nubobevu.dll found!!!


19 replies to this topic

#1 curlyguest


Posted 30 March 2009 - 09:56 PM

Hi,

SUPERAntiSpyware has found nubobevu.dll on my system. After reboot I received a run 32 error message. The PC is running slower than before...

Here is the DDS log.

Cheers!

DDS (Ver_09-03-16.01) - NTFSx86
Run by Bora at 22:46:13.64 on 30/03/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1216 [GMT -4:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AWC\AWC.exe
C:\yz\YzDock.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bora\My Documents\Downloads\utorrent.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Bora\Desktop\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com
BHO: {70d3e213-b9a6-47d7-ab18-d2c105236655} - c:\windows\system32\migezomu.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [lutavatemi] Rundll32.exe "c:\windows\system32\konazuki.dll",s
mRun: [0c22f73b] rundll32.exe "c:\windows\system32\nubobevu.dll",b
mRun: [CPM0f11c4a7] Rundll32.exe "c:\windows\system32\ludotoja.dll",a
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\bora\startm~1\programs\startup\shortc~1.lnk - c:\yz\YzDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\awc.lnk - c:\program files\awc\AWC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: cbXpopmL - cbXpopmL.dll
AppInit_DLLs: karna.dat lljlvy.dll c:\windows\system32\jelurifo.dll c:\windows\system32\ludotoja.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\windows\system32\jelurifo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bora\applic~1\mozilla\firefox\profiles\c8mi3lka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

============= SERVICES / DRIVERS ===============

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-10-8 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-10-8 40840]
S3 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-10-8 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-10-8 81288]
S3 MXBULK;DualCam Still, MXBulk3.Sys;c:\windows\system32\drivers\mxbulk3.sys --> c:\windows\system32\drivers\MXBulk3.sys [?]
S3 MXCap;DSC-06 Video Camera;c:\windows\system32\drivers\mxcap3.sys --> c:\windows\system32\drivers\MXCap3.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-10-8 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-10-8 1079176]

=============== Created Last 30 ================

2009-03-30 17:10 2,502,317 ---sh--- c:\windows\system32\uvebobun.ini
2009-03-30 17:05 59,801 a------- c:\windows\system32\prunnet.exe
2009-03-21 14:05 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-03-21 14:05 20,992 a------- c:\windows\system32\dshowext.ax
2009-03-20 18:19 <DIR> --d----- C:\IPOD
2009-03-13 19:28 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-13 19:28 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 19:28 <DIR> --d----- c:\program files\iPod
2009-03-13 19:28 <DIR> --d----- c:\program files\iTunes
2009-03-13 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:27 <DIR> --d----- c:\program files\Bonjour
2009-03-13 19:26 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-13 19:26 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-13 19:25 <DIR> --d----- c:\windows\system32\Adobe
2009-03-08 20:25 <DIR> --d----- c:\program files\Windows XP Fun Pack
2009-03-07 20:46 <DIR> --d----- c:\program files\Western Digital Corporation
2009-03-07 20:46 20,992 a------- c:\windows\jestertb.dll

==================== Find3M ====================

2009-03-30 17:10 61,440 a--sh--- c:\windows\system32\segudedu.exe
2009-01-26 17:49 58,620 a--sh--- c:\windows\system32\ycKknWFe.ini2
2007-11-25 16:45 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\jelurifo.dll
0000-00-00 00:00 47,616 a--sh--- c:\windows\system32\konazuki.dll

============= FINISH: 22:46:28.00 ===============
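The DDS log above lists the same handful of DLLs under several different autostart hooks (Run values launched through rundll32, AppInit_DLLs, a Winlogon Notify package, an LSA Notification Package, a nameless BHO). As an added example, not part of this thread and not code from the DDS tool or any product, the Python script below applies the kind of triage a helper does by eye to the "Pseudo HJT Report" section. The sample lines are adapted from the log in this post (one trademark symbol replaced with plain text); the rules themselves (hex-string Run value names, rundll32 calling a one-letter export, a BHO with no friendly name, a Notify DLL listed without a path, any AppInit_DLLs entry, any LSA notification package other than scecli) are heuristics, and the assumption that scecli is the only default LSA package applies to Windows XP.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import NamedTuple


class Finding(NamedTuple):
    location: str  # persistence mechanism the entry lives in (mRun, AppInit_DLLs, ...)
    item: str      # file name or value name that tripped the rule
    reason: str    # why it was flagged


# Constructed sample input, adapted from the "Pseudo HJT Report" section of the DDS log above.
SAMPLE_HJT = r"""
BHO: {70d3e213-b9a6-47d7-ab18-d2c105236655} - c:\windows\system32\migezomu.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [lutavatemi] Rundll32.exe "c:\windows\system32\konazuki.dll",s
mRun: [0c22f73b] rundll32.exe "c:\windows\system32\nubobevu.dll",b
mRun: [CPM0f11c4a7] Rundll32.exe "c:\windows\system32\ludotoja.dll",a
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: cbXpopmL - cbXpopmL.dll
AppInit_DLLs: karna.dat lljlvy.dll c:\windows\system32\jelurifo.dll c:\windows\system32\ludotoja.dll
LSA: Notification Packages = scecli c:\windows\system32\jelurifo.dll
"""

# Assumption: the only LSA notification package present on a default Windows XP install.
LSA_DEFAULTS = {"scecli"}

RUN_RE = re.compile(r"^(?P<loc>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)', re.I)
BHO_RE = re.compile(r"^BHO:\s*(?P<name>[^{]*?)\s*(?P<clsid>\{[0-9a-f-]{36}\})\s*-\s*(?P<path>.*)$", re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(?P<name>\S+)\s*-\s*(?P<dll>.*)$", re.I)
APPINIT_RE = re.compile(r"^AppInit_DLLs:\s*(?P<list>.*)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Notification Packages\s*=\s*(?P<list>.*)$", re.I)
HEX_NAME_RE = re.compile(r"(?:cpm)?[0-9a-f]{8,}", re.I)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, with quotes and directories stripped."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(report: str) -> list[Finding]:
    """Apply the heuristic rules to each Pseudo HJT line and collect the suspicious entries."""
    findings: list[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            # Rule 1: Run value names that are just a hex blob (optionally "CPM" followed by hex).
            if HEX_NAME_RE.fullmatch(m["name"]):
                findings.append(Finding(m["loc"], m["name"], "Run value name is a bare hex string"))
            # Rule 2: rundll32 invoking a DLL by a one-letter export; legitimate entries name a real export.
            if rd := RUNDLL_RE.search(m["cmd"]):
                if len(rd["export"]) <= 1:
                    findings.append(Finding(m["loc"], _basename(rd["dll"]),
                                            f'rundll32 calls one-letter export ",{rd["export"]}"'))
        elif m := BHO_RE.match(line):
            # Rule 3: a BHO whose CLSID has no friendly name registered.
            if not m["name"]:
                findings.append(Finding("BHO", _basename(m["path"]), "BHO has no friendly name for its CLSID"))
        elif m := NOTIFY_RE.match(line):
            # Rule 4: a Winlogon Notify DLL listed without a path (loaded into winlogon.exe by name).
            if "\\" not in m["dll"]:
                findings.append(Finding("Notify", _basename(m["dll"]), "Winlogon Notify DLL given without a path"))
        elif m := APPINIT_RE.match(line):
            # Rule 5: AppInit_DLLs is empty on a clean XP box; every entry loads into every user32 process.
            for entry in m["list"].split():
                findings.append(Finding("AppInit_DLLs", _basename(entry), "AppInit_DLLs entry loads into every GUI process"))
        elif m := LSA_RE.match(line):
            # Rule 6: any LSA notification package beyond scecli runs inside lsass and sees password changes.
            for entry in m["list"].split():
                if _basename(entry).removesuffix(".dll") not in LSA_DEFAULTS:
                    findings.append(Finding("LSA Notification Packages", _basename(entry),
                                            "non-default LSA notification package"))
    return findings


def multi_homed(findings: list[Finding]) -> dict[str, list[str]]:
    """DLLs flagged under more than one mechanism: one file re-establishing itself from several hooks."""
    where: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        if f.item.endswith(".dll"):
            where[f.item].add(f.location)
    return {dll: sorted(locs) for dll, locs in sorted(where.items()) if len(locs) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_HJT)
    for f in found:
        print(f"{f.location:<26} {f.item:<16} {f.reason}")
    for dll, locs in multi_homed(found).items():
        print(f"{dll} persists via {', '.join(locs)}")
```

Run stand-alone, it prints the flagged entries and then the DLLs that appear under more than one mechanism: ludotoja.dll (mRun and AppInit_DLLs) and jelurifo.dll (AppInit_DLLs and LSA Notification Packages). Those are the entries worth prioritising, because a DLL that is loaded into lsass or into every GUI process is already resident before a user-mode scanner starts and can re-create whatever Run value was just deleted. The legitimate entries in the same section (ssv.dll, SASWINLO.dll, NvCpl.dll called with a named export) pass all six rules.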


#2 SifuMike

malware expert

Posted 01 April 2009 - 11:10 PM

Hello curlyguest,

Please disable Spyware Doctor while we run Malwarebytes' Anti-Malware, as it will prevent it from working properly.
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Copy and Paste the entire Malwarebytes' Anti-Malware report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

If you encounter this message: "c:\program files\malwarebytes' Anti-Malware\mbamext.dll Unable to register the dll/ocx: RegSvr32 failed with exit code 0x5", click Ignore.

Edited by SifuMike, 01 April 2009 - 11:13 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 curlyguest


Posted 02 April 2009 - 06:49 PM

Mike Sifu,

Thanks for the help. I performed a quick scan followed by a full scan. Here are the results.

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

02/04/2009 7:00:47 PM
mbam-log-2009-04-02 (19-00-47).txt

Scan type: Quick Scan
Objects scanned: 67654
Time elapsed: 2 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 8
Registry Values Infected: 5
Registry Data Items Infected: 11
Folders Infected: 0
Files Infected: 22

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\zatarozu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zefumiwu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bonopefo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mayonibe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fugajezu.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{70d3e213-b9a6-47d7-ab18-d2c105236655} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{70d3e213-b9a6-47d7-ab18-d2c105236655} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{70d3e213-b9a6-47d7-ab18-d2c105236655} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\seneka (Rootkit.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0c22f73b (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm0f11c4a7 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lutavatemi (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\zefumiwu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\zefumiwu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\mayonibe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\mayonibe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\mayonibe.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\fugajezu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uzejaguf.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\petazoyi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iyozatep.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zefumiwu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\zatarozu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\bonopefo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mayonibe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mogeviga.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\segudedu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekahxtmexjl.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\senekakloluwxr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\senekamexmeyxw.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\konazuki.dll.tmp (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jelurifo.dll.tmp (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yafoyoni.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zesanido.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaevdjnkvp.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekacbsoyqxm.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekaphqoqbit.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.

Malwarebytes' Anti-Malware 1.35
Database version: 1927
Windows 5.1.2600 Service Pack 3

02/04/2009 7:33:31 PM
mbam-log-2009-02-04 (19-33-31).txt

Scan type: Full Scan (C:\|F:\|Z:\|)
Objects scanned: 197945
Time elapsed: 35 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\seneka (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{9B8EB6B4-73B8-4030-96E4-AE548411DEBA}\RP377\A0033172.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B8EB6B4-73B8-4030-96E4-AE548411DEBA}\RP377\A0033175.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B8EB6B4-73B8-4030-96E4-AE548411DEBA}\RP377\A0033176.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9B8EB6B4-73B8-4030-96E4-AE548411DEBA}\RP377\A0033208.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekarqpxehci.sys (Trojan.Agent) -> Quarantined and deleted successfully.

#4 SifuMike

malware expert

Posted 02 April 2009 - 08:40 PM

Hi curlyguest,

We removed part of it but more is remaining. We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.


Please disable Spyware Doctor with AntiVirus as it will prevent ComboFix from working properly.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.

Please install Recovery Console as that is our safety net.

Post the log from ComboFix in your next reply.


A caution -
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

#5 curlyguest


Posted 03 April 2009 - 04:23 PM

Cheers!

Here is the log.

ComboFix 09-04-01.01 - Bora 2009-04-03 8:43:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1637 [GMT -4:00]
Running from: c:\documents and settings\Bora\Desktop\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mefvhhqw.ini
c:\windows\system32\uvebobun.ini
c:\windows\system32\ycKknWFe.ini
c:\windows\system32\ycKknWFe.ini2
c:\windows\Tasks\vvfryzgy.job
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-03-31 18:57 . 2009-03-31 18:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 18:57 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 18:57 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-21 14:05 . 2008-04-13 20:12 20,992 --a------ c:\windows\system32\dshowext.ax
2009-03-21 14:05 . 2008-04-13 20:12 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-03-20 18:19 . 2009-03-29 19:42 <DIR> d-------- C:\IPOD
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\program files\iTunes
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\program files\iPod
2009-03-13 19:28 . 2009-03-13 21:12 <DIR> d-------- c:\documents and settings\Bora\Application Data\Apple Computer
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:28 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-13 19:28 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 19:27 . 2009-03-13 19:27 <DIR> d-------- c:\program files\QuickTime
2009-03-13 19:27 . 2009-03-13 19:27 <DIR> d-------- c:\program files\Bonjour
2009-03-13 19:27 . 2009-03-13 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-13 19:26 . 2009-03-13 19:28 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\program files\Apple Software Update
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-13 19:26 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-13 19:26 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-03-13 19:25 . 2009-03-13 19:29 <DIR> d-------- c:\windows\system32\Adobe
2009-03-08 20:25 . 2009-03-08 20:25 <DIR> d-------- c:\program files\Windows XP Fun Pack
2009-03-07 20:46 . 2009-03-07 20:46 <DIR> d-------- c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 03:32 --------- d-----w c:\documents and settings\Bora\Application Data\uTorrent
2009-04-03 02:50 --------- d-----w c:\documents and settings\Bora\Application Data\Skype
2009-04-02 21:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 00:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-24 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-24 02:38 --------- d-----r c:\program files\Skype
2009-03-23 20:01 --------- d-----w c:\documents and settings\Bora\Application Data\skypePM
2009-02-27 01:02 --------- d-----w c:\program files\WorldOfGooDemo
2009-02-27 01:02 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-02-05 21:51 --------- d-----w c:\program files\Common Files\Elecard
2007-11-25 20:45 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-13 7700480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Bora\Start Menu\Programs\Startup\
Shortcut to YzDock.lnk - c:\yz\YzDock.exe [2007-09-22 386560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AWC.lnk - c:\program files\AWC\AWC.exe [2005-04-24 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bora^Start Menu^Programs^Startup^Styler.lnk]
path=c:\documents and settings\Bora\Start Menu\Programs\Startup\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-03-13 01:57 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-03-13 01:57 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-07-23 13:55 341232 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 06:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-03-13 01:58 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Bora\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
S3 MXBULK;DualCam Still, MXBulk3.Sys;c:\windows\system32\Drivers\MXBulk3.sys --> c:\windows\system32\Drivers\MXBulk3.sys [?]
S3 MXCap;DSC-06 Video Camera;c:\windows\system32\DRIVERS\MXCap3.sys --> c:\windows\system32\DRIVERS\MXCap3.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f0423a-712c-11dd-b2c7-001a4d4f73f3}]
\Shell\AutoRun\command - I:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-cbXpopmL - cbXpopmL.dll

#6 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 April 2009 - 07:02 PM

Hi curlyguest ,

That log has been truncated.
Please post the entire Combofix log. You will find it called c:\ComboFix.txt
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 curlyguest

curlyguest
  • Topic Starter

  • Members
  • 32 posts

Posted 03 April 2009 - 09:36 PM

Not sure how that happened... my bad!

ComboFix 09-04-01.01 - Bora 2009-04-03 8:43:19.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1637 [GMT -4:00]
Running from: c:\documents and settings\Bora\Desktop\Downloads\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\mefvhhqw.ini
c:\windows\system32\uvebobun.ini
c:\windows\system32\ycKknWFe.ini
c:\windows\system32\ycKknWFe.ini2
c:\windows\Tasks\vvfryzgy.job
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-03-03 to 2009-04-03 )))))))))))))))))))))))))))))))
.

2009-03-31 18:57 . 2009-03-31 18:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 18:57 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 18:57 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-21 14:05 . 2008-04-13 20:12 20,992 --a------ c:\windows\system32\dshowext.ax
2009-03-21 14:05 . 2008-04-13 20:12 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-03-20 18:19 . 2009-03-29 19:42 <DIR> d-------- C:\IPOD
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\program files\iTunes
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\program files\iPod
2009-03-13 19:28 . 2009-03-13 21:12 <DIR> d-------- c:\documents and settings\Bora\Application Data\Apple Computer
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:28 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-13 19:28 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 19:27 . 2009-03-13 19:27 <DIR> d-------- c:\program files\QuickTime
2009-03-13 19:27 . 2009-03-13 19:27 <DIR> d-------- c:\program files\Bonjour
2009-03-13 19:27 . 2009-03-13 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-13 19:26 . 2009-03-13 19:28 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\program files\Apple Software Update
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-13 19:26 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-13 19:26 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-03-13 19:25 . 2009-03-13 19:29 <DIR> d-------- c:\windows\system32\Adobe
2009-03-08 20:25 . 2009-03-08 20:25 <DIR> d-------- c:\program files\Windows XP Fun Pack
2009-03-07 20:46 . 2009-03-07 20:46 <DIR> d-------- c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-03 03:32 --------- d-----w c:\documents and settings\Bora\Application Data\uTorrent
2009-04-03 02:50 --------- d-----w c:\documents and settings\Bora\Application Data\Skype
2009-04-02 21:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 00:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-24 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-24 02:38 --------- d-----r c:\program files\Skype
2009-03-23 20:01 --------- d-----w c:\documents and settings\Bora\Application Data\skypePM
2009-02-27 01:02 --------- d-----w c:\program files\WorldOfGooDemo
2009-02-27 01:02 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-02-05 21:51 --------- d-----w c:\program files\Common Files\Elecard
2007-11-25 20:45 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-13 7700480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Bora\Start Menu\Programs\Startup\
Shortcut to YzDock.lnk - c:\yz\YzDock.exe [2007-09-22 386560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AWC.lnk - c:\program files\AWC\AWC.exe [2005-04-24 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bora^Start Menu^Programs^Startup^Styler.lnk]
path=c:\documents and settings\Bora\Start Menu\Programs\Startup\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-03-13 01:57 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-03-13 01:57 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-07-23 13:55 341232 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 06:43 69632 c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-03-13 01:58 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Bora\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
S3 MXBULK;DualCam Still, MXBulk3.Sys;c:\windows\system32\Drivers\MXBulk3.sys --> c:\windows\system32\Drivers\MXBulk3.sys [?]
S3 MXCap;DSC-06 Video Camera;c:\windows\system32\DRIVERS\MXCap3.sys --> c:\windows\system32\DRIVERS\MXCap3.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f0423a-712c-11dd-b2c7-001a4d4f73f3}]
\Shell\AutoRun\command - I:\Setup.exe
.
- - - - ORPHANS REMOVED - - - -

Notify-cbXpopmL - cbXpopmL.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bora\Application Data\Mozilla\Firefox\Profiles\c8mi3lka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-03 08:45:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-03 8:47:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-03 12:47:18

Pre-Run: 11,869,458,432 bytes free
Post-Run: 11,876,900,864 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

194 --- E O F --- 2009-01-15 15:56:41

#8 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 03 April 2009 - 10:13 PM

Hi curlyguest,


Please disable Spyware Doctor with AntiVirus while we run ComboFix, as it will prevent it from working properly.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\windows\Alcmtr.exe

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
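The two registry values the CFScript above sets back (AntiVirusOverride under the Security Center key and EnableFirewall under the firewall standard profile) are exactly what an analyst reads a ComboFix "Reg Loading Points" section for, together with the MountPoints2 AutoRun command that both of curlyguest's logs show. The Python script below is an added example, not part of this thread or of ComboFix itself: it scans the text of a log for those three things. Its rule labels, regular expressions and triage() function are this example's own; the two sample inputs are excerpts assembled from the logs posted above, one from before and one from after the CFScript ran.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; it is not part of ComboFix or of any post
above. It flags the settings SifuMike's CFScript reverts (the Security
Center AntiVirusOverride flag and the disabled firewall standard profile)
and any MountPoints2 AutoRun command the log lists. The rule labels,
regular expressions and the triage() function are this example's own.
"""
import re
from typing import List, Tuple

# Settings that weaken the host's own defences. Each rule is a
# (finding label, regex) pair; the regex must match the key header line
# followed immediately by the value line, as ComboFix prints them.
RULES: List[Tuple[str, re.Pattern]] = [
    (
        "security-center antivirus override enabled",
        re.compile(
            r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\][ \t]*\r?\n"
            r'"AntiVirusOverride"=dword:00000001',
            re.I | re.M,
        ),
    ),
    (
        "windows firewall standard profile disabled",
        re.compile(
            r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy"
            r"\\standardprofile\][ \t]*\r?\n"
            r'"EnableFirewall"=[ \t]*0\b',
            re.I | re.M,
        ),
    ),
]

# MountPoints2 entries: a per-volume GUID key whose AutoRun command is
# what Explorer would run when that (usually removable) volume is opened.
AUTORUN = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion"
    r"\\explorer\\mountpoints2\\(\{[0-9a-f-]+\})\][ \t]*\r?\n"
    r"\\Shell\\AutoRun\\command - (.+?)[ \t\r]*$",
    re.I | re.M,
)


def triage(log_text: str) -> List[str]:
    """Return one human-readable finding per weak setting found in log_text."""
    findings = [label for label, pattern in RULES if pattern.search(log_text)]
    for guid, command in AUTORUN.findall(log_text):
        findings.append(f"mountpoints2 autorun {guid} -> {command}")
    return findings


# Excerpt assembled from the first ComboFix log in this thread (before CFScript).
SAMPLE_BEFORE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f0423a-712c-11dd-b2c7-001a4d4f73f3}]
\Shell\AutoRun\command - I:\Setup.exe
.
"""

# Excerpt assembled from the second log (after CFScript): the two overrides
# are gone, the AutoRun mount point is still there.
SAMPLE_AFTER = r"""[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f0423a-712c-11dd-b2c7-001a4d4f73f3}]
\Shell\AutoRun\command - I:\Setup.exe
.
"""

if __name__ == "__main__":
    for name, sample in (("before CFScript", SAMPLE_BEFORE), ("after CFScript", SAMPLE_AFTER)):
        print(name)
        for finding in triage(sample) or ["no weak settings found"]:
            print("  -", finding)
```

Run it as a script to print the findings for both excerpts, or import it and pass the text of a saved ComboFix.txt to triage(). The "after" excerpt still reports the AutoRun mount point, which the CFScript did not remove; leftovers like that are what to compare between the two logs.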

#9 curlyguest

curlyguest
  • Topic Starter

  • Members
  • 32 posts

Posted 03 April 2009 - 11:17 PM

ComboFix 09-04-03.01 - Bora 2009-04-04 0:12:49.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1546 [GMT -4:00]
Running from: c:\documents and settings\Bora\Desktop\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Bora\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Alcmtr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Alcmtr.exe
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2009-03-04 to 2009-04-04 )))))))))))))))))))))))))))))))
.

2009-04-03 17:26 . 2009-04-03 17:26 <DIR> d-------- c:\windows\LastGood
2009-03-31 18:57 . 2009-03-31 18:57 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-31 18:57 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 18:57 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-21 14:05 . 2008-04-13 20:12 20,992 --a------ c:\windows\system32\dshowext.ax
2009-03-21 14:05 . 2008-04-13 20:12 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-03-20 18:19 . 2009-03-29 19:42 <DIR> d-------- C:\IPOD
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\program files\iTunes
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\program files\iPod
2009-03-13 19:28 . 2009-03-13 21:12 <DIR> d-------- c:\documents and settings\Bora\Application Data\Apple Computer
2009-03-13 19:28 . 2009-03-13 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:28 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll
2009-03-13 19:28 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 19:27 . 2009-03-13 19:27 <DIR> d-------- c:\program files\QuickTime
2009-03-13 19:27 . 2009-03-13 19:27 <DIR> d-------- c:\program files\Bonjour
2009-03-13 19:27 . 2009-03-13 19:28 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-13 19:26 . 2009-03-13 19:28 <DIR> d-------- c:\program files\Common Files\Apple
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\program files\Apple Software Update
2009-03-13 19:26 . 2009-03-13 19:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-03-13 19:26 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-13 19:26 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys
2009-03-13 19:25 . 2009-03-13 19:29 <DIR> d-------- c:\windows\system32\Adobe
2009-03-08 20:25 . 2009-03-08 20:25 <DIR> d-------- c:\program files\Windows XP Fun Pack
2009-03-07 20:46 . 2009-03-07 20:46 <DIR> d-------- c:\program files\Western Digital Corporation

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-04 03:23 --------- d-----w c:\documents and settings\Bora\Application Data\Skype
2009-04-04 03:12 --------- d-----w c:\documents and settings\Bora\Application Data\uTorrent
2009-04-02 21:45 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-30 00:05 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-24 02:38 --------- d-----w c:\documents and settings\All Users\Application Data\Skype
2009-03-24 02:38 --------- d-----r c:\program files\Skype
2009-03-23 20:01 --------- d-----w c:\documents and settings\Bora\Application Data\skypePM
2009-02-27 01:02 --------- d-----w c:\program files\WorldOfGooDemo
2009-02-27 01:02 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-05 21:51 --------- d-----w c:\program files\Common Files\Elecard
2007-11-25 20:45 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-04-03_ 8.46.37.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 06:54:55 144,896 -c----w c:\windows\system32\dllcache\schannel.dll
+ 2008-06-17 19:02:19 8,461,312 -c----w c:\windows\system32\dllcache\shell32.dll
- 2008-09-15 12:12:56 1,846,400 -c----w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 -c----w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 03:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 22:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2009-02-25 16:55:00 24,768,960 ----a-w c:\windows\system32\MRT.exe
- 2008-04-14 00:12:05 144,384 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
- 2007-08-11 00:46:18 26,488 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 13:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2007-06-12 03:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 22:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
+ 2009-04-03 21:17:35 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2007-02-06 1953792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-13 7700480]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Bora\Start Menu\Programs\Startup\
Shortcut to YzDock.lnk - c:\yz\YzDock.exe [2007-09-22 386560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AWC.lnk - c:\program files\AWC\AWC.exe [2005-04-24 577536]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=c:\windows\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bora^Start Menu^Programs^Startup^Styler.lnk]
path=c:\documents and settings\Bora\Start Menu\Programs\Startup\Styler.lnk
backup=c:\windows\pss\Styler.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-23 18:05 143360 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 00:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-03-13 01:57 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-03-13 01:57 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 c:\program files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
--a------ 2007-07-23 13:55 341232 c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-03-13 01:58 1622016 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Documents and Settings\\Bora\\My Documents\\Downloads\\utorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-08-28 26488]
S3 MXBULK;DualCam Still, MXBulk3.Sys;c:\windows\system32\Drivers\MXBulk3.sys --> c:\windows\system32\Drivers\MXBulk3.sys [?]
S3 MXCap;DSC-06 Video Camera;c:\windows\system32\DRIVERS\MXCap3.sys --> c:\windows\system32\DRIVERS\MXCap3.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e3f0423a-712c-11dd-b2c7-001a4d4f73f3}]
\Shell\AutoRun\command - I:\Setup.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Bora\Application Data\Mozilla\Firefox\Profiles\c8mi3lka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-04 00:13:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2009-04-04 0:14:31
ComboFix-quarantined-files.txt 2009-04-04 04:14:29
ComboFix2.txt 2009-04-03 12:47:21

Pre-Run: 11,587,616,768 bytes free
Post-Run: 11,578,445,824 bytes free

187 --- E O F --- 2009-04-03 21:29:56


DDS (Ver_09-03-16.01) - NTFSx86
Run by Bora at 0:16:45.32 on 04/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1484 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\AWC\AWC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Bora\Desktop\Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\styler\tb\StylerTB.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] c:\windows\system32\JMRaidSetup.exe boot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\bora\startm~1\programs\startup\shortc~1.lnk - c:\yz\YzDock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\awc.lnk - c:\program files\awc\AWC.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bora\applic~1\mozilla\firefox\profiles\c8mi3lka.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
S2 spupdsvc;Windows Service Pack Installer update service;c:\windows\system32\spupdsvc.exe [2007-8-28 26488]
S3 MXBULK;DualCam Still, MXBulk3.Sys;c:\windows\system32\drivers\mxbulk3.sys --> c:\windows\system32\drivers\MXBulk3.sys [?]
S3 MXCap;DSC-06 Video Camera;c:\windows\system32\drivers\mxcap3.sys --> c:\windows\system32\drivers\MXCap3.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]

=============== Created Last 30 ================

2009-04-04 00:12 <DIR> --d----- C:\ComboFix
2009-04-03 08:42 <DIR> a-dshr-- C:\cmdcons
2009-04-03 08:42 161,792 a------- c:\windows\SWREG.exe
2009-04-03 08:42 98,816 a------- c:\windows\sed.exe
2009-03-31 18:57 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-31 18:57 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-31 18:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-21 14:05 20,992 ac------ c:\windows\system32\dllcache\dshowext.ax
2009-03-21 14:05 20,992 a------- c:\windows\system32\dshowext.ax
2009-03-20 18:19 <DIR> --d----- C:\IPOD
2009-03-13 19:28 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-03-13 19:28 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-13 19:28 <DIR> --d----- c:\program files\iPod
2009-03-13 19:28 <DIR> --d----- c:\program files\iTunes
2009-03-13 19:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-13 19:27 <DIR> --d----- c:\program files\Bonjour
2009-03-13 19:26 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-13 19:26 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-03-13 19:25 <DIR> --d----- c:\windows\system32\Adobe
2009-03-08 20:25 <DIR> --d----- c:\program files\Windows XP Fun Pack
2009-03-07 20:46 <DIR> --d----- c:\program files\Western Digital Corporation

==================== Find3M ====================

2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2007-11-25 16:45 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

============= FINISH: 0:16:51.26 ===============

#10 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:08:22 PM

Posted 03 April 2009 - 11:39 PM

Hi curlyguest,
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 13.
  • Click the "Download" button to the right.
  • At the Select Platform and Language for your download drop down box
    Select Windows and Multi-Language
  • Check the box that says: "Accept License Agreement" then press Continue ( Selecting Windows will give you the 32 bit version. )
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language jre-6u13-windows-i586-p.exe and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java™ 6 Update 11
    Java™ 6 Update 7
    J2SE Runtime Environment 5.0 Update 6
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.


Please disable Spyware Doctor with AntiVirus while we run Kaspersky Online Scanner, as it will prevent it from working properly.

Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Edited by SifuMike, 03 April 2009 - 11:43 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!



Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 curlyguest

curlyguest
  • Topic Starter


Posted 04 April 2009 - 12:58 PM

KOS results

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, April 4, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, April 04, 2009 15:36:32
Records in database: 2010107
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
Z:\

Scan statistics:
Files scanned: 124594
Threat name: 1
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 03:24:25


File name / Threat name / Threats count
C:\Documents and Settings\Bora\DoctorWeb\Quarantine\A0024464.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\Documents and Settings\Bora\DoctorWeb\Quarantine\bsplayer211[1].940_clip.exe Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1

The selected area was scanned.

#12 SifuMike

SifuMike


Posted 04 April 2009 - 01:02 PM

Hi curlyguest,

How is the computer running?

We still have to do some program clean up.

#13 curlyguest

curlyguest
  • Topic Starter


Posted 05 April 2009 - 09:38 AM

Sifu Mike,

Thank you for all the help. It seems to run just fine; the start-up is slower than before, but that might be due to the Recovery Console.

The bigger problem is that my browser is redirected when I click on a Google search result...

Please let me know what the next step is.

Cheers!

#14 SifuMike

SifuMike


Posted 05 April 2009 - 01:14 PM

Are you using a router?

Which browser is being redirected, Firefox or IE? Are they both being redirected?


Please download GooredFix and save it to your Desktop. Double-click Goored.exe to run it. Select 1. Find Goored (no fix) by typing 1 and pressing Enter. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt). Note: Do not run Option #2 yet.

Edited by SifuMike, 05 April 2009 - 01:19 PM.
typo


#15 curlyguest

curlyguest
  • Topic Starter


Posted 05 April 2009 - 06:57 PM

Yes, I am. The cable connection goes to a router and then to wireless, though the PC is connected via cable, not wireless.

Firefox is being redirected; as I don't use IE, I'm not sure if that one is.

GooredFix v1.92 by jpshortstuff
Log created at 19:55 on 05/04/2009 running Option #1 (Bora)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\Program Files\Mozilla Firefox\extensions\{9441DF94-84BE-4738-8A06-C1B478F6ADD6}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.8\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

Edited by curlyguest, 05 April 2009 - 06:58 PM.
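The GooredFix log above separates a "Suspect Goored Entries" section (extension directories under the Firefox install that the tool could not vouch for) from a "Dumping Registry Values" section (HKLM Mozilla keys that can silently register an add-on from any path). The following is an added example, not part of this thread or of GooredFix itself: a small Python parser for that log layout that lists every add-on ID found in either section and flags the ones absent from an allowlist. The sample log is constructed from the posted output, and the allowlist containing jqs@sun.com (Java Quick Starter, which ships with the JRE) is an assumption a reviewer would adjust.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the GooredFix v1.92 log layout shown in the thread
# (extension GUID and registry values copied from the posted log).
SAMPLE_LOG = """GooredFix v1.92 by jpshortstuff
Log created at 19:55 on 05/04/2009 running Option #1 (Bora)
Firefox version 3.0.8 (en-US)

=====Suspect Goored Entries=====

C:\\Program Files\\Mozilla Firefox\\extensions\\{9441DF94-84BE-4738-8A06-C1B478F6ADD6}

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla\\Mozilla Firefox 3.0.8\\extensions]
"Plugins"="C:\\Program Files\\Mozilla Firefox\\plugins"

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Mozilla\\Firefox\\extensions]
"jqs@sun.com"="C:\\Program Files\\Java\\jre6\\lib\\deploy\\jqs\\ff"
"""

# Assumption: add-on IDs an administrator has vetted (jqs@sun.com is the
# Java Quick Starter add-on installed by the JRE seen in the DDS log).
KNOWN_GOOD_IDS = {"jqs@sun.com"}
# Registry value names under the Mozilla keys that point at core Firefox
# directories rather than at add-ons, so they are not extension IDs.
CORE_VALUES = {"Plugins", "Components"}

@dataclass
class GooredReport:
    suspect_dirs: list = field(default_factory=list)
    registry_extensions: dict = field(default_factory=dict)  # id -> path

    def unknown_ids(self):
        """Add-on IDs from both sections that are not on the allowlist."""
        ids = {d.rsplit("\\", 1)[-1] for d in self.suspect_dirs}
        ids |= set(self.registry_extensions)
        return sorted(ids - KNOWN_GOOD_IDS)

def parse_goored_log(text):
    report, section = GooredReport(), None
    for line in (l.strip() for l in text.splitlines()):
        header = re.fullmatch(r"=====(.+?)=====", line)
        if header:
            section = header.group(1)
        elif line and section == "Suspect Goored Entries":
            report.suspect_dirs.append(line)
        elif section == "Dumping Registry Values":
            # Only "name"="path" value lines; [KEY] lines do not match.
            kv = re.fullmatch(r'"([^"]+)"="([^"]*)"', line)
            if kv and kv.group(1) not in CORE_VALUES:
                report.registry_extensions[kv.group(1)] = kv.group(2)
    return report
```

Running `parse_goored_log(SAMPLE_LOG).unknown_ids()` on the sample returns only the GUID-named directory, which matches what GooredFix itself singled out.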