES, I accept the Terms of Use
  • Now click Start
  • Should you face a Security Warning that asks if you want to install and run a file called "OnlineScanner.cab", click Yes
  • Click Start
    • Note: (the Onlinescanner will now prepare itself for running on your pc)
  • To do a full-scan, tick: "Remove found threats" and "Scan potentially unwanted applications"
  • Press Scan
  • The Onlinescan will now start and scan your pc (this could take a while)
  • When the scan has finished, it will show a screen with two tabs "overview" and "details" and the option to get information or buy software, just close the window
  • Click Start >> Run... >> type: C:\Program Files\EsetOnlineScanner\log.txt
  • The Scanresults will now open in Notepad
  • Click into the text area, right-click and chose "select all" (or use <Control>+A)
  • Right-click again and chose "Copy" (or <Control>+C)
  • Close/Exit Notepad
  • Navigate to this thread and post your log along with anything else requested from us, by right-clicking and "paste" (or ctrl+v) in the text area of the reply post you just created.
Note: For Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)

You Need to Update Windows (And other Microsoft Software)
Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

If you are using Windows XP or earlier
Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

If you are using Windows Vista
  • Click the "Start Menu" (or Windows Orb)
  • Click "All Programs"
  • Click "Windows Update"
  • On the left, choose "Change Settings"
  • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
  • Press OK and accept the UAC prompt.
    Note: You shouldn't need to check this checkbox every single time you update, only the first time.
  • Click "Check for Updates" in the upper left corner.
  • Follow the instructions to install the latest updates.
  • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
In your next reply, please include the following:
  • ESET OnlineScan's Log

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#7 Jakezim

Jakezim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 08 April 2009 - 03:01 PM

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3994 (20090407)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=9f983e7004298840a426d6f728941288
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-08 02:42:30
# local_time=2009-04-07 09:42:30 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=378326
# found=136
# scan_time=49160
C:\Documents and Settings\Tom\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-5a7f24f2 Java/TrojanDownloader.OpenStream.NAC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Tom\Shared\carry on burn season.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Tom\Shared\Sophie Moone Tiffany Diamond-Hotte.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) EC87469514C0CE39D7A229D07887AC8A
C:\Documents and Settings\Tom\Shared\Teagan Presley - Teenage Anal Princess.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 0A0A0B47E35D557D949DC5288E100D51
C:\Documents and Settings\Tom\Shared\teagan presley bbs sc4.mpg WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Documents and Settings\Tom\Shared\voodoo child stevie ray voughn.mp3 WMA/TrojanDownloader.GetCodec.C trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\FrostWire\chasing dragon august burns [new single].au a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 37D17317C377AD892B8C583FA7C0C305
C:\Program Files\FrostWire\chasing dragon august burns-HQ.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) DED5788307B26CB0D1691E2C7A75E0BC
C:\Program Files\FrostWire\Enemy At The Gates (2001).avi WMA/TrojanDownloader.GetCodec.B trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Program Files\FrostWire\Enemy At The Gates - DVDRip XViD.avi a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) EC87469514C0CE39D7A229D07887AC8A
C:\Program Files\FrostWire\morgensteren rammstein - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 86258C909D26DB87A1C8C4FDAB932A04
C:\Program Files\FrostWire\rock me amadeus magaherz.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 99801F88845C5FA09D9A81022E96A561
C:\Program Files\FrostWire\still dre CD quality.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan (cleaned) 7592CB7510881F93DF6BEB483E690F35
C:\Qoobox\Quarantine\C\ajtbyh.exe.vir a variant of Win32/Kryptik.LL trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\wicnin.exe.vir Win32/TrojanDownloader.Small.OJR trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Documents and Settings\Tom\a.exe.vir Win32/TrojanDropper.Small.NJC trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\Program Files\AskSBar\SrchAstt\2.bin\A2SRCHAS.DLL.vir Win32/Toolbar.AskSBar application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\instsp2.exe.vir Win32/TrojanDownloader.Small.EDB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\amomqewb.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\avatotef.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\bjwtduxk.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\eadiwmfs.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\eeLmTBeg.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\eeLmTBeg.ini2.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ekohumin.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\evodamim.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\hazagebi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\icbvauhu.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\ighqdnww.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\iyipujil.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\koknihph.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\kvpwxded.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\lbulthjw.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\mfuuigdj.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\mrmhittr.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\orowumiz.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\pksuebsh.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\qaovdcye.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\qbkwxkdl.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\rcfqfgfl.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\sddjsjpi.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\txiifeso.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\uaspybne.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\uctafwmw.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\udadakas.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\udewuziy.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\uwyirntx.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\vufosesa.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wavovozi.dll.vir Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\wysgkbjb.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xiglbgni.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\xjsehusk.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\yizuwedu.dll.vir Win32/Adware.Virtumonde.NEF application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\yxyfbjdx.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\zimuworo.dll.vir Win32/Adware.Virtumonde.NEF application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\abvfqrgy.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ackvqrwq.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\agjksokp.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\alrnorvg.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\aukosngx.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\bebxcgks.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\bnvqokmt.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\byvdbspq.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\cfspvxvx.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\cjgixovl.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\csfvxiot.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\cyholxns.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\dewhhndg.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\dkhnekau.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\dwxabrwk.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\erueufhh.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\haldquwy.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\hyuxvdqd.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ihwdguau.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\iyaoujhj.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\iyvtksxr.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\jasjkchv.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\jifgcpmn.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\jjtmcgeu.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\jjujnhqp.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\jscslxrj.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\kkbnwjvh.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\krfgfyfs.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\kuyflhjq.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\kxddpplb.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\lfdxjvgf.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\lnsglycq.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\metfmpcu.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\mjgblwpw.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\mrmfusgs.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\nnckrygv.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\nqeddxlp.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\odsulcju.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ovycgdfw.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\pavjpqkh.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\pnxomvfe.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\qbxhstxg.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\qxcmnytx.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\rabmxhmj.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\rfeahgyi.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\rmdlothh.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\sbnqyucq.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\stlkfofc.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\swcthwjb.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\tiqivfvm.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ucjsykif.exe.bad Win32/Agent.ANR trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\uinnjsxq.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\urmbgwyl.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\utrtvolt.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\vytdhbms.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\wcodxkoj.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\xbehajvd.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\xmrxdmwf.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\xuktomba.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ybfpsknx.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\ymvjanjn.exe.bad Win32/Adware.Ezula application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\acjmricp.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\bulchruy.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\cyoegx.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\doqiyqmw.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\etglbsus.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\fvpdpd.dll a variant of Win32/Adware.Virtumonde.NEB application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\gscqleqx.dll a variant of Win32/Adware.Virtumonde.NEB application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\hlgkqytn.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\juyqnsqx.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\lomehane.exe Win32/Agent.PDG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\nubamiko.exe Win32/Agent.PDG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\qqstv.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\rgiumlxm.tmp Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\rlscmc.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\siyipino.exe Win32/Agent.PDG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\tuafjk.dll Win32/Adware.SuperJuan application (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\yelesato.exe Win32/Agent.PDG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\yezenata.exe Win32/Agent.PDG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\zadohilo.exe Win32/Agent.PDG trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\Win\svchost.exe Win32/TrojanDropper.VB.HX trojan (unable to clean - deleted) 00000000000000000000000000000000

#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:57 PM

Posted 08 April 2009 - 11:35 PM

*Looks* a lot better. How are things running?

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#9 Jakezim

Jakezim
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 09 April 2009 - 04:30 PM

It seems pretty good.
Thanks!
I'll post again if there's more trouble.

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:57 PM

Posted 09 April 2009 - 09:49 PM

Hello, Jakezim
Congratulations! You now appear clean! :thumbup2:

Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware
We Need to Remove ComboFix
  • Please go to Start -> Run
  • Enter "ComboFix /u" (without quotes). Note the space betwen "ComboFix" and "/u", it needs to be there.
    Posted Image
  • Press OK (Or hit enter).
  • Allow ComboFix to remove itself.
We Need to Clean Up Our Mess
  • Please download OTCleanIt from one of the following mirrors and save it to your desktop:
  • Double click the Posted Image icon.
  • Push the large "Cleanup" button.
  • Allow your system to reboot.
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :).
Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#11 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:57 PM

Posted 15 April 2009 - 09:51 AM

Hello, Jakezim
Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users