Vundo!grb


This topic is locked
15 replies to this topic

#1 phillipypy
  • Members
  • 18 posts

Posted 12 April 2009 - 09:57 PM

Hi, I was redirected from http://www.bleepingcomputer.com/forums/topic218157-15.html.

Here's my log:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Phillip Yang at 21:51:55.28 on Sun 04/12/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.774 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Phillip Yang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1213d0b5-4533-4d17-8925-2cffac441382} - c:\windows\system32\khfCrOgG.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - No File
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [LFAgent]
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\philli~1\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe
IE: &Download FLV by WinAVI... - c:\program files\winavi flv converter\flv_link.htm
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71}
DPF: {11A3221C-5A7A-4F0B-A71F-8139BDBAB504} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202781344234
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.ipop.co.kr/gom/GomWeb.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxps://secwebclinic.ahnlab.com/asp/cab/mkdplus.cab
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: awtstjay - awtsTJay.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfCrOgG

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\philli~1\applic~1\mozilla\firefox\profiles\p6tnwn8e.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2007-10-16 31784]
R1 sasdifsv;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 saskutil;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-3-23 72944]
R2 mcafeeframework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-4-4 103744]
R2 mcshield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-10-16 144704]
R2 mctaskmanager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-10-16 54608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-23 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-4-4 72680]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-4-4 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-4-4 171272]
S1 56d3dab;56d3dab;c:\windows\system32\drivers\56d3dab.sys --> c:\windows\system32\drivers\56d3dab.sys [?]
S1 cmosa;cmosa; [x]
S2 LF30FS;LF30FS;\??\c:\program files\everstrike software\lock folder xp 3.6\lf30xp.sys --> c:\program files\everstrike software\lock folder xp 3.6\LF30XP.sys [?]
S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\cheat engine\dbk32.sys --> c:\program files\cheat engine\dbk32.sys [?]
S3 cheetah1;cheetah1;\??\c:\cheetahengine\cheetah.sys --> c:\cheetahengine\cheetah.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\program files\disk drove\disk_1024.sys --> c:\program files\disk drove\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\program files\dual engine\dualengi.sys --> c:\program files\dual engine\DualEngi.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-10-30 13352]
S3 KIKIDRIVER;KIKIDRIVER;\??\c:\kiki\kiki.sys --> c:\kiki\kiki.sys [?]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]
S3 MzBot;MzBot;\??\c:\mzbot.sys --> c:\MzBot.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\sro bot\ntprocdrv.sys --> c:\sro bot\NtProcDrv.sys [?]
S3 NUBBER;NUBBER;\??\c:\program files\noob engine\nubbk32.sys --> c:\program files\noob engine\nubbk32.sys [?]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-10-30 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-10-30 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-10-30 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-10-30 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-10-30 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-10-30 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-10-30 115752]
S3 sasenum;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 sejt1;sejt1;\??\c:\akumaengine33\sejt.sys --> c:\akumaengine33\sejt.sys [?]
S3 spuce1;spuce1;\??\c:\program files\spuce 2.0\spuce.sys --> c:\program files\spuce 2.0\spuce.sys [?]
S3 UCEDRIVER53;UCEDRIVER53;\??\c:\program files\ultimate hack pack\uce\cetc.sys --> c:\program files\ultimate hack pack\uce\cetc.sys [?]
S3 XDva011;XDva011;\??\c:\windows\system32\xdva011.sys --> c:\windows\system32\XDva011.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 xp1;xp1;\??\c:\program files\xpengine\xp.sys --> c:\program files\xpengine\xp.sys [?]
S3 zenx1;zenx1;\??\c:\program files\zenxengine_latest\zenx.sys --> c:\program files\zenxengine_latest\zenx.sys [?]

=============== Created Last 30 ================

2009-04-11 20:20 <DIR> --d----- C:\gmer
2009-04-10 18:26 <DIR> --d----- c:\documents and settings\phillip yang\DoctorWeb
2009-04-10 10:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-10 10:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-10 10:17 <DIR> --d----- c:\docume~1\philli~1\applic~1\SUPERAntiSpyware.com
2009-04-10 00:22 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-10 00:20 <DIR> --d----- c:\windows\ERUNT
2009-04-10 00:16 <DIR> --d----- C:\SDFix
2009-04-09 20:28 <DIR> --d----- c:\docume~1\philli~1\applic~1\Malwarebytes
2009-04-09 20:28 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-09 20:28 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-09 20:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-09 20:28 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-09 06:37 3,506 a--sh--- c:\windows\system32\GgOrCfhk.ini2
2009-04-09 06:37 3,506 a--sh--- c:\windows\system32\GgOrCfhk.ini
2009-04-04 18:58 <DIR> --d----- C:\QUARANTINE
2009-04-04 18:52 1,495,552 a------- c:\windows\system32\epoPGPsdk.dll
2009-04-04 18:52 280 a------- c:\windows\system32\epoPGPsdk.dll.sig
2009-04-04 18:52 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-04-04 18:52 171,272 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-04 18:52 72,680 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 18:52 64,168 a------- c:\windows\system32\drivers\mfeapfk.sys
2009-04-04 18:52 51,944 a------- c:\windows\system32\drivers\mfetdik.sys
2009-04-04 18:52 33,960 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-04 18:51 <DIR> --d----- c:\program files\McAfee
2009-04-04 18:51 <DIR> --d----- c:\program files\common files\McAfee
2009-04-04 10:27 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-03-21 19:28 719,872 a------- c:\windows\system32\devil.dll
2009-03-21 19:28 318,976 a------- c:\windows\system32\avisynth.dll
2009-03-21 19:27 <DIR> --d----- c:\program files\AviSynth 2.5
2009-03-21 19:11 356,352 a------- c:\windows\eSellerateEngine.dll
2009-03-21 19:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0
2009-03-20 17:25 41,808 a------- c:\windows\system32\xfcodec.dll
2009-03-15 23:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\2DBoy

==================== Find3M ====================

2009-03-30 19:08 43,656 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-07-19 23:16 22,328 a------- c:\docume~1\philli~1\applic~1\PnkBstrK.sys

============= FINISH: 21:53:21.48 ===============



Thanks.


#2 Maurice Naggar
  • Malware Response Team
  • 1,088 posts

Posted 19 April 2009 - 11:58 AM

Hello Phillip,

Since it has been over a week since your post here, please reply soonest to advise if the same issues are present, or, if this has been fixed elsewhere.
I read your other thread and this system does have a definite rootkit infection.

Please reply very soon.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#3 phillipypy
  • Members
  • 18 posts

Posted 19 April 2009 - 01:43 PM

I still have it, thanks.

#4 Maurice Naggar
  • Malware Response Team
  • 1,088 posts

Posted 19 April 2009 - 04:51 PM

I still have it, thanks.


Hello Phillip and welcome to Bleeping Computer forums.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!
These steps are for member phillipypy only. If you are a lurker, do NOT try this on your system!

If you are not phillipypy and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

There is a mix of serious rootkit infections here, which I will attempt to help you to remove. Please follow these instructions to get started. There will be lots more to do later. For now, I want to see if we can at least knock it down some.

The rootkit infections are of the variant OVFST and GAOPDX.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in between the **** stars **** below to the clipboard by highlighting it and then pressing Ctrl+C.
    *************************************
    Files to delete:
    C:\WINDOWS\system32\drivers\gaopdxypmrjotnybthwgmbpsdefhffncscwagb.sys
    C:\WINDOWS\system32\drivers\ovfsthtcethfrlypjgfcogiiujftkvskaydtkx.sys
    C:\WINDOWS\system32\drivers\gaopdxserv.sys
    c:\windows\system32\khfCrOgG.dll

    Drivers to delete:
    gaopdxypmrjotnybthwgmbpsdefhffncscwagb
    gaopdxypmrjotnybthwgmbpsdefhffncscwagb.sys
    ovfsthtcethfrlypjgfcogiiujftkvskaydtkx
    ovfsthtcethfrlypjgfcogiiujftkvskaydtkx.sys
    gaopdxserv
    gaopdxserv.sys
    ovfsthdsmwaslartpevgethqmyoffbtqdyfdbk

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    i:\recycler

    *************************************
  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.
and then reboot the system again.
=

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a confirmation message.

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message, then be sure to write it down fully and also copy that into your next reply here, and then await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=

RE-Enable your AntiVirus and AntiSpyware applications.

Start the DDS.scr and do a fresh new set of log reports. Your last one here was from April 12th.

Reply with copies of C:\Avenger.txt
C:\Combofix.txt
and the new DDS reports

There will be lots more to do. This is just the start.

Edited by Maurice Naggar, 19 April 2009 - 07:27 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)
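
The persistence points Maurice is reacting to in the DDS report above can be picked out mechanically: the extra entry in LSA Authentication Packages (only msv1_0 belongs there; anything else is loaded into lsass.exe at boot), the Winlogon Notify DLL given with no path, the BHO that has a GUID but no description, drivers whose image file DDS marks with [?], and Vundo's habit of writing an .ini whose name is its DLL name spelled backwards (khfCrOgG.dll alongside GgOrCfhk.ini). The script below is an added example written for this page; it is not a tool from the thread nor from the DDS, Avenger or ComboFix authors. It runs over a constructed sample made of lines copied from the DDS log posted above, and the eight-letter mixed-case name heuristic in `looks_random` is an assumption of the example, not a rule stated anywhere in the thread.

```python
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "severity category detail")

# Constructed sample input: a trimmed selection of lines copied from the DDS log
# posted in this thread (Pseudo HJT Report, Services/Drivers, Created Last 30).
SAMPLE_DDS = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1213d0b5-4533-4d17-8925-2cffac441382} - c:\windows\system32\khfCrOgG.dll
BHO: {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - No File
Notify: !saswinlogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: awtstjay - awtsTJay.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\khfCrOgG
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2007-10-16 31784]
S1 56d3dab;56d3dab;c:\windows\system32\drivers\56d3dab.sys --> c:\windows\system32\drivers\56d3dab.sys [?]
S3 MzBot;MzBot;\??\c:\mzbot.sys --> c:\MzBot.sys [?]
2009-04-09 06:37 3,506 a--sh--- c:\windows\system32\GgOrCfhk.ini2
2009-04-09 06:37 3,506 a--sh--- c:\windows\system32\GgOrCfhk.ini
"""


def stem(path):
    """Base name of a Windows path with its extension removed."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0] if "." in name else name


def looks_random(name):
    """Heuristic (an assumption of this example, not a rule from the thread):
    Vundo-style file names are eight letters with irregular mixed case,
    e.g. khfCrOgG or awtsTJay; Ati2evxx (digit) and SASWINLO (all caps) are not."""
    if len(name) != 8 or not name.isalpha():
        return False
    body = name[1:]
    return any(c.isupper() for c in body) and any(c.islower() for c in body)


def triage_dds(text):
    """Walk DDS report lines and return Finding records for persistence points worth review."""
    findings = []
    flagged_stems = set()   # DLL stems already flagged as likely malicious
    created_paths = []      # paths from the "Created Last 30" section
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.startswith("LSA: Authentication Packages"):
            # Only msv1_0 belongs here; anything else is loaded into lsass.exe at boot.
            for pkg in line.split("=", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    findings.append(Finding("high", "LSA", f"extra authentication package {pkg}"))
                    flagged_stems.add(stem(pkg))
        elif line.startswith("Notify:"):
            # Winlogon Notify DLLs run inside winlogon.exe; a bare file name resolves in system32.
            name, _, dll = line[len("Notify:"):].partition(" - ")
            dll = dll.strip()
            if "\\" not in dll:
                sev = "high" if looks_random(stem(dll)) else "review"
                findings.append(Finding(sev, "WinlogonNotify", f"{name.strip()} loads {dll} with no path"))
                if sev == "high":
                    flagged_stems.add(stem(dll))
        elif line.startswith("BHO:"):
            body = line[len("BHO:"):].strip()
            target = body.rsplit(" - ", 1)[-1]
            if target == "No File":
                findings.append(Finding("low", "BHO", f"orphaned entry {body}"))
            elif body.startswith("{"):
                # A BHO with a GUID but no description string is unusual for commercial software.
                sev = "high" if looks_random(stem(target)) else "review"
                findings.append(Finding(sev, "BHO", f"unnamed BHO {target}"))
                if sev == "high":
                    flagged_stems.add(stem(target))
        elif re.match(r"^[RS][0-4] ", line) and line.endswith("[?]"):
            # DDS prints [?] when the service's image file cannot be found or verified.
            svc = line.split(";", 1)[0].split(" ", 1)[1]
            findings.append(Finding("review", "Driver", f"service {svc} has no verifiable file on disk"))
        elif re.match(r"^\d{4}-\d{2}-\d{2} ", line):
            fields = line.split(None, 4)  # date, time, size or <DIR>, attributes, path
            if len(fields) == 5:
                created_paths.append(fields[4])
    # Vundo writes an .ini next to its DLL whose name is the DLL name spelled backwards.
    for path in created_paths:
        reversed_stem = stem(path)[::-1]
        if reversed_stem in flagged_stems:
            findings.append(Finding("high", "VundoPair", f"{path} is the reversed name of {reversed_stem}"))
    return findings


def summarize(findings):
    """Count findings by severity."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.category:15} {f.detail}")
    print(summarize(triage_dds(SAMPLE_DDS)))
```

On the sample, the script reports khfCrOgG three times (the unnamed BHO, the LSA package, and the two reversed-name .ini files), awtsTJay once, and puts the two [?] drivers and the path-less Ati2evxx.dll into a "review" bucket rather than calling them malicious; the real DDS log above has many more [?] drivers, which is exactly why a helper only ranks them and leaves the decision to the analyst.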

#5 phillipypy
  • Members
  • 18 posts

Posted 19 April 2009 - 07:40 PM

Thanks for the quick reply.

Here's my avenger log.

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: file "C:\WINDOWS\system32\drivers\gaopdxypmrjotnybthwgmbpsdefhffncscwagb.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gaopdxypmrjotnybthwgmbpsdefhffncscwagb.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\ovfsthtcethfrlypjgfcogiiujftkvskaydtkx.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ovfsthtcethfrlypjgfcogiiujftkvskaydtkx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\WINDOWS\system32\drivers\gaopdxserv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "c:\windows\system32\khfCrOgG.dll" not found!
Deletion of file "c:\windows\system32\khfCrOgG.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxypmrjotnybthwgmbpsdefhffncscwagb" not found!
Deletion of driver "gaopdxypmrjotnybthwgmbpsdefhffncscwagb" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxypmrjotnybthwgmbpsdefhffncscwagb.sys" not found!
Deletion of driver "gaopdxypmrjotnybthwgmbpsdefhffncscwagb.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthtcethfrlypjgfcogiiujftkvskaydtkx" not found!
Deletion of driver "ovfsthtcethfrlypjgfcogiiujftkvskaydtkx" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\ovfsthtcethfrlypjgfcogiiujftkvskaydtkx.sys" not found!
Deletion of driver "ovfsthtcethfrlypjgfcogiiujftkvskaydtkx.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\gaopdxserv" not found!
Deletion of driver "gaopdxserv" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Driver "gaopdxserv.sys" deleted successfully.
Driver "ovfsthdsmwaslartpevgethqmyoffbtqdyfdbk" deleted successfully.

Error: folder "C:recycler" not found!
Deletion of folder "C:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "D:recycler" not found!
Deletion of folder "D:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "e:recycler" not found!
Deletion of folder "e:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "f:recycler" not found!
Deletion of folder "f:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "g:recycler" not found!
Deletion of folder "g:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "h:recycler" not found!
Deletion of folder "h:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "i:recycler" not found!
Deletion of folder "i:recycler" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Combo-fix log

ComboFix 09-04-20.02 - Phillip Yang 04/19/2009 19:21.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.923 [GMT -5:00]
Running from: c:\documents and settings\Phillip Yang\Desktop\Combo-Fix.exe
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Phillip Yang\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\system32\command.pif
c:\windows\system32\GgOrCfhk.ini
c:\windows\system32\GgOrCfhk.ini2
c:\windows\Tasks\kdnanxyd.job

----- BITS: Possible infected sites -----

hxxp://drm.wippiespace.com
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-07-02 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-03-09 37888]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-12 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-12 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-12 455168]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-03-15 185896]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-07-31 1116920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-10-17 111952]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2007-10-25 136512]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\Phillip Yang\Start Menu\Programs\Startup\
Xfire.lnk - c:\program files\Xfire\xfire.exe [2009-4-10 3111248]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave2"= serwvdrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0aswBoot.exe /M:56828a2415506

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Xfire\\xfire.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Warcraft III\\war3.exe"=
"c:\\Program Files\\Starcraft\\StarCraft.exe"=
"c:\\Documents and Settings\\Phillip Yang\\My Documents\\listchecker\\pickup.listchecker.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Steam\\SteamApps\\tomatoofterror@yahoo.com\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\tomatoofterror@yahoo.com\\team fortress 2\\hl2.exe"=
"c:\\ijji\\ENGLISH\\u_gbound.exe"=
"f:\\ijji\\ENGLISH\\Gunbound Revolution\\GunBound.gme"=
"c:\\Program Files\\Steam\\SteamApps\\tomatoofterror@yahoo.com\\insurgency\\hl2.exe"=
"c:\\Program Files\\Age of Empires III\\age3.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23919:TCP"= 23919:TCP:BitComet 23919 TCP
"23919:UDP"= 23919:UDP:BitComet 23919 UDP
"21172:TCP"= 21172:TCP:BitComet 21172 TCP
"21172:UDP"= 21172:UDP:BitComet 21172 UDP

R1 56d3dab;56d3dab; [x]
R1 cmosa;cmosa; [x]
R2 LF30FS;LF30FS; [x]
R3 CEDRIVER52;CEDRIVER52; [x]
R3 cheetah1;cheetah1; [x]
R3 DISK_DRIVE32;DISK_DRIVE32; [x]
R3 Dua1;Dua1; [x]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-10-31 13352]
R3 KIKIDRIVER;KIKIDRIVER; [x]
R3 MzBot;MzBot; [x]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-08-02 32512]
R3 NTProcDrv;Process creation detector for NT.; [x]
R3 NUBBER;NUBBER; [x]
R3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
R3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
R3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
R3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
R3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
R3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
R3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
R3 sejt1;sejt1; [x]
R3 spuce1;spuce1; [x]
R3 UCEDRIVER53;UCEDRIVER53; [x]
R3 XDva011;XDva011; [x]
R3 XDva134;XDva134; [x]
R3 xp1;xp1; [x]
R3 zenx1;zenx1; [x]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{11d215f5-06fa-11dc-aabd-001111a24a93}]
\Shell\AutoRun\command - G:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{170d75a1-656c-11dc-ab08-001111a24a93}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6c53dc02-02c3-11db-a970-001111a24a93}]
\Shell\Auto\command - auto.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL auto.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7c5de0d4-d544-11dd-abd7-001111a24a93}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

BHO-{1213d0b5-4533-4d17-8925-2cffac441382} - c:\windows\system32\khfCrOgG.dll
HKLM-Run-LFAgent - (no file)
Notify-awtstjay - awtsTJay.dll


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &Download FLV by WinAVI... - c:\program files\WinAVI FLV Converter\flv_link.htm
IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm
IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71} -
DPF: {11A3221C-5A7A-4F0B-A71F-8139BDBAB504} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.ipop.co.kr/gom/GomWeb.cab
DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxps://secwebclinic.ahnlab.com/asp/cab/mkdplus.cab
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
FF - ProfilePath - c:\documents and settings\Phillip Yang\Application Data\Mozilla\Firefox\Profiles\p6tnwn8e.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-19 19:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\rootrepeal]
"ImagePath"="\??\c:\windows\system32\drivers\rootrepeal.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG08.00.00.01WORKSTATION"="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"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(736)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3380)
c:\program files\Xfire\xfire_toucan_36594.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\windows\system32\oodag.exe
c:\windows\system32\snmp.exe
c:\program files\McAfee\Common Framework\Mctray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-20 19:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 00:32

Pre-Run: 3,059,036,160 bytes free
Post-Run: 2,955,919,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

212 --- E O F --- 2009-03-21 02:20

DDS log


DDS (Ver_09-03-16.01) - NTFSx86
Run by Phillip Yang at 19:38:36.07 on Sun 04/19/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.845 [GMT -5:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Phillip Yang\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan enterprise\scriptcl.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - No File
BHO: gFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\progra~1\flashget\getflash.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\philli~1\startm~1\programs\startup\xfire.lnk - c:\program files\xfire\xfire.exe
IE: &Download FLV by WinAVI... - c:\program files\winavi flv converter\flv_link.htm
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - {EC83A912-7EF4-410D-9CC7-3BDAA709CA71}
DPF: {11A3221C-5A7A-4F0B-A71F-8139BDBAB504} - hxxp://login.hanbiton.com/cab/NLSnSSO.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202781344234
DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - hxxp://app.ipop.co.kr/gom/GomWeb.cab
DPF: {8ad9c840-044e-11d1-b3e9-00805f499d93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} - hxxps://secwebclinic.ahnlab.com/asp/cab/mkdplus.cab
DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} - hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {cafeefac-0016-0000-0013-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {cafeefac-ffff-ffff-ffff-abcdeffedcba} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\philli~1\applic~1\mozilla\firefox\profiles\p6tnwn8e.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (English)
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2007-10-16 31784]
R2 mcafeeframework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2009-4-4 103744]
R2 mcshield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2007-10-16 144704]
R2 mctaskmanager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2007-10-16 54608]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-8-23 24652]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2009-4-4 72680]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2009-4-4 33960]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2009-4-4 171272]
S1 56d3dab;56d3dab;c:\windows\system32\drivers\56d3dab.sys --> c:\windows\system32\drivers\56d3dab.sys [?]
S1 cmosa;cmosa; [x]
S2 LF30FS;LF30FS;\??\c:\program files\everstrike software\lock folder xp 3.6\lf30xp.sys --> c:\program files\everstrike software\lock folder xp 3.6\LF30XP.sys [?]
S3 CEDRIVER52;CEDRIVER52;\??\c:\program files\cheat engine\dbk32.sys --> c:\program files\cheat engine\dbk32.sys [?]
S3 cheetah1;cheetah1;\??\c:\cheetahengine\cheetah.sys --> c:\cheetahengine\cheetah.sys [?]
S3 DISK_DRIVE32;DISK_DRIVE32;\??\c:\program files\disk drove\disk_1024.sys --> c:\program files\disk drove\disk_1024.sys [?]
S3 Dua1;Dua1;\??\c:\program files\dual engine\dualengi.sys --> c:\program files\dual engine\DualEngi.sys [?]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-10-30 13352]
S3 KIKIDRIVER;KIKIDRIVER;\??\c:\kiki\kiki.sys --> c:\kiki\kiki.sys [?]
S3 KLIF;KLIF;\??\c:\progra~1\pctool~1\klif.sys --> c:\progra~1\pctool~1\KLIF.SYS [?]
S3 MzBot;MzBot;\??\c:\mzbot.sys --> c:\MzBot.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\sro bot\ntprocdrv.sys --> c:\sro bot\NtProcDrv.sys [?]
S3 NUBBER;NUBBER;\??\c:\program files\noob engine\nubbk32.sys --> c:\program files\noob engine\nubbk32.sys [?]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-10-30 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-10-30 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-10-30 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-10-30 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-10-30 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-10-30 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-10-30 115752]
S3 sejt1;sejt1;\??\c:\akumaengine33\sejt.sys --> c:\akumaengine33\sejt.sys [?]
S3 spuce1;spuce1;\??\c:\program files\spuce 2.0\spuce.sys --> c:\program files\spuce 2.0\spuce.sys [?]
S3 UCEDRIVER53;UCEDRIVER53;\??\c:\program files\ultimate hack pack\uce\cetc.sys --> c:\program files\ultimate hack pack\uce\cetc.sys [?]
S3 XDva011;XDva011;\??\c:\windows\system32\xdva011.sys --> c:\windows\system32\XDva011.sys [?]
S3 XDva134;XDva134;\??\c:\windows\system32\xdva134.sys --> c:\windows\system32\XDva134.sys [?]
S3 xp1;xp1;\??\c:\program files\xpengine\xp.sys --> c:\program files\xpengine\xp.sys [?]
S3 zenx1;zenx1;\??\c:\program files\zenxengine_latest\zenx.sys --> c:\program files\zenxengine_latest\zenx.sys [?]

=============== Created Last 30 ================

2009-04-19 19:20 <DIR> a-dshr-- C:\cmdcons
2009-04-19 19:19 161,792 a------- c:\windows\SWREG.exe
2009-04-19 19:19 98,816 a------- c:\windows\sed.exe
2009-04-19 19:09 0 a------- C:\backup.reg
2009-04-19 19:09 135,168 a------- C:\zip.exe
2009-04-19 19:09 19,286 a------- C:\cleanup.exe
2009-04-19 19:09 574 a------- C:\cleanup.bat
2009-04-14 17:57 216,064 ---shr-- c:\windows\system32\nbDX.dll
2009-04-14 17:57 54,784 ---shr-- c:\windows\system32\RLAPEDec.ax
2009-04-14 17:57 37,888 ---shr-- c:\windows\system32\RLMPCDec.ax
2009-04-14 17:57 31,232 ---shr-- c:\windows\system32\msfDX.dll
2009-04-14 17:57 227,328 ---shr-- c:\windows\system32\ac3DX.ax
2009-04-14 17:57 123,904 ---shr-- c:\windows\system32\AVCDX.ax
2009-04-14 17:56 <DIR> --d----- c:\program files\eRightSoft
2009-04-10 18:26 <DIR> --d----- c:\documents and settings\phillip yang\DoctorWeb
2009-04-10 18:23 41,808 a------- c:\windows\system32\xfcodec.dll
2009-04-10 10:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-04-10 10:17 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-04-10 00:22 578,560 ac------ c:\windows\system32\dllcache\user32.dll
2009-04-10 00:20 <DIR> --d----- c:\windows\ERUNT
2009-04-09 20:28 <DIR> --d----- c:\docume~1\philli~1\applic~1\Malwarebytes
2009-04-09 20:28 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-04-04 18:58 <DIR> --d----- C:\QUARANTINE
2009-04-04 18:52 1,495,552 a------- c:\windows\system32\epoPGPsdk.dll
2009-04-04 18:52 280 a------- c:\windows\system32\epoPGPsdk.dll.sig
2009-04-04 18:52 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-04-04 18:52 171,272 a------- c:\windows\system32\drivers\mfehidk.sys
2009-04-04 18:52 72,680 a------- c:\windows\system32\drivers\mfeavfk.sys
2009-04-04 18:52 64,168 a------- c:\windows\system32\drivers\mfeapfk.sys
2009-04-04 18:52 51,944 a------- c:\windows\system32\drivers\mfetdik.sys
2009-04-04 18:52 33,960 a------- c:\windows\system32\drivers\mfebopk.sys
2009-04-04 18:51 <DIR> --d----- c:\program files\McAfee
2009-04-04 18:51 <DIR> --d----- c:\program files\common files\McAfee
2009-04-04 10:27 108,336 a------- c:\windows\system32\mswinsck.ocx
2009-03-21 19:28 719,872 a------- c:\windows\system32\devil.dll
2009-03-21 19:28 318,976 a------- c:\windows\system32\avisynth.dll
2009-03-21 19:27 <DIR> --d----- c:\program files\AviSynth 2.5
2009-03-21 19:11 356,352 a------- c:\windows\eSellerateEngine.dll
2009-03-21 19:02 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\~0

==================== Find3M ====================

2009-03-30 19:08 43,656 a------- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-02-09 06:13 1,846,784 a------- c:\windows\system32\win32k.sys
2008-07-19 23:16 22,328 a------- c:\docume~1\philli~1\applic~1\PnkBstrK.sys
2006-05-03 05:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2007-02-21 06:47 31,232 ---shr-- c:\windows\system32\msfDX.dll
2008-03-16 08:30 216,064 ---shr-- c:\windows\system32\nbDX.dll

============= FINISH: 19:39:11.47 ===============


Thanks.

Inserted copy of Attach.txt ~ Maurice Naggar

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/20/2005 5:21:57 PM
System Uptime: 4/19/2009 7:24:27 PM (0 hours ago)

Motherboard: Dell Inc. | | 0U7077
Processor: Intel® Pentium® 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 51 GiB total, 2.778 GiB free.
D: is CDROM (CDFS)
E: is CDROM (CDFS)
F: is FIXED (NTFS) - 98 GiB total, 12.226 GiB free.

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP886: 4/4/2009 10:54:36 AM - System Checkpoint
RP887: 4/4/2009 10:54:36 AM - Installed Compatibility Pack for the 2007 Office system
RP888: 4/4/2009 10:54:36 AM - Software Distribution Service 3.0
RP889: 4/4/2009 10:54:36 AM - System Checkpoint
RP890: 4/4/2009 10:54:36 AM - System Checkpoint
RP891: 4/4/2009 10:54:36 AM - System Checkpoint
RP892: 4/4/2009 10:54:36 AM - Installed GiPo@FileUtilities 3.2
RP893: 4/4/2009 10:54:36 AM - Removed GiPo@FileUtilities 3.2
RP894: 4/4/2009 10:54:36 AM - Software Distribution Service 3.0
RP895: 4/4/2009 10:54:36 AM - System Checkpoint
RP896: 4/4/2009 10:54:36 AM - System Checkpoint
RP897: 4/4/2009 10:54:36 AM - System Checkpoint
RP898: 4/4/2009 10:54:36 AM - System Checkpoint
RP899: 4/4/2009 10:54:37 AM - System Checkpoint
RP900: 4/4/2009 10:54:37 AM - System Checkpoint
RP901: 4/4/2009 10:54:37 AM - System Checkpoint
RP902: 4/4/2009 10:54:37 AM - System Checkpoint
RP903: 4/4/2009 10:54:37 AM - System Checkpoint
RP904: 4/4/2009 10:54:37 AM - Software Distribution Service 3.0
RP905: 4/4/2009 10:54:37 AM - System Checkpoint
RP906: 4/4/2009 10:54:37 AM - System Checkpoint
RP907: 4/4/2009 10:54:37 AM - System Checkpoint
RP908: 4/4/2009 10:54:37 AM - System Checkpoint
RP909: 4/4/2009 10:54:37 AM - System Checkpoint
RP910: 4/4/2009 10:54:37 AM - Installed Age of Empires III
RP911: 4/4/2009 10:54:37 AM - System Checkpoint
RP912: 4/4/2009 10:54:37 AM - System Checkpoint
RP913: 4/4/2009 10:54:37 AM - Software Distribution Service 3.0
RP914: 4/4/2009 10:54:37 AM - System Checkpoint
RP915: 4/4/2009 10:54:37 AM - System Checkpoint
RP916: 4/4/2009 10:54:37 AM - System Checkpoint
RP917: 4/4/2009 10:54:37 AM - System Checkpoint
RP918: 4/4/2009 10:54:37 AM - Software Distribution Service 3.0
RP919: 4/4/2009 10:54:37 AM - System Checkpoint
RP920: 4/4/2009 10:54:37 AM - System Checkpoint
RP921: 4/4/2009 10:54:37 AM - System Checkpoint
RP922: 4/4/2009 10:54:37 AM - System Checkpoint
RP923: 4/4/2009 10:54:37 AM - System Checkpoint
RP924: 4/4/2009 10:54:37 AM - System Checkpoint
RP925: 4/4/2009 10:54:37 AM - System Checkpoint
RP926: 4/4/2009 10:54:37 AM - Software Distribution Service 3.0
RP927: 4/4/2009 10:54:37 AM - System Checkpoint
RP928: 4/4/2009 10:54:37 AM - System Checkpoint
RP929: 4/4/2009 10:54:37 AM - System Checkpoint
RP930: 4/4/2009 10:54:37 AM - System Checkpoint
RP931: 4/4/2009 10:54:37 AM - System Checkpoint
RP932: 4/4/2009 10:54:37 AM - System Checkpoint
RP933: 4/4/2009 10:54:37 AM - System Checkpoint
RP934: 4/4/2009 10:54:37 AM - System Checkpoint
RP935: 4/4/2009 10:54:37 AM - System Checkpoint
RP936: 4/4/2009 10:54:37 AM - System Checkpoint
RP937: 4/4/2009 10:54:37 AM - System Checkpoint
RP938: 4/4/2009 10:54:37 AM - System Checkpoint
RP939: 4/4/2009 10:54:37 AM - System Checkpoint
RP940: 4/4/2009 10:54:38 AM - Last known good configuration
RP941: 4/4/2009 10:54:38 AM - Restore Operation
RP942: 4/4/2009 6:52:01 PM - Installed McAfee VirusScan Enterprise
RP943: 4/4/2009 7:53:16 PM - Removed Ad-Aware SE Personal
RP944: 4/5/2009 10:03:27 PM - System Checkpoint
RP945: 4/6/2009 6:52:14 PM - Installed Java™ 6 Update 13
RP946: 4/7/2009 11:19:15 PM - System Checkpoint
RP947: 4/9/2009 12:47:50 AM - System Checkpoint
RP948: 4/10/2009 1:03:36 AM - System Checkpoint
RP949: 4/10/2009 10:17:28 AM - Installed SUPERAntiSpyware Free Edition
RP950: 4/12/2009 2:35:40 AM - System Checkpoint
RP951: 4/13/2009 3:08:33 AM - System Checkpoint
RP952: 4/14/2009 3:44:34 AM - System Checkpoint
RP953: 4/15/2009 8:50:42 AM - System Checkpoint
RP954: 4/16/2009 9:08:39 AM - System Checkpoint
RP955: 4/17/2009 9:44:33 AM - System Checkpoint
RP956: 4/18/2009 10:20:33 AM - System Checkpoint
RP957: 4/19/2009 10:44:28 AM - System Checkpoint
RP958: 4/19/2009 5:28:05 PM - Removed SUPERAntiSpyware Free Edition
RP959: 4/19/2009 7:19:54 PM - ComboFix created restore point

==== Installed Programs ======================

AC Tool
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Photoshop CS
Adobe Reader 8.1.3
Adobe Shockwave Player 11
Age of Empires III
AOL Instant Messenger
Apple Software Update
ATI - Software Uninstall Utility
ATI Display Driver
AutoUpdate
Avanquest update
BitComet 0.70
BitTorrent 5.0.9
Broadcom Gigabit Integrated Controller
Cheat Engine 5.4
Compatibility Pack for the 2007 Office system
Counter-Strike
Counter-Strike: Source
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN Vision M Series
Critical Update for Windows Media Player 11 (KB959772)
Dell Driver Reset Tool
Direct Show Ogg Vorbis Filter (remove only)
DivX
DivX Player
DivX Web Player
Envy Ragnarok Online
FlashGet(JetCar)
Fraps (remove only)
Guild Wars
Gunbound Revolution
hla v1.82
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
ijji
ijji Auto Installer
Insurgency
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java™ 6 Update 13
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
Left 4 Dead
Macromedia Flash Player 8
Macromedia Shockwave Player
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AppLocale
Microsoft Calculator Plus
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Application Compatibility Database
Mozilla Firefox (3.0.8)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
O&O Defrag Professional Edition
Ragnarok Online
RealPlayer
Rhapsody Player Engine
Roxio Drag-to-Disc
Ruff-Rose V789
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sony Ericsson PC Suite 4.010.00
SoundMAX
Source SDK Base
Starcraft
Steam™
SUPER © Version 2009.bld.35 (Jan 5, 2009)
Team Fortress 2
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Service
Ventrilo Client
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Warcraft III: All Products
WebFldrs XP
Winamp
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix - KB895316
Windows Media Player 11
Windows XP Service Pack 3
WinPcap 3.1
WinRAR archiver
World of Goo
Xfire (remove only)
ZENcast Organizer

==== Event Viewer Messages From Past Week ========

4/19/2009 7:26:19 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
4/19/2009 7:26:19 PM, error: Service Control Manager [7000] - The IMAPI CD-Burning COM Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
4/19/2009 7:13:51 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
4/19/2009 7:13:19 PM, error: Service Control Manager [7000] - The LF30FS service failed to start due to the following error: The system cannot find the path specified.
4/19/2009 7:13:02 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
4/19/2009 5:28:43 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
4/19/2009 5:28:14 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
4/19/2009 5:22:26 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/18/2009 7:31:28 PM, error: Service Control Manager [7028] - The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.
4/18/2009 12:53:57 PM, error: Service Control Manager [7034] - The McAfee McShield service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================

Edited by Maurice Naggar, 19 April 2009 - 09:53 PM.


#6 Maurice Naggar (Malware Response Team)

Posted 19 April 2009 - 10:08 PM

Hello Phillip,

2 rootkit drivers were removed in the last pass, which is good progress:

Driver "gaopdxserv.sys" deleted successfully.
Driver "ovfsthdsmwaslartpevgethqmyoffbtqdyfdbk" deleted successfully.


We are going to use Avenger once more to look for potential malware hideouts.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in between the **** stars **** to the clipboard by highlighting it and then pressing Ctrl+C.
    *******************************************************
    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler
    i:\recycler

    *******************************************************
  • In the Avenger window, click the Paste Script from Clipboard icon.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.
Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.
If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description, and then reboot the system again.

Start your MBAM.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.
At this time, the current definitions are # 2009 or later. The latest program version is 1.36 (released April 6)

When done, click the Scanner tab.
Do a Quick Scan.

I believe you already have the GMER tool from before.
  • Double-click Gmer.exe to run the program.
  • When the program opens, click the >>> Tab
  • On the right-side, check all the items to be scanned, but leave "Show All" unchecked
  • Select all drives that are connected to your system to be scanned
  • Click the Scan button
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Save the gmer scan log and post it in your next reply.
  • Close Gmer
  • Open a command prompt (Start | run |type cmd and hit Enter)
  • Type or paste the following to unload the Gmer driver:
    • net stop gmer
  • Hit Enter
  • Exit the command prompt.
Please reply with a copy of the contents of C:\Avenger.txt, the MBAM scan log, and the last Gmer scan log, and advise: how is your system now?

Be sure to do a Preview prior to pressing Submit because all reports may not fit into 1 single reply. You'll likely have to do more than 1 reply.
Do NOT place the logs as attachments, but copy them in-line. Thank you.

Edited by Maurice Naggar, 19 April 2009 - 10:11 PM.

~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#7 phillipypy (Topic Starter)

Posted 20 April 2009 - 09:06 PM

Hey,
When I put the script into The Avenger and hit Execute I get this message: "It appears that The Avenger has already been queued for execution on next reboot. It is strongly recommended to reboot and allow pending operations to complete before executing another script. Are you sure you want to continue?"

So I hit No and it asked me "Do you want to reboot now?" So I hit Yes. Then when it was rebooting, my computer got stuck on the Saving Settings screen, which made me think: the first time I ran The Avenger it also got stuck on the Saving Settings screen, so I just manually rebooted it. So I waited 10 minutes and it was still on that screen, so I manually rebooted and tried to run The Avenger again, and I get the same first error message again.

What should I do?
Thanks.

#8 Maurice Naggar (Malware Response Team)

Posted 20 April 2009 - 10:36 PM

Close Avenger if it is running. Logoff and restart the system, for a new fresh start. Repeat that one more time.
Now, proceed with my last stated steps.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#9 phillipypy (Topic Starter)

Posted 21 April 2009 - 05:59 PM

Now it's happening even if I don't run The Avenger.
When I try to restart or shut down my computer, it always gets stuck at Saving Settings.
So I have to hold the power button or unplug my computer.

#10 Maurice Naggar (Malware Response Team)

Posted 22 April 2009 - 07:59 PM

Let's stop trying to run anything. Have you restarted the system and do you have a steady, stable normal mode Windows running ?
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#11 phillipypy (Topic Starter)

Posted 22 April 2009 - 10:59 PM

To restart my computer, I have to either hold the power button or pull the plug.
My Windows seems fine. The only problems I have now are that my computer is running very slowly and I get redirected to various websites when I look things up on Google. Those are the only problems that are sticking out right now.


EDIT.
I'll be gone from April 24 to April 26. Thanks.

Edited by phillipypy, 23 April 2009 - 09:56 PM.


#12 Maurice Naggar (Malware Response Team)

Posted 24 April 2009 - 06:07 AM

At your next opportunity, do the following.
Locate the exe for MalwareBytes AntiMalware, mbam.exe, and rename it to some unique name, Alpha.exe.
Start your Alpha {MBAM}.
Click the Settings Tab. Make sure all option lines have a checkmark.
Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

Next, Download the latest version of HijackThis Installer

Save the HJT Installer to your desktop or the folder of your choice, then navigate to that folder and double-click HJTInstall.exe to start the installation.

When the Trend Micro HJT install box appears, click Install.

HijackThis (HJT) will be installed in the C:\Program Files\Trend Micro\HijackThis folder by default and a desktop shortcut will be created.

In the HijackThis folder, Rename "hijackthis.exe" to Bravo.exe
Now, run Bravo and do a Scan and Save log.

Reply with a copy of the MBAM scan log, and the log from HijackThis.

Tell me if the browser hijacks are happening in Internet Explorer, or Firefox, or some other browser.
As long as you get browser hijacks, do not try to use your browser to surf the net, please.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#13 phillipypy (Topic Starter)

Posted 26 April 2009 - 05:38 PM

Hey,
Here's the mbam scan

Malwarebytes' Anti-Malware 1.36
Database version: 2046
Windows 5.1.2600 Service Pack 3

4/26/2009 5:35:57 PM
mbam-log-2009-04-26 (17-35-57).txt

Scan type: Quick Scan
Objects scanned: 85339
Time elapsed: 5 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here's the Hijackthis log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:01 PM, on 4/26/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\oodag.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\bravo.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: CitiUSBrowserHelper Class - {387EDF53-1CF2-4523-BC2F-13462651BE8C} - C:\WINDOWS\system32\BhoCitUS.dll
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe
O8 - Extra context menu item: &Download FLV by WinAVI... - C:\Program Files\WinAVI FLV Converter\flv_link.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: WinAVI FLV Manager - {DE365254-2F9B-4908-9E3A-7AAA6EC90BCC} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [java_sun] Java (Sun)
O16 - DPF: {11A3221C-5A7A-4F0B-A71F-8139BDBAB504} (NlsComm Component Class) - http://login.hanbiton.com/cab/NLSnSSO.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1202781344234
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - http://app.ipop.co.kr/gom/GomWeb.cab
O16 - DPF: {A1D886C6-4039-4451-97A9-515F5BE5D4C2} (mkdplusCtrl Class) - https://secwebclinic.ahnlab.com/asp/cab/mkdplus.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownlo...GPlugin9USA.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (javaquickstarterservice) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (mcafeeframework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (mcshield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (mctaskmanager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Roxio UPnP Renderer 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe (file missing)
O23 - Service: Roxio Upnp Server 9 - Unknown owner - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe (file missing)
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8926 bytes


Thanks.
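As an added example (not part of this thread, and not code from HijackThis or Malwarebytes), here is a small Python triage script that parses lines in the shape of the HijackThis log above and flags the entries a helper looks at first: orphaned "(no file)" / "(file missing)" items, ActiveX controls (O16/DPF) downloaded from hosts outside an assumed expected list, a changed start/search page, and a proxy setting. The sample lines and the expected-host list are constructed assumptions for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of a HijackThis v2 log section; the
# non-Microsoft cab host below is a placeholder, not a real site.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = :
O2 - BHO: scriptproxy - {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\\Program Files\\McAfee\\VirusScan Enterprise\\scriptcl.dll
O2 - BHO: WinAVI FLVSense - {E8DF67A1-B618-4F3F-9E7C-CBE175ADEF5B} - (no file)
O4 - HKLM\\..\\Run: [WinampAgent] "C:\\Program Files\\Winamp\\winampa.exe"
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/muweb_site.cab
O16 - DPF: {7606693A-C18D-4567-AF85-6194FF70761E} - http://downloads.example.invalid/GomWeb.cab
O23 - Service: stllssvr - Unknown owner - C:\\Program Files\\Common Files\\SureThing Shared\\stllssvr.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
# Hosts treated as expected for ActiveX (O16/DPF) downloads and IE pages in
# this demo; an assumption for illustration, not a vendor allow-list.
EXPECTED_HOST_SUFFIXES = ("microsoft.com",)
EXPECTED_PAGE_VALUES = ("about:blank",)


def _host_ok(url, suffixes):
    host = urlparse(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def flags_for(code, body):
    """Return the triage flags that apply to one parsed log line."""
    flags = []
    # Any section: the registry entry points at a file that no longer exists.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        flags.append("orphaned-entry")
    if code in ("R0", "R1"):
        key, _, value = body.partition(" = ")
        value = value.strip()
        if "ProxyServer" in key:
            if value not in ("", ":"):          # a proxy configured in IE
                flags.append("proxy-set")
        elif value not in EXPECTED_PAGE_VALUES and not _host_ok(value, EXPECTED_HOST_SUFFIXES):
            flags.append("unexpected-page")     # start/search page changed
    elif code == "O16":
        url = body.rsplit(" - ", 1)[-1]         # the .cab download URL
        if not _host_ok(url, EXPECTED_HOST_SUFFIXES):
            flags.append("third-party-activex")
    elif code == "O23" and "Unknown owner" in body:
        flags.append("unknown-owner")           # unsigned / unattributed service
    return flags


def triage(log_text):
    """Parse a HijackThis-style log and return only the lines worth a second look."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        flags = flags_for(m.group("code"), m.group("body"))
        if flags:
            findings.append({"code": m.group("code"), "body": m.group("body"), "flags": flags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["code"], ", ".join(f["flags"]), "->", f["body"][:70])
```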

#14 Maurice Naggar (Malware Response Team)

Posted 26 April 2009 - 06:08 PM

Please download GooredFix and save it to your Desktop.
Now double-click Goored.exe on your Desktop to run it.
Select 2. Fix Goored by typing 2 and pressing Enter. Make sure all instances of Firefox are closed at this point. Type y at the prompt and press Enter again.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).

Reply with a copy of Goored.txt, and let me know if there's any more browser hijacks.
The last logs you posted are fine.
~Maurice Naggar
MS-MVP (Oct 2002 - Sept 2010)

#15 phillipypy (Topic Starter)

Posted 26 April 2009 - 06:40 PM

Oh awesome, it seems like there's no more browser hijacks.
Thanks!
Here's the log.

GooredFix v1.92 by jpshortstuff
Log created at 18:39 on 26/04/2009 running Option #2 (Phillip Yang)
Firefox version 3.0.9 (en-US)

=====Goored Deletions=====
C:\Program Files\Mozilla Firefox\extensions\{23252203-86BA-43B4-82C0-1410ABEC8CAF}
->Backing up folder... Done.
->Emptying folder... Done.
->Deleting folder... Done.

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.9\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"
