virtumonde virus :[


50 replies to this topic

#1 darrickshin

  • Members
  • 31 posts

Posted 27 April 2009 - 10:01 PM

I've had several problems that I hope you guys can help me fix. First off, when I start my computer... it bleeps once. (I don't know if that's anything bad... but since the website is called bleepingcomputer... I thought it probably did.) When I log on, I get several popups saying that some randomly named process was denied access. I am also constantly bombarded by popup ads, and when I check my process list, I see IEXPLORER.EXE (all caps) and I don't use Internet Explorer at all. Additionally, when I end that process, it just comes back eventually.

I have tried using various spyware removal programs such as spyware search & destroy and AVG free edition; they detect the problem, but "fixing" doesn't actually work.

sooo please help me :]


DDS (Ver_09-03-16.01) - NTFSx86
Run by com at 19:35:50.12 on Mon 04/27/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.87 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\com\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {3d753665-23d4-4348-9e61-9eea3171c1ba} - c:\windows\system32\bevozeti.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ooVoo Toolbar: {a057a204-bacc-4d26-8087-36ee87e26986} - c:\progra~1\oovoot~1\OOVOOT~1.DLL
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vohalezima] Rundll32.exe "c:\windows\system32\darunuwe.dll",s
mRun: [CPMc7997fd6] Rundll32.exe "c:\windows\system32\noyilole.dll",a
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\ c:\windows\system32\rigivika.dll c:\windows\system32\tobuvuzi.dll c:\windows\system32\tuhemoye.dll c:\windows\system32\biserano.dll c:\windows\system32\ c:\windows\system32\ c:\windows\system32\yolavore.dll c:\windows\system32\motatuwo.dll c:\windows\system32\noyilole.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\noyilole.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\noyilole.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
LSA: Notification Packages = scecli c:\windows\system32\vahuyayu.dll c:\windows\system32\tobuvuzi.dll c:\windows\system32\tuhemoye.dll c:\windows\system32\motatuwo.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\com\applic~1\mozilla\firefox\profiles\eo4s1in9.default\
FF - plugin: c:\documents and settings\com\application data\mozilla\firefox\profiles\eo4s1in9.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\com\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\drivers\CAMTHWDM.sys [2009-2-25 941784]
S3 AYDrvSP_ALYAC;AYDrvSP_ALYAC;c:\program files\estsoft\alyac\AYDrvSP.sys [2009-1-14 24312]
S3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\drivers\pfc027.sys [2009-1-19 112380]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-1-25 24652]

=============== Created Last 30 ================

2009-04-27 19:26 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-04-27 19:25 <DIR> --d----- c:\program files\Panda Security
2009-04-27 18:00 121 ---sh--- c:\windows\system32\uviludof.ini
2009-04-26 23:56 1,427,803 ---sh--- c:\windows\system32\odizehab.ini
2009-04-26 00:30 <DIR> --d----- c:\program files\BitPim
2009-04-25 22:46 22,912 a------- c:\windows\system32\drivers\lgusbmodem.sys
2009-04-25 22:46 21,248 a------- c:\windows\system32\drivers\lgusbdiag.sys
2009-04-25 22:46 12,672 a------- c:\windows\system32\drivers\lgusbbus.sys
2009-04-25 22:46 <DIR> --d----- c:\program files\LG Electronics
2009-04-23 17:36 17,536 a------- c:\windows\system32\drivers\grmn0200.sys
2009-04-23 17:36 17,024 a------- c:\windows\system32\drivers\grmngen.sys
2009-04-23 17:36 16,512 a------- c:\windows\system32\drivers\grmn0400.sys
2009-04-23 17:36 11,776 a------- c:\windows\system32\drivers\grmn1200.sys
2009-04-23 17:36 7,296 a------- c:\windows\system32\drivers\grmnusb.sys
2009-04-23 17:34 <DIR> --d----- C:\Garmin
2009-04-23 17:34 1,995 ---sh--- c:\windows\system32\zitosaba.exe
2009-04-23 17:34 1,995 ---sh--- c:\windows\system32\nasikaje.dll
2009-04-23 17:34 1,995 ---sh--- c:\windows\system32\gehotimi.dll
2009-04-16 19:25 19,488 a------- c:\windows\system32\AAWService_2009_04_16_19_25_17.dmp
2009-04-16 19:22 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-04-16 18:35 443 a------- c:\windows\wininit.ini
2009-04-16 17:45 10,520 -------- c:\windows\system32\avgrsstx.dll.install_backup
2009-04-16 17:26 1,409,808 ---sh--- c:\windows\system32\ebumefok.tmp
2009-04-16 17:22 <DIR> --d----- c:\program files\common files\INCA Shared
2009-04-16 17:17 3,416 a------- c:\windows\system32\PerfStringBackup.TMP
2009-04-11 17:31 <DIR> --d----- c:\docume~1\alluse~1\applic~1\WebcamMax

==================== Find3M ====================

2009-04-27 18:00 98,816 a--sh--- c:\windows\system32\fodulivu.dll
2009-04-27 18:00 104,960 a--sh--- c:\windows\system32\noyilole.dll
2009-04-27 18:00 59,904 a--sh--- c:\windows\system32\nepimari.exe
2009-04-26 23:56 67,584 a--sh--- c:\windows\system32\lerobido.dll
2009-04-26 23:56 97,792 a--sh--- c:\windows\system32\bahezido.dll
2009-04-26 23:56 105,984 a--sh--- c:\windows\system32\yejimoya.dll
2009-04-26 23:56 60,928 a--sh--- c:\windows\system32\yozuyosa.exe
2009-04-25 21:02 46,592 a--sh--- c:\windows\system32\peyuvaba.exe
2009-04-25 09:02 47,616 a--sh--- c:\windows\system32\mosowisi.exe
2009-04-21 23:27 47,104 a--sh--- c:\windows\system32\yovalono.exe
2009-03-21 14:42 3,120 a------- c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
2009-02-24 21:33 104,182 a------- c:\windows\hpoins04.dat
2009-02-15 00:10 410,984 a------- c:\windows\system32\deploytk.dll

============= FINISH: 19:38:01.82 ===============


thank you! :D

Attached Files
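As an added example (editor-supplied code, not something posted in this thread and not part of DDS or HijackThis), here is a small Python triage script that reads the DDS log format above and flags what a helper looks for in a Virtumonde log: randomly named DLLs/EXEs in system32 wired into AppInit_DLLs, LSA Notification Packages, SSODL, an unnamed BHO or a Rundll32 Run entry, cross-checked against file entries that carry the system+hidden attributes. The sample input is constructed from lines of the log above; the "eight lowercase letters in system32" rule is an assumption drawn from this log's naming scheme, not a general Virtumonde signature.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the DDS log above, plus one
# legitimate entry (deploytk.dll, Java) that has an 8-letter name but is not hidden.
SAMPLE_LOG = r"""
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {3d753665-23d4-4348-9e61-9eea3171c1ba} - c:\windows\system32\bevozeti.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [vohalezima] Rundll32.exe "c:\windows\system32\darunuwe.dll",s
mRun: [CPMc7997fd6] Rundll32.exe "c:\windows\system32\noyilole.dll",a
AppInit_DLLs: c:\windows\system32\ c:\windows\system32\rigivika.dll c:\windows\system32\tobuvuzi.dll c:\windows\system32\noyilole.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\noyilole.dll
LSA: Notification Packages = scecli c:\windows\system32\vahuyayu.dll c:\windows\system32\motatuwo.dll
2009-04-27 18:00 104,960 a--sh--- c:\windows\system32\noyilole.dll
2009-04-23 17:34 1,995 ---sh--- c:\windows\system32\zitosaba.exe
2009-02-15 00:10 410,984 a------- c:\windows\system32\deploytk.dll
"""

# Load points this family abuses in the DDS "Pseudo HJT Report"; each regex
# captures the part of the line that holds the path(s).
LOAD_POINTS = [
    ("AppInit_DLLs", re.compile(r"^AppInit_DLLs:\s*(.*)$")),
    ("LSA Notification Packages", re.compile(r"^LSA: Notification Packages = (.*)$")),
    ("SSODL", re.compile(r"^SSODL: .* - (.*)$")),
    ("STS", re.compile(r"^STS: .* - (.*)$")),
    ("BHO", re.compile(r"^BHO: .* - (.*)$")),
    ("Run via Rundll32", re.compile(r'^[um]Run: \[[^\]]+\] Rundll32\.exe "([^"]+)"', re.I)),
]
# A drive path ending in .dll/.exe; spaces are allowed inside a path unless they
# start a new drive spec (AppInit_DLLs is a space-separated list).
PATH_RE = re.compile(r'[a-z]:\\(?:[^\s,"]|\s(?![a-z]:\\))+?\.(?:dll|exe)', re.I)
# Heuristic (assumption from this log): eight lowercase letters directly in system32.
RANDOM_NAME_RE = re.compile(r"\\system32\\[a-z]{8}\.(?:dll|exe)$")
# DDS file entry: date time size attrs path, e.g. "2009-04-27 18:00 104,960 a--sh--- c:\...".
FILE_ENTRY_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+[\d,]+\s+([a-z-]{8})\s+(\S.*)$")


def looks_random(path):
    return RANDOM_NAME_RE.search(path.lower()) is not None


def triage_log(log_text):
    """Return (hits, hidden): hits maps each random-named system32 binary to the
    sorted load points referencing it; hidden lists random-named files whose DDS
    attributes include both 's' (system) and 'h' (hidden)."""
    hits, hidden = defaultdict(set), set()
    for line in log_text.splitlines():
        line = line.strip()
        m = FILE_ENTRY_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2).lower()
            if "s" in attrs and "h" in attrs and looks_random(path):
                hidden.add(path)
            continue
        for load_point, pat in LOAD_POINTS:
            m = pat.match(line)
            if m:
                for path in PATH_RE.findall(m.group(1)):
                    if looks_random(path):
                        hits[path.lower()].add(load_point)
                break
    return {p: sorted(lp) for p, lp in sorted(hits.items())}, sorted(hidden)


def report(log_text):
    """One line per suspicious file, noting whether the file attributes corroborate the load point."""
    hits, hidden = triage_log(log_text)
    lines = []
    for path, points in hits.items():
        tag = "HIDDEN+SYSTEM" if path in hidden else "load point only"
        lines.append(f"{path}  <- {', '.join(points)}  [{tag}]")
    for path in hidden:
        if path not in hits:
            lines.append(f"{path}  <- hidden+system file, no load point seen")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

On the sample, noyilole.dll comes out referenced from three load points and hidden+system, which is why the helper targets it first; deploytk.dll satisfies the name rule but is flagged by neither signal. Treat a single heuristic hit as a lead to check, not a verdict.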





#2 fenzodahl512

  • Members
  • 6,738 posts

Posted 28 April 2009 - 03:50 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.
Link 1
Link 2
Link 3
Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 28 April 2009 - 03:50 PM

First of all THANK YOU!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:42 PM, on 4/28/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: ooVoo Toolbar - {A057A204-BACC-4D26-8087-36EE87E26986} - C:\PROGRA~1\OOVOOT~1\OOVOOT~1.DLL
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 3878 bytes

ComboFix 09-04-27.05 - com 04/28/2009 13:17.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.511.272 [GMT -7:00]
Running from: c:\documents and settings\com\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\avazayor.ini
c:\windows\system32\bahezido.dll
c:\windows\system32\bevozeti.dll
c:\windows\system32\darunuwe.dll
c:\windows\system32\fodulivu.dll
c:\windows\system32\gehotimi.dll
c:\windows\system32\lerobido.dll
c:\windows\system32\logapaju.dll
c:\windows\system32\motatuwo.dll
c:\windows\system32\nasikaje.dll
c:\windows\system32\noyilole.dll
c:\windows\system32\odizehab.ini
c:\windows\system32\royazava.dll
c:\windows\system32\uviludof.ini
c:\windows\system32\yejimoya.dll
c:\windows\system32\zitosaba.exe

----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 02:26 . 2008-06-19 23:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-28 02:25 . 2009-04-28 02:25 -------- d-----w c:\program files\Panda Security
2009-04-26 07:30 . 2009-04-26 07:30 -------- d-----w c:\program files\BitPim
2009-04-26 05:46 . 2007-04-09 16:53 12672 ----a-w c:\windows\system32\drivers\lgusbbus.sys
2009-04-26 05:46 . 2007-04-09 16:56 21248 ----a-w c:\windows\system32\drivers\lgusbdiag.sys
2009-04-26 05:46 . 2007-04-09 16:55 22912 ----a-w c:\windows\system32\drivers\lgusbmodem.sys
2009-04-26 05:46 . 2009-04-26 05:46 -------- d-----w c:\program files\LG Electronics
2009-04-24 00:56 . 2009-04-24 00:56 -------- d-----w c:\documents and settings\com\Local Settings\Application Data\Help
2009-04-24 00:36 . 2006-07-11 19:50 11776 ----a-w c:\windows\system32\drivers\grmn1200.sys
2009-04-24 00:36 . 2006-04-11 19:51 16512 ----a-w c:\windows\system32\drivers\grmn0400.sys
2009-04-24 00:36 . 2006-02-20 18:25 17536 ----a-w c:\windows\system32\drivers\grmn0200.sys
2009-04-24 00:36 . 2003-09-23 14:42 17024 ----a-w c:\windows\system32\drivers\grmngen.sys
2009-04-24 00:36 . 2003-09-23 14:42 7296 ----a-w c:\windows\system32\drivers\grmnusb.sys
2009-04-24 00:34 . 2009-04-25 01:02 -------- d-----w C:\Garmin
2009-04-17 02:22 . 2009-04-25 19:29 -------- d--h--w C:\$AVG8.VAULT$
2009-04-17 00:48 . 2009-04-21 02:00 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-17 00:22 . 2009-04-17 00:22 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
2009-04-17 00:22 . 2009-04-17 00:22 -------- d-----w c:\documents and settings\com\Application Data\DivX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 02:03 . 2009-02-14 06:55 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-28 02:02 . 2009-02-25 06:44 -------- d-----w c:\program files\ManyCam 2.3
2009-04-28 01:00 . 2009-01-28 01:00 59904 --sha-w c:\windows\system32\nepimari.exe
2009-04-27 06:56 . 2009-01-27 06:56 60928 --sha-w c:\windows\system32\yozuyosa.exe
2009-04-26 05:46 . 2009-01-07 23:05 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-26 04:02 . 2009-01-26 04:02 46592 --sha-w c:\windows\system32\peyuvaba.exe
2009-04-25 16:02 . 2009-01-25 16:02 47616 --sha-w c:\windows\system32\mosowisi.exe
2009-04-22 06:27 . 2009-01-22 06:27 47104 --sha-w c:\windows\system32\yovalono.exe
2009-04-17 00:26 . 2009-04-17 00:26 1409808 --sh--w c:\windows\system32\ebumefok.tmp
2009-04-17 00:22 . 2009-03-21 21:42 -------- d-----w c:\program files\AARONS CLIKER
2009-04-17 00:22 . 2009-04-17 00:22 -------- d-----w c:\program files\Common Files\INCA Shared
2009-04-17 00:22 . 2009-03-15 09:09 -------- d-----w c:\program files\Sol Edit
2009-04-17 00:22 . 2009-02-22 23:32 -------- d-----w c:\program files\FrostWire
2009-04-17 00:21 . 2009-03-08 03:03 -------- d-----w c:\program files\DivX
2009-04-17 00:17 . 2009-04-17 00:17 3416 ----a-w c:\windows\system32\PerfStringBackup.TMP
2009-04-12 00:31 . 2009-02-25 07:21 -------- d-----w c:\program files\WebcamMax
2009-03-21 21:42 . 2009-03-21 21:42 3120 ----a-w c:\windows\system32\2d2ca2ce-704a-428c-8cbe-0736b29190aa.dll
2009-03-15 20:20 . 2009-02-23 19:02 -------- d-----w c:\program files\Incomplete
2009-02-25 04:33 . 2009-02-14 08:23 104182 ----a-w c:\windows\hpoins04.dat
2009-02-24 03:05 . 2009-02-24 03:05 0 ----a-w c:\windows\nsreg.dat
2009-02-18 02:36 . 2009-02-18 02:36 126 ----a-w c:\documents and settings\com\Local Settings\Application Data\fusioncache.dat
2009-02-15 07:10 . 2009-02-15 07:10 410984 ----a-w c:\windows\system32\deploytk.dll
2009-02-01 08:15 . 2009-01-11 03:06 75032 ----a-w c:\documents and settings\com\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-01-27 06:55 . 2009-01-27 06:55 67072 --sha-w c:\windows\system32\palozora.dll.tmp
2009-01-27 06:55 . 2009-01-27 06:55 67072 --sha-w c:\windows\system32\ronufepa.dll.tmp
2009-01-27 06:55 . 2009-01-27 06:55 67072 --sha-w c:\windows\system32\wodezoga.dll.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2006-02-28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2006-02-28 158208]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"RichVideo"=2 (0x2)
"MDM"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"ALYac_PZSrv"=2 (0x2)
"Bonjour Service"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\com\\Application Data\\Microsoft\\Installer\\{1D896BB2-9A72-41AE-A63A-A0BB6BC85409}\\MapleStory.exe1_B5557BF94A5A402290AB812015E360B0.exe"=
"c:\\Program Files\\ooVoo\\ooVoo.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675

R3 AYDrvSP_ALYAC;AYDrvSP_ALYAC;c:\program files\ESTsoft\ALYac\AYDrvSP.sys [2008-12-19 24312]
R3 CIF USB CAMERA Service;CIF USB CAMERA;c:\windows\system32\DRIVERS\pfc027.sys [2003-09-18 112380]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S2 CAMTHWDM;WebcamMax, WDM Video Capture;c:\windows\system32\DRIVERS\CAMTHWDM.sys [2008-03-11 941784]

.
Contents of the 'Scheduled Tasks' folder

2009-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]

2009-04-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-854245398-1708537768-682003330-1004.job
- c:\documents and settings\com\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-13 07:42]
.
- - - - ORPHANS REMOVED - - - -

BHO-{3d753665-23d4-4348-9e61-9eea3171c1ba} - c:\windows\system32\bevozeti.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\com\Application Data\Mozilla\Firefox\Profiles\eo4s1in9.default\
FF - plugin: c:\documents and settings\com\Application Data\Mozilla\Firefox\Profiles\eo4s1in9.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\documents and settings\com\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 13:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(616)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\nexon\MapleStory\npkcmsvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-04-28 13:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 20:23

Pre-Run: 226,970,697,728 bytes free
Post-Run: 227,072,528,384 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

189 --- E O F --- 2009-02-25 22:00
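Beyond the deleted files, the ComboFix log above records the state of the machine's own defences: Windows Firewall off (EnableFirewall=0), Security Center update notifications silenced (UpdatesDisableNotify=1, the item MBAM later reverts), a firewall exception for an executable under the user's Application Data, and a BITS job that ComboFix lists under "Possible infected sites". As an added example (editor-supplied, not code from this thread or from ComboFix), the script below parses the "Reg Loading Points" block and the BITS section of a ComboFix log and reports those findings. The sample input is constructed from lines of the log above; the list of roots under which a firewall exception is considered unremarkable is an assumption for this example.

```python
import re

# Constructed sample: lines copied from the ComboFix log above (REGEDIT4-style
# double-backslash escaping kept as ComboFix prints it), trimmed to the sections read here.
SAMPLE_COMBOFIX = r"""
----- BITS: Possible infected sites -----

hxxp://82.98.235.205
.
(((( Reg Loading Points ))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Documents and Settings\\com\\Application Data\\Microsoft\\Installer\\{1D896BB2-9A72-41AE-A63A-A0BB6BC85409}\\MapleStory.exe1_B5557BF94A5A402290AB812015E360B0.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
BITS_URL_RE = re.compile(r"^hxxps?://\S+$")   # ComboFix defangs http as hxxp

# Assumption for this example: exceptions under these roots are not reported.
TRUSTED_ROOTS = ("%windir%\\", "%programfiles%\\", "c:\\windows\\", "c:\\program files\\")


def parse_combofix(text):
    """Return ({section_lower: {value_name: raw_value}}, [bits_urls])."""
    sections, bits, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip()
            continue
        if BITS_URL_RE.match(line):
            bits.append(line)
    return sections, bits


def as_int(raw):
    """Normalise the two integer spellings ComboFix uses: 'dword:00000001' and '0 (0x0)'."""
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    head = raw.split(" ", 1)[0]
    return int(head) if head.isdigit() else None


def audit(text):
    """List (category, detail) findings about weakened defences, in log order."""
    sections, bits = parse_combofix(text)
    findings = [("bits", url) for url in bits]
    for sect, values in sections.items():
        if sect.endswith("security center"):
            for name in ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"):
                if as_int(values.get(name, "")) == 1:
                    findings.append(("security-center", name))
        elif sect.endswith("firewallpolicy\\standardprofile"):
            if as_int(values.get("EnableFirewall", "")) == 0:
                findings.append(("firewall", "EnableFirewall=0"))
        elif sect.endswith("authorizedapplications\\list"):
            for name in values:
                path = name.replace("\\\\", "\\").lower()   # undo REGEDIT4 escaping
                if not path.startswith(TRUSTED_ROOTS):
                    findings.append(("firewall-exception", path))
        elif sect.endswith("globallyopenports\\list"):
            for name, raw in values.items():
                parts = raw.split(":")                       # port:proto:scope:state:label
                if len(parts) >= 4 and parts[3].lower() == "enabled":
                    findings.append(("open-port", name))
    return findings


if __name__ == "__main__":
    for category, detail in audit(SAMPLE_COMBOFIX):
        print(f"{category:20} {detail}")
```

The MapleStory entry it reports lives under Application Data\Microsoft\Installer\{ProductCode}, which is where Windows Installer caches per-product icon files, so it is most likely an installer artifact rather than malware; the point of the check is that anything outside Program Files or Windows with a firewall exception deserves a look. The ooVoo ports are all marked Disabled, so they produce no finding.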

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 29 April 2009 - 01:05 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.bleepingcomputer.com/forums/index.php?showtopic=222813&view=findpost&p=1242516

KillAll::

Collect::
c:\windows\system32\nepimari.exe
c:\windows\system32\yozuyosa.exe
c:\windows\system32\peyuvaba.exe
c:\windows\system32\mosowisi.exe
c:\windows\system32\yovalono.exe
c:\windows\system32\ebumefok.tmp
c:\windows\system32\palozora.dll.tmp
c:\windows\system32\ronufepa.dll.tmp
c:\windows\system32\wodezoga.dll.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-8087-36EE87E26986}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
  • Simply follow the instructions to copy/paste/send the requested file.
Note::
If Combofix fails to upload the file, please find C:\Qoobox\Quarantined Files\Submit(Time and date here).zip and upload it at this site



#5 darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 29 April 2009 - 04:30 PM

Thanks again! here they are.

Attached Files



#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 29 April 2009 - 04:45 PM

Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.




Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic


Post these logs in your next reply..

1. Malwarebytes'
2. ESET Online
3. How's the computer now?



#7 darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 29 April 2009 - 11:33 PM

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 2

4/29/2009 6:44:12 PM
mbam-log-2009-04-29 (18-44-12).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 166142
Time elapsed: 14 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=4044 (20090430)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=bd647d287f763c4aa388b660498dfc9f
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-04-30 04:12:07
# local_time=2009-04-29 09:12:07 (-0800, Pacific Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=341673
# found=10
# scan_time=2292
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip multiple infiltrations (deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip »ZIP »ebumefok.tmp Win32/Adware.Virtumonde.NEO~datafile application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip »ZIP »mosowisi.exe Win32/Qhost.NJG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip »ZIP »palozora.dll.tmp Win32/Adware.Virtumonde.NEK application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip »ZIP »peyuvaba.exe Win32/Qhost.NJG trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip »ZIP »ronufepa.dll.tmp Win32/Adware.Virtumonde.NEK application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\[4]-Submit_2009-4-29_14.9.12.zip »ZIP »wodezoga.dll.tmp Win32/Adware.Virtumonde.NEK application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\avazayor.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\odizehab.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000
C:\Qoobox\Quarantine\C\WINDOWS\system32\uviludof.ini.vir Win32/Adware.Virtumonde.NEO~datafile application (unable to clean - deleted) 00000000000000000000000000000000

Thank you very much. My computer is a lot faster. No popups. No bleeping. Internet browsing is faster. My Google Chrome is fixed (it wouldn't load pages).

I was also hoping you could help me fix my sister's computer. Hers is a lot more messed up than mine (it's slow, it has a lot of viruses, etc.).

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 05:09 AM

Do you mean another, different computer?.. Do this with your computer..

Please download OTCleanIt and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes

And for the other computer (your sister's), do the below...


Please download The Comedian.exe to your desktop
  • Double click the program to run it. It will only take several minutes to run.
  • It will do a series of tasks and tell you when each one is finished.
  • You will be prompted to press any key after each step
  • When it is done it will close and exit itself automatically.
  • You can delete The_Comedian.exe once it is finished



NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop. <<mirror>>
If you see a "random" name, just leave it.. If you see "GMER", please rename GMER to GAMERS
  • Open the renamed program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run, click Copy and paste the results into Notepad >> save it and attach it in this thread.
IMPORTANT: Do NOT run any program while you are doing these scans as it may interfere with the output results



Post these logs in your next reply.. Post each log in a separate post..

1. Malwarebytes'
2. RSIT log.txt
3. RSIT info.txt
4. Attach GMER result..



#9 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 30 April 2009 - 05:10 AM

edited.. double posted

Edited by fenzodahl512, 30 April 2009 - 05:11 AM.



#10 darrickshin

darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 30 April 2009 - 10:53 PM

My computer is doing fine now! :D

My sister's computer, on the other hand, is doing horribly (it restarts randomly and sometimes freezes randomly after a click and a bleep).

P.S. I don't have the XP CD and I haven't used this computer in a while (because it wouldn't start).

Well, here's the stuff for my sister's computer :]


Malwarebytes' Anti-Malware 1.36
Database version: 2062
Windows 5.1.2600 Service Pack 2

4/30/2009 7:24:55 PM
mbam-log-2009-04-30 (19-24-55).txt

Scan type: Full Scan (A:\|C:\|F:\|G:\|)
Objects scanned: 139661
Time elapsed: 29 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\cp1041.nls (Trojan.Spambot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\runtime (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_RUNTIME (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\cp1041.nls (Trojan.Spambot) -> Delete on reboot.
C:\WINDOWS\system32\5_exception.nls (Trojan.Tibs) -> Quarantined and deleted successfully.

Edited by darrickshin, 30 April 2009 - 10:57 PM.


#11 darrickshin

darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 30 April 2009 - 10:54 PM

info.txt logfile of random's system information tool 1.06 2009-04-30 19:31:32

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Personal-->C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 7.0 Professional - English, Francais, Deutsch-->msiexec /I {AC76BA86-1033-F400-7760-000000000002}
Adobe Illustrator CS-->RunDll32 "C:\Program Files\Common Files\InstallShield\Professional\RunTime\0701\Intel32\ctor.dll",LaunchSetup "C:\Program Files\InstallShield Installation Information\{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}\setup.exe"
Adobe Photoshop CS-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.8-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70500000002}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Ahead Nero Burning ROM-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
AIM 6-->C:\Program Files\AIM6\uninst.exe
AIM Toolbar-->C:\Program Files\AIM Toolbar\uninstall.exe
ALZip-->"C:\Program Files\ALZip\unins000.exe"
AOL Instant Messenger-->C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update-->MsiExec.exe /I{02DFF6B1-1654-411C-8D7B-FD6052EF016F}
Bonjour-->MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
DVD Region-Free 1.32 Release-->"C:\Program Files\DVD Region-Free\unins000.exe"
ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"
ESET Online Scanner-->C:\WINDOWS\system32\OnlineScannerUninstaller.exe
Hangul 2005-->MsiExec.exe /I{1858ACA2-BA20-4D38-8177-EDBEFF031DB0}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
HP Mouse-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{235C3A50-559F-4CAA-BAC3-4CC9ABF51976}\setup.exe" -l0x9 -removeonly
InterActual Player-->C:\Program Files\InterActual\InterActual Player\inuninst.exe
iTunes-->MsiExec.exe /I{EF6C4600-306D-4F6A-A119-C2A877D25B4A}
Java 2 Runtime Environment, SE v1.4.1_01-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1666FA7C-CB5F-11D6-A78C-00B0D079AF64}\setup.exe" Anytext
Java Web Start-->"C:\Program Files\Java Web Start\uninst-javaws.exe"
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft Bootvis-->MsiExec.exe /I{0F9196C6-58B4-445B-B56E-B1200FECC151}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Works 7.0-->MsiExec.exe /I{764D06D8-D8DE-411E-A1C8-D9E9380F8A84}
Movie Maker Sound Effects-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mmsounds.inf,DefaultUninstall
Mozilla Firefox (2.0.0.4)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Plus! MP3 Audio Converter LE-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\audcle.inf,DefaultUninstall
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{08CA9554-B5FE-4313-938F-D4A417B81175}
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\SETUP.exe" -l0x9 REMOVE
SBS 툴바 삭제-->C:\WINDOWS\SBSUnin.exe
Security Update for Windows Media Player (KB911564)-->"C:\WINDOWS\$NtUninstallKB911564$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows XP (KB883939)-->"C:\WINDOWS\$NtUninstallKB883939$\spuninst\spuninst.exe"
Security Update for Windows XP (KB890046)-->"C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Security Update for Windows XP (KB893756)-->"C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896358)-->"C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896422)-->"C:\WINDOWS\$NtUninstallKB896422$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896423)-->"C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896424)-->"C:\WINDOWS\$NtUninstallKB896424$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896428)-->"C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Security Update for Windows XP (KB896688)-->"C:\WINDOWS\$NtUninstallKB896688$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899587)-->"C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899588)-->"C:\WINDOWS\$NtUninstallKB899588$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899589)-->"C:\WINDOWS\$NtUninstallKB899589$\spuninst\spuninst.exe"
Security Update for Windows XP (KB899591)-->"C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Security Update for Windows XP (KB900725)-->"C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901017)-->"C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901190)-->"C:\WINDOWS\$NtUninstallKB901190$\spuninst\spuninst.exe"
Security Update for Windows XP (KB901214)-->"C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB902400)-->"C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Security Update for Windows XP (KB903235)-->"C:\WINDOWS\$NtUninstallKB903235$\spuninst\spuninst.exe"
Security Update for Windows XP (KB904706)-->"C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905414)-->"C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905749)-->"C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Security Update for Windows XP (KB905915)-->"C:\WINDOWS\$NtUninstallKB905915$\spuninst\spuninst.exe"
Security Update for Windows XP (KB908519)-->"C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Security Update for Windows XP (KB911927)-->"C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Security Update for Windows XP (KB912919)-->"C:\WINDOWS\$NtUninstallKB912919$\spuninst\spuninst.exe"
Security Update for Windows XP (KB913446)-->"C:\WINDOWS\$NtUninstallKB913446$\spuninst\spuninst.exe"
Smart Update Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1424D162-C162-11D4-AE6E-00105A877C32}\Setup.exe" -l0x9
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy 1.3-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Update for Windows XP (KB894391)-->"C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Update for Windows XP (KB896727)-->"C:\WINDOWS\$NtUninstallKB896727$\spuninst\spuninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB910437)-->"C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
V3Pro 2004-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{733BC948-3BFA-48E3-B7FF-0A2ACDED0EBE} /l1042
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Winamp (remove only)-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Bonus Pack for Windows XP-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmbonus.inf,DefaultUninstall
Windows Media Format Runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Player 10-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player Playlist Import to Excel Wizard-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mpxlswiz.inf,DefaultUninstall
Windows Media Player Skin Importer-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\wa2wmp.inf,DefaultUninstall
Windows Media Player Tray Control-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\mpxptray.inf,DefaultUninstall
Windows XP Hotfix - KB873333-->C:\WINDOWS\$NtUninstallKB873333$\spuninst\spuninst.exe
Windows XP Hotfix - KB873339-->C:\WINDOWS\$NtUninstallKB873339$\spuninst\spuninst.exe
Windows XP Hotfix - KB885250-->C:\WINDOWS\$NtUninstallKB885250$\spuninst\spuninst.exe
Windows XP Hotfix - KB885835-->C:\WINDOWS\$NtUninstallKB885835$\spuninst\spuninst.exe
Windows XP Hotfix - KB885836-->C:\WINDOWS\$NtUninstallKB885836$\spuninst\spuninst.exe
Windows XP Hotfix - KB886185-->C:\WINDOWS\$NtUninstallKB886185$\spuninst\spuninst.exe
Windows XP Hotfix - KB887472-->C:\WINDOWS\$NtUninstallKB887472$\spuninst\spuninst.exe
Windows XP Hotfix - KB887742-->C:\WINDOWS\$NtUninstallKB887742$\spuninst\spuninst.exe
Windows XP Hotfix - KB888113-->C:\WINDOWS\$NtUninstallKB888113$\spuninst\spuninst.exe
Windows XP Hotfix - KB888302-->C:\WINDOWS\$NtUninstallKB888302$\spuninst\spuninst.exe
Windows XP Hotfix - KB890175-->C:\WINDOWS\$NtUninstallKB890175$\spuninst\spuninst.exe
Windows XP Hotfix - KB890859-->"C:\WINDOWS\$NtUninstallKB890859$\spuninst\spuninst.exe"
Windows XP Hotfix - KB890923-->"C:\WINDOWS\$NtUninstallKB890923$\spuninst\spuninst.exe"
Windows XP Hotfix - KB891781-->C:\WINDOWS\$NtUninstallKB891781$\spuninst\spuninst.exe
Windows XP Hotfix - KB893066-->"C:\WINDOWS\$NtUninstallKB893066$\spuninst\spuninst.exe"
Windows XP Hotfix - KB893086-->"C:\WINDOWS\$NtUninstallKB893086$\spuninst\spuninst.exe"
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
다잡아 - AD Spider 제거-->"C:\WINDOWS\IFinst27.exe" -UC:\Program Files\ADSPider\IFU84.inf

======Security center information======

AV: V3Pro 2004 (outdated)

======System event log======

Computer Name: EUNICE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 16047
Source Name: DCOM
Time Written: 20090429152815.000000-420
Event Type: error
User: EUNICE\XP

Computer Name: EUNICE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 16023
Source Name: DCOM
Time Written: 20090429152523.000000-420
Event Type: error
User: EUNICE\XP

Computer Name: EUNICE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 16022
Source Name: DCOM
Time Written: 20090429152522.000000-420
Event Type: error
User: EUNICE\XP

Computer Name: EUNICE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 15998
Source Name: DCOM
Time Written: 20090429152104.000000-420
Event Type: error
User: EUNICE\XP

Computer Name: EUNICE
Event Code: 10005
Message: DCOM got error "%1058" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 15997
Source Name: DCOM
Time Written: 20090429152102.000000-420
Event Type: error
User: EUNICE\XP

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\ALZip;C:\Program Files\QuickTime\QTSystem
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"CLASSPATH"=.;C:\Program Files\Java\j2re1.4.1_01\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\j2re1.4.1_01\lib\ext\QTJava.zip

-----------------EOF-----------------

#12 darrickshin

darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 30 April 2009 - 10:56 PM

Gmer

Attached Files

  • Attached File: GMER.txt (11.75KB)


#13 darrickshin

darrickshin
  • Topic Starter

  • Members
  • 31 posts

Posted 30 April 2009 - 10:57 PM

Logfile of random's system information tool 1.06 (written by random/random)
Run by XP at 2009-04-30 19:29:52
Microsoft Windows XP Professional Service Pack 2
System drive C: has 20 GB (51%) free of 39 GB
Total RAM: 255 MB (13% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:31:27 PM, on 4/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\XP\Desktop\RSIT.exe
C:\Program Files\trend micro\XP.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: 같은 서버의 모든 이미지 차단 - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: 광고 차단 목록에 추가 - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: 선택한 문장 강조 - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: 선택한 문장 검색 - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: 이 페이지의 모든 링크 열기 - C:\Program Files\Avant Browser\OpenAllLinks.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/download...ne_Inst_Win.cab
O16 - DPF: {4E52C32F-C143-4963-A758-2DB07703CB49} (YahooCS Class) - http://kr.memo.yahoo.com/CAB/YahooWCS.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - Winlogon Notify: asnt3 - C:\WINDOWS\SYSTEM32\AsntDll.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ahnlab Task Scheduler - AhnLab, Inc. - C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MonSvcNT - AhnLab, Inc. - C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6428 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 63128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2004-05-12 744960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
{40D41A8B-D79B-43d7-99A7-9EE0F344C385} - AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll [2005-05-14 172032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=C:\Program Files\AIM6\aim6.exe [2008-06-19 50528]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\-322102134.exe]
C:\WINDOWS\system32\-322102134.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AHNSD]
C:\Program Files\Ahnlab\Smart Update Utility\AhnSD.exe [2007-02-27 190144]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe [2005-08-05 67160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DropBoxUtility]
C:\Program Files\DropBox\DropBox\DropBox.exe /s []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HncUpdate]
C:\WINDOWS\system32\HncUpdate.exe [2004-11-01 241664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-03 208952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2008-07-10 289064]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\metalistfragatom]
C:\Documents and Settings\All Users\Application Data\beep tray meta list\BikeTime.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\overtoolsupdate]
C:\PROGRA~1\SBSToolBar\patch.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2002-08-28 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE [2002-08-28 455168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\popdent]
C:\DOCUME~1\XP\APPLIC~1\BOWSPO~1\Fordmailreadme.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMonitor]
C:\WINDOWS\1903cr.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Smapp]
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe [2003-05-05 143360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spoolsvv]
C:\WINDOWS\system32\spoolsvv.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfAccuracy]
C:\Program Files\SurfAccuracy\SAcc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsHive]
C:\WINDOWS\system32\rpcc.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-000000000002}\SC_Acrobat.exe [2005-04-23 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [2003-09-18 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE [2005-09-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NewShortcut1.lnk]
C:\PROGRA~1\HP\HPMOUS~1\panel.exe [2004-12-17 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^XP^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
C:\PROGRA~1\LimeWire\LimeWire.exe -startup []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2
"SoundMAX Agent Service (default)"=2
"ATI Smart"=2
"Ati HotKey Poller"=2

C:\Documents and Settings\XP\Start Menu\Programs\Startup
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\asnt3]
C:\WINDOWS\system32\AsntDll.dll [2005-12-25 45056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"=C:\Program Files\DVD Region-Free\DVDShell.dll [2002-12-11 40960]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\AIM6\aim6.exe"="C:\Program Files\AIM6\aim6.exe:*:Enabled:aim6"
"C:\WINDOWS\Explorer.EXE"="C:\WINDOWS\Explorer.EXE:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b12a2d28-9308-11dc-b1ec-0050bf963842}]
shell\AutoRun\command - D:\LaunchU3.exe -a


======List of files/folders created in the last 3 months======

2009-04-30 19:29:54 ----D---- C:\Program Files\trend micro
2009-04-30 19:29:52 ----D---- C:\rsit
2009-04-30 18:50:53 ----D---- C:\Program Files\ERUNT
2009-04-29 21:01:12 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-29 20:50:49 ----D---- C:\Program Files\CCleaner
2009-04-29 19:14:01 ----D---- C:\Program Files\EsetOnlineScanner
2009-04-29 18:07:52 ----D---- C:\Documents and Settings\XP\Application Data\Malwarebytes
2009-04-29 18:07:37 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-04-29 18:07:36 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-04-29 16:32:29 ----SHD---- C:\Config.Msi
2009-04-29 15:45:57 ----SHD---- C:\RECYCLER
2009-04-29 15:45:10 ----A---- C:\ComboFix.txt
2009-04-29 15:31:53 ----A---- C:\WINDOWS\zip.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\vFind.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\SWXCACLS.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\SWSC.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\SWREG.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\sed.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\NIRCMD.exe
2009-04-29 15:31:53 ----A---- C:\WINDOWS\grep.exe
2009-04-29 15:31:20 ----D---- C:\WINDOWS\ERDNT
2009-04-29 15:29:17 ----D---- C:\Qoobox

======List of files/folders modified in the last 3 months======

2009-04-30 19:30:07 ----D---- C:\WINDOWS\Prefetch
2009-04-30 19:29:54 ----AD---- C:\Program Files
2009-04-30 19:29:03 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-30 19:28:58 ----D---- C:\WINDOWS\system32\drivers
2009-04-30 19:28:39 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-30 19:28:35 ----D---- C:\WINDOWS\Temp
2009-04-30 19:28:00 ----D---- C:\WINDOWS
2009-04-30 19:27:01 ----AD---- C:\WINDOWS\system32
2009-04-30 19:25:43 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-04-29 20:54:13 ----D---- C:\WINDOWS\Minidump
2009-04-29 20:54:13 ----D---- C:\WINDOWS\Debug
2009-04-29 19:13:57 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-04-29 17:53:50 ----HD---- C:\WINDOWS\inf
2009-04-29 17:10:17 ----D---- C:\Program Files\Windows Media Player
2009-04-29 17:09:47 ----SHD---- C:\WINDOWS\Installer
2009-04-29 16:32:36 ----D---- C:\Program Files\Microsoft AntiSpyware
2009-04-29 16:31:53 ----D---- C:\WINDOWS\system32\ReinstallBackups
2009-04-29 16:31:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-29 16:31:49 ----D---- C:\Program Files\Intel
2009-04-29 16:30:29 ----D---- C:\Program Files\DropBox
2009-04-29 15:49:09 ----D---- C:\WINDOWS\WinSxS
2009-04-29 15:48:53 ----DC---- C:\WINDOWS\system32\DRVSTORE
2009-04-29 15:48:50 ----D---- C:\Program Files\Common Files
2009-04-29 15:40:36 ----A---- C:\WINDOWS\system.ini
2009-04-29 15:38:38 ----D---- C:\WINDOWS\system32\config
2009-04-29 15:36:06 ----D---- C:\WINDOWS\AppPatch

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AnfdTDnt;AnfdTDnt; \??\C:\WINDOWS\System32\drivers\AnfdTDnt.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]
R2 AnfdIont;AnfdIont; \??\C:\WINDOWS\System32\drivers\AnfdIont.sys []
R2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [1999-09-10 25244]
R2 STEC3;STEC3; \??\C:\WINDOWS\system32\STEC3.sys []
R2 V3NfeNt;V3NfeNt; \??\C:\Program Files\Ahnlab\V3\V3NfeNt.sys []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-03-31 4816]
R3 AhnFlt2K;AhnFlt2K; \??\C:\WINDOWS\System32\Drivers\AhnFlt2K.sys []
R3 AhnRec2K;AhnRec2K; \??\C:\WINDOWS\System32\Drivers\AhnRec2K.sys []
R3 GEARAspiWDM;GEAR CDRom Filter; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2008-01-29 16168]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-03 1897408]
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-08-29 578304]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 v3engine;v3engine; \??\C:\WINDOWS\System32\drivers\v3engine.sys []
R3 V3Flt2K;V3Flt2K; \??\C:\PROGRA~1\Ahnlab\V3\V3Flt2K.sys []
R3 V3IFt2K;V3IFt2K; \??\C:\PROGRA~1\Ahnlab\V3\V3IFt2K.sys []
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2004-08-03 36096]
S3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\AN983.sys [2005-01-13 39040]
S3 ApfIPXX;ApfIPXX; \??\C:\PROGRA~1\Ahnlab\V3\ApfIPXX.sys []
S3 Dot4;MS IEEE-1284.4 Driver; C:\WINDOWS\system32\DRIVERS\Dot4.sys [2004-08-03 207360]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys [2001-08-17 12928]
S3 Dot4Scan;Scan Class Driver for IEEE-1284.4; C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys [2001-08-17 8704]
S3 HidMouse;HidMouse; C:\WINDOWS\System32\Drivers\HidMouse.sys [2004-11-18 29184]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 Runtime;Runtime; \??\C:\WINDOWS\System32\drivers\runtime.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 V3IPXX;V3IPXX; \??\C:\PROGRA~1\Ahnlab\V3\V3IPXX.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ahnlab Task Scheduler;Ahnlab Task Scheduler; C:\Program Files\Ahnlab\Smart Update Utility\Ahnsdsv.exe [2007-02-10 169664]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 MonSvcNT;MonSvcNT; C:\PROGRA~1\Ahnlab\V3\MonSvcNT.exe [2006-06-08 131207]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2004-08-11 38912]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2005-04-23 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe [2003-02-20 32768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-10 532264]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
S4 Psbvhtst_dad;Psbvhtst_dad; C:\WINDOWS\system32\drivers\hidclass.sys [2004-08-03 36224]
S4 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]

-----------------EOF-----------------

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:59 AM

Posted 30 April 2009 - 11:38 PM

I see you ran ComboFix on this computer.. Find its log at C:\combofix.txt and post its content here..

Then do below..

Download this tool to desktop:

http://www2.gmer.net/mbr/mbr.exe

Double-click it and post the log it creates on the desktop (mbr.log).

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#15 darrickshin

darrickshin
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  •  
  • Local time:12:59 PM

Posted 01 May 2009 - 12:15 AM

Oh, I used it because I worked for this computer :]

ComboFix 09-04-29.01 - XP 9/2009 Wed 15:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.255.52 [GMT -7:00]
Running from: c:\documents and settings\XP\Desktop\ComboFix.exe
AV: V3Pro 2004 *On-access scanning disabled* (Outdated)
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - system32: deleted 81410 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\255223525.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\IE4 Error Log.txt
c:\windows\system32\1_exception.nls
c:\windows\system32\config\system~1\applic~1\install.dat
c:\windows\system32\config\system~1\Applic~1\Microsoft\20509.dat
c:\windows\system32\RunOnce3.t__
c:\windows\system32\RunOnce3.tm_
c:\windows\system32\sfxzmtwbmail.dll
c:\windows\system32\wsys.dll
c:\windows\system32\zup.exe.exe
C:\wmplayer.dll

----- BITS: Possible infected sites -----

hxxp://208.66.194.241
hxxp://67.18.114.98
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EXAMPLE
-------\Legacy_MICROSOFT_IEUPDATER22
-------\Legacy_NDNET1
-------\Legacy_NETDDEDSMA
-------\Legacy_NTLDR.SYS
-------\Legacy_RUNTIME
-------\Legacy_RUNTIME2
-------\Service_Microsoft IEUpdater22
-------\Service_runtime


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-05-15 19:34 . 2007-11-15 00:47 66672 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-05-15 19:34 . 2007-11-15 00:47 54376 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-05-15 19:34 . 2007-11-15 00:47 34952 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2007-05-15 19:34 . 2007-11-15 00:47 46720 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2007-05-15 19:34 . 2007-11-15 00:47 172144 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

------- Sigcheck -------

[-] 2002-08-29 10:41 516608 2246D8D8F4714A2CEDB21AB9B1849ABB c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2004-08-04 07:56 502272 01C3346C241652F43AED8E2149881BFE c:\windows\ServicePackFiles\i386\winlogon.exe
[-] 2007-04-17 03:14 502272 5FB172BF49CB698131CA4C502CB769DA c:\windows\system32\winlogon.exe

[-] 2002-08-29 09:09 167552 3B350E5A2A5E951453F3993275A4523A c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2004-08-04 06:14 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\ServicePackFiles\i386\ndis.sys
[-] 2007-04-12 06:05 281348 !MD5: COULD NOT OPEN FILE ! c:\windows\system32\drivers\ndis.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26FAFD75-1005-41F6-978D-178C00165C0B}]
2007-04-18 23:34 26694 ------w c:\windows\system32\ljjjkih.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-06-19 50528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVD Region-Free\DVDShell.dll" [2002-12-11 40960]
"{26FAFD75-1005-41F6-978D-178C00165C0B}"= "c:\windows\system32\ljjjkih.dll" [2007-04-18 26694]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\asnt3]
2005-12-25 07:26 45056 ----a-w c:\windows\system32\AsntDll.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjkih]
2007-04-18 23:34 26694 ------w c:\windows\system32\ljjjkih.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"MIDI1"= SYNCOR11.DLL

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NewShortcut1.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NewShortcut1.lnk
backup=c:\windows\pss\NewShortcut1.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^XP^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\XP\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"MDM"=2 (0x2)
"SoundMAX Agent Service (default)"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\AhnlabAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\explorer.exe"=

R3 AhnFlt2K;AhnFlt2K;c:\windows\System32\Drivers\AhnFlt2K.sys [2006-09-28 45824]
R3 AhnRec2K;AhnRec2K;c:\windows\System32\Drivers\AhnRec2K.sys [2005-02-15 13696]
R3 ApfIPXX;ApfIPXX;c:\progra~1\Ahnlab\V3\ApfIPXX.sys [2004-07-12 13227]
R3 HidMouse;HidMouse;c:\windows\system32\Drivers\HidMouse.sys [2004-11-18 29184]
R3 MonSvcNT;MonSvcNT;c:\progra~1\Ahnlab\V3\MonSvcNT.exe [2006-06-08 131207]
S1 AnfdTDnt;AnfdTDnt;c:\windows\System32\drivers\AnfdTDnt.sys [2006-09-12 73828]
S2 Ahnlab Task Scheduler;Ahnlab Task Scheduler;c:\program files\Ahnlab\Smart Update Utility\Ahnsdsv.exe [2007-02-10 169664]
S2 AnfdIont;AnfdIont;c:\windows\System32\drivers\AnfdIont.sys [2006-08-08 8292]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - RUNTIME
*Deregistered* - Runtime

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b12a2d28-9308-11dc-b1ec-0050bf963842}]
\Shell\AutoRun\command - D:\LaunchU3.exe -a
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-startdrv - c:\windows\Temp\startdrv.exe
Notify-AtiExtEvent - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: Add to AD Black List - c:\program files\Avant Browser\AddToADBlackList.htm
IE: Block All Images from the Same Server - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Highlight - c:\program files\Avant Browser\Highlight.htm
IE: Open All Links in This Page... - c:\program files\Avant Browser\OpenAllLinks.htm
IE: Search - c:\program files\Avant Browser\Search.htm
IE: 같은 서버의 모든 이미지 차단 - c:\program files\Avant Browser\AddAllToADBlackList.htm
IE: 광고 차단 목록에 추가 - c:\program files\Avant Browser\AddToADBlackList.htm
IE: 선택한 문장 강조 - c:\program files\Avant Browser\Highlight.htm
IE: 선택한 문장 검색 - c:\program files\Avant Browser\Search.htm
IE: 이 페이지의 모든 링크 열기 - c:\program files\Avant Browser\OpenAllLinks.htm
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\XP\Application Data\Mozilla\Firefox\Profiles\cequvxep.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 15:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

c:\program files\Internet Explorer\iexplore.exe [1232] 0xFEB69BD8

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\ws2_32.dll:fork2 23552 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-1757981266-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\ 줍??*8빳?*촳?
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Avant Browser\\Highlight.htm"
"Contexts"=dword:00000010

[HKEY_USERS\S-1-5-21-583907252-1757981266-725345543-1003\Software\Microsoft\Internet Explorer\MenuExt\ 줍??*8빳?*€??
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
@="c:\\Program Files\\Avant Browser\\Search.htm"
"Contexts"=dword:00000010
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(380)
c:\windows\system32\ole2.dll
c:\windows\system32\AsntDll.dll
c:\windows\system32\ljjjkih.dll

- - - - - - - > 'explorer.exe'(3796)
c:\cp1467.nls
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\conime.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
.
**************************************************************************
.
Completion time: 2009-04-29 15:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-29 22:45

Pre-Run: 19,945,082,880 bytes free
Post-Run: 20,220,739,584 bytes free

204

Edited by darrickshin, 01 May 2009 - 12:28 AM.
