Infected with Malware, but I'm not sure which

7 replies to this topic

#1 swordaddict


  • Members
  • 4 posts

Posted 14 July 2009 - 12:03 AM

I get redirected when searching with Google on Chrome, but also IE8 and Firefox. I also get pop-ups from the malware and other redirections when I'm using IE8. Another problem is my IE8 is messed up: the title at the top doesn't show and I can't access the toolbar or favorites. My Chrome and Firefox crash many times also. Other than these problems I get various errors while using my computer; however, I can't name them as it happens randomly and I can't reproduce it. Thank you for your time.

DDS (Ver_09-06-26.01) - NTFSx86
Run by HUY NGUYEN at 20:36:40.15 on Mon 07/13/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.848 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\AIM\AIM Pro\aimpro.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Documents and Settings\HUY NGUYEN\Local Settings\Temp\SIT41201.tmp\setup.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\HUY NGUYEN\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101760&l=dis
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {b3bbec83-8dcd-4ea0-bbd0-db8d6e06903d} - c:\windows\system32\sejutedi.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\documents and settings\huy nguyen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [Cognac] c:\docume~1\huyngu~1\locals~1\temp\b.exe
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [7492661a] rundll32.exe "c:\windows\system32\wazuloro.dll",b
mRun: [CPM77a15586] Rundll32.exe "c:\windows\system32\fehamito.dll",a
mRun: [jasunaribe] Rundll32.exe "c:\windows\system32\wemipipo.dll",s
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ucsd.edu\vpn
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://www.spgame.com.tw/xml_web_setup/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} -
AppInit_DLLs: c:\windows\system32\fubatuzo.dll c:\windows\system32\guvuvara.dll c:\windows\system32\fehamito.dll,c:\windows\system32\wafiguvu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fehamito.dll
STS: STS: {ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} - c:\windows\system32\fehamito.dll
SEH: {38101905-d80f-4788-96f6-986a8186178a} - c:\windows\system32\flashd32.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\guvuvara.dll c:\windows\system32\wafiguvu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\huyngu~1\applic~1\mozilla\firefox\profiles\3rvhwrib.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|http://www.yahoo.com/
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\huy nguyen\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\program files\byond\bin\npbyond.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-8 114768]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-15 201320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-8 138680]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-15 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-15 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-18 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-8 254040]
R3 KuirKbdFltr;KuirKbdFltr overlay support subsystem;c:\windows\system32\drivers\KuirKbdFltr.sys [2009-1-23 26144]
R3 KuirMouFltr;KuirMouFltr overlay support subsystem;c:\windows\system32\drivers\KuirMouFltr.sys [2009-1-23 23200]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-12-21 28672]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-15 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-15 40488]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-8 352920]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\huy nguyen\desktop\radical engine + me kernel\ilvmoney1236.sys --> c:\documents and settings\huy nguyen\desktop\radical engine + me kernel\IlvMoney1236.sys [?]
S3 IOIDDEV;IOIDDEV;c:\program files\survivalproject\config\ioid.sys [2009-4-14 13568]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [2009-5-16 20864]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-15 33832]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pcmstub;pcmstub;c:\windows\system32\pcmstub.sys [2004-8-4 2304]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [2008-12-25 3072]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2009-6-12 27904]

=============== Created Last 30 ================

2009-07-13 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-13 18:41 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-13 18:41 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-07-13 18:37 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-13 18:37 <DIR> --d----- c:\docume~1\huyngu~1\applic~1\DAEMON Tools Lite
2009-07-12 15:38 7,002 a------- c:\windows\wininit.ini
2009-07-12 14:24 0 a--sh--- c:\windows\system32\papewohu.dll
2009-07-12 14:24 0 a--sh--- c:\windows\system32\kewuvihe.dll
2009-07-12 14:24 0 a--sh--- c:\windows\jowudosu.dll
2009-07-12 14:24 0 a--sh--- c:\program files\vunazimu.dll
2009-07-12 14:24 0 a--sh--- c:\docume~1\alluse~1\applic~1\kusisepa.dll
2009-07-11 21:52 0 a------- c:\windows\system32\uactmp.db
2009-07-11 21:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-11 21:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-11 21:30 36,864 a------- c:\windows\system32\wiawow32.sys
2009-07-11 21:30 8 a------- c:\windows\system32\comsa32.sys
2009-07-11 21:30 40,960 ---shr-- c:\windows\system32\flashd32.dll
2009-07-11 21:19 1,110,399 a------- c:\windows\system32\UACapynsctpoyunnfkna.db
2009-07-11 21:19 310 a------- c:\windows\system32\UACtdlvvelkylpdmkldd.dat
2009-07-11 21:19 6,628 a------- c:\windows\system32\uacinit.dll
2009-06-29 12:26 <DIR> --d----- C:\spoolerlogs
2009-06-26 10:08 <DIR> --dsh--- C:\found.002
2009-06-25 00:03 <DIR> --d----- c:\program files\Wavefunction
2009-06-22 19:07 131 a------- c:\windows\EurekaLog.ini
2009-06-22 19:04 <DIR> --d----- c:\docume~1\huyngu~1\applic~1\Samsung
2009-06-22 18:49 174,592 a------- c:\windows\system32\framedyn.dll
2009-06-22 18:47 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-06-22 18:46 766 a------- c:\windows\system32\Uninstall.ico
2009-06-22 18:46 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-06-22 18:14 106,792 a------- c:\windows\system32\drivers\sscdmdm.sys
2009-06-22 18:14 80,552 a------- c:\windows\system32\drivers\sscdbus.sys
2009-06-22 18:14 11,944 a------- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdwh.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdcm.sys
2009-06-22 16:37 <DIR> --d----- c:\program files\SAMSUNG
2009-06-20 22:03 2,454 a------- c:\windows\system32\SKYNETvdktitgl.dat
2009-06-18 19:39 <DIR> --d----- c:\program files\Viewpoint

==================== Find3M ====================

2009-07-13 19:52 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-07-13 19:52 0 a------- c:\windows\system32\drivers\logiflt.iad
2009-07-11 08:10 50,176 a--sh--- c:\windows\system32\rewikupe.dll
2009-07-11 08:10 84,992 a--sh--- c:\windows\system32\fehamito.dll
2009-04-11 08:11 50,176 a--sh--- c:\windows\system32\sejutedi.dll
2009-04-11 08:11 50,176 a--sh--- c:\windows\system32\wafiguvu.dll
2009-04-11 08:11 50,176 a--sh--- c:\windows\system32\wemipipo.dll

============= FINISH: 20:39:21.54 ===============
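
Added example, not part of the thread or of the DDS tool: the Python script below applies the checks a malware-response helper makes when reading the Pseudo HJT and file-listing sections of a DDS log like the one above. It flags anything listed in AppInit_DLLs, any full path in LSA Notification Packages, hidden+system DLLs in the file listing, rundll32 autoruns that call a one-letter export, autoruns launched from a temp folder and BHOs with no display name, then cross-references every other entry against the DLLs those rules surfaced. The sample lines are copied from the log above; the rule names and heuristics are my own assumptions, not DDS output.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Sample lines copied from the DDS log posted above (a constructed subset that
# mixes legitimate entries with the ones MBAM later classified as malware).
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {b3bbec83-8dcd-4ea0-bbd0-db8d6e06903d} - c:\windows\system32\sejutedi.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Cognac] c:\docume~1\huyngu~1\locals~1\temp\b.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [7492661a] rundll32.exe "c:\windows\system32\wazuloro.dll",b
mRun: [CPM77a15586] Rundll32.exe "c:\windows\system32\fehamito.dll",a
AppInit_DLLs: c:\windows\system32\fubatuzo.dll c:\windows\system32\guvuvara.dll c:\windows\system32\fehamito.dll,c:\windows\system32\wafiguvu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fehamito.dll
SEH: {38101905-d80f-4788-96f6-986a8186178a} - c:\windows\system32\flashd32.dll
LSA: Notification Packages = scecli c:\windows\system32\guvuvara.dll c:\windows\system32\wafiguvu.dll
2009-07-13 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-13 18:37 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-12 14:24 0 a--sh--- c:\windows\system32\papewohu.dll
2009-07-11 21:30 40,960 ---shr-- c:\windows\system32\flashd32.dll
2009-07-11 08:10 84,992 a--sh--- c:\windows\system32\fehamito.dll
"""

WIN_PATH = re.compile(r'[a-z]:\\[^\s",]+', re.IGNORECASE)          # drive-letter paths (stop at space/comma/quote)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,\s*(\w+)', re.IGNORECASE)
FILE_ENTRY = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) ([a-z-]{8}) (.+)$')  # "Created Last 30" / Find3M rows


@dataclass
class Finding:
    rule: str   # hypothetical rule name, my own naming
    path: str   # the file the rule fired on
    line: str   # the log line it came from


def paths_in(line: str) -> list:
    return WIN_PATH.findall(line)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(log: str) -> list:
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    findings = []
    anchors = set()   # basenames of DLLs surfaced by the high-confidence rules
    seeded = set()    # indices of lines already judged in pass 1

    # Pass 1: locations that are empty on a clean XP install, plus hidden+system DLLs.
    for i, line in enumerate(lines):
        if line.startswith("AppInit_DLLs:"):
            seeded.add(i)
            for p in paths_in(line):
                findings.append(Finding("appinit_dll", p, line))
                anchors.add(basename(p))
        elif line.startswith("LSA: Notification Packages"):
            seeded.add(i)
            for p in paths_in(line):   # scecli is listed without a path; full paths are foreign
                findings.append(Finding("lsa_notification_dll", p, line))
                anchors.add(basename(p))
        else:
            m = FILE_ENTRY.match(line)
            if m:
                seeded.add(i)
                attrs, path = m.group(2), m.group(3)
                if "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                    findings.append(Finding("hidden_system_dll", path, line))
                    anchors.add(basename(path))

    # Pass 2: weaker per-line patterns, then cross-reference against pass-1 DLLs.
    for i, line in enumerate(lines):
        if i in seeded:
            continue
        paths = paths_in(line)
        if re.match(r"[um]Run:", line):
            m = RUNDLL.search(line)
            if m and len(m.group(2)) == 1:   # pattern seen in this log: rundll32 "x.dll",a
                findings.append(Finding("rundll32_one_letter_export", m.group(1), line))
            if re.search(r"\\temp\\", line, re.IGNORECASE):
                findings.append(Finding("run_from_temp", paths[0] if paths else "", line))
        elif line.startswith("BHO: {"):       # BHO registered with no display name
            findings.append(Finding("bho_without_name", paths[0] if paths else "", line))
        for p in paths:
            if basename(p) in anchors:
                findings.append(Finding("shares_dll_with_flagged_entry", p, line))
    return findings


def rule_counts(findings: list) -> dict:
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def flagged_files(findings: list) -> list:
    return sorted({basename(f.path) for f in findings if f.path})


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.rule:32} {basename(f.path):18} {f.line[:60]}")
```

Run over the full log above, the same rules also pick out wemipipo.dll (the third rundll32 autorun with a one-letter export); the MBAM log in reply #3 later classifies these same files as Trojan.Vundo.H and Spyware.Agent. The rules are a triage aid for deciding what a scan should confirm, not a replacement for it.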


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 July 2009 - 10:20 AM

Hi,

I notice from your log that there's more than 1 Antivirus installed. McAfee and Avast.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.


* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 swordaddict

  • Topic Starter

  • Members
  • 4 posts

Posted 14 July 2009 - 07:58 PM

Hello miekiemoes,

Thank you for the quick response and also for your time and assisting me to remove the malware.

Here is the MBAM log:

Malwarebytes' Anti-Malware 1.39
Database version: 2432
Windows 5.1.2600 Service Pack 2

7/14/2009 5:41:07 PM
mbam-log-2009-07-14 (17-41-07).txt

Scan type: Quick Scan
Objects scanned: 105042
Time elapsed: 10 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 19
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\flashd32.dll (Spyware.Agent) -> Delete on reboot.
c:\WINDOWS\system32\fehamito.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wafiguvu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wemipipo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b3bbec83-8dcd-4ea0-bbd0-db8d6e06903d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b3bbec83-8dcd-4ea0-bbd0-db8d6e06903d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{38101905-d80f-4788-96f6-986a8186178a} (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{40196867-19f8-7157-c097-ecaff653c9ad} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{500bca15-57a7-4eaf-8143-8c619470b13d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b3bbec83-8dcd-4ea0-bbd0-db8d6e06903d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dailybucks_install.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\pcmstub (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7492661a (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm77a15586 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jasunaribe (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{38101905-d80f-4788-96f6-986a8186178a} (Spyware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fehamito.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fehamito.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wafiguvu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\wafiguvu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wafiguvu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\fehamito.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wemipipo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sejutedi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flashd32.dll (Spyware.Agent) -> Delete on reboot.
C:\WINDOWS\system32\wafiguvu.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
c:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\rewikupe.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\wiawow32.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\kusisepa.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\vunazimu.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\SKYNETvdktitgl.dat (Trojan.Agent) -> Quarantined and deleted successfully.


Here is the HJT log:


DDS (Ver_09-06-26.01) - NTFSx86
Run by HUY NGUYEN at 17:53:17.14 on Tue 07/14/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1023 [GMT -7:00]

AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\RUNDLL32.EXE
svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Documents and Settings\HUY NGUYEN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HUY NGUYEN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\HUY NGUYEN\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HUY NGUYEN\My Documents\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com/?o=101760&l=dis
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - d:\progra~1\spybot~1\SDHelper.dll
BHO: Click-to-Call BHO: {5c255c8a-e604-49b4-9d64-90988571cecb} - c:\program files\windows live\messenger\wlchtc.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - d:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
uRun: [Google Update] "c:\documents and settings\huy nguyen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp /HIDEBL
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [SpybotSD TeaTimer] d:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
IE: Download all with Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\free download manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - d:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ucsd.edu\vpn
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {88D969C0-F192-11D4-A65F-0040963251E5} - hxxp://www.spgame.com.tw/xml_web_setup/msxml4.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} -
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} -
AppInit_DLLs: c:\windows\system32\fubatuzo.dll c:\windows\system32\guvuvara.dll ,
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\guvuvara.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\huyngu~1\applic~1\mozilla\firefox\profiles\3rvhwrib.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|http://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\huy nguyen\application data\mozilla\firefox\profiles\3rvhwrib.default\extensions\dttoolbar@toolbarnet.com\components\DTToolbarFF.dll
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\documents and settings\huy nguyen\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbyond.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: d:\program files\byond\bin\npbyond.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-8 114768]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-2-15 201320]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-5-8 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-5-8 138680]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-2-15 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-2-15 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-18 24652]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-5-8 254040]
R3 KuirKbdFltr;KuirKbdFltr overlay support subsystem;c:\windows\system32\drivers\KuirKbdFltr.sys [2009-1-23 26144]
R3 KuirMouFltr;KuirMouFltr overlay support subsystem;c:\windows\system32\drivers\KuirMouFltr.sys [2009-1-23 23200]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [2008-12-21 28672]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-2-15 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-2-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-2-15 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-2-15 40488]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-5-8 352920]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\huy nguyen\desktop\radical engine + me kernel\ilvmoney1236.sys --> c:\documents and settings\huy nguyen\desktop\radical engine + me kernel\IlvMoney1236.sys [?]
S3 IOIDDEV;IOIDDEV;c:\program files\survivalproject\config\ioid.sys [2009-4-14 13568]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [2009-5-16 20864]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-2-15 33832]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [2008-12-25 3072]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [2009-6-12 27904]

=============== Created Last 30 ================

2009-07-14 17:14 <DIR> --d----- c:\docume~1\huyngu~1\applic~1\Malwarebytes
2009-07-14 17:14 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-14 17:14 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-07-14 17:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-14 17:14 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-07-13 20:57 <DIR> --d----- C:\VundoFix Backups
2009-07-13 18:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\DAEMON Tools Lite
2009-07-13 18:41 <DIR> --d----- c:\program files\DAEMON Tools Toolbar
2009-07-13 18:41 <DIR> --d----- c:\program files\DAEMON Tools Lite
2009-07-13 18:37 721,904 a------- c:\windows\system32\drivers\sptd.sys
2009-07-13 18:37 <DIR> --d----- c:\docume~1\huyngu~1\applic~1\DAEMON Tools Lite
2009-07-12 15:38 7,002 a------- c:\windows\wininit.ini
2009-07-12 14:24 0 a--sh--- c:\windows\system32\papewohu.dll
2009-07-12 14:24 0 a--sh--- c:\windows\system32\kewuvihe.dll
2009-07-12 14:24 0 a--sh--- c:\windows\jowudosu.dll
2009-07-11 21:52 0 a------- c:\windows\system32\uactmp.db
2009-07-11 21:39 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-07-11 21:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-07-11 21:19 1,110,399 a------- c:\windows\system32\UACapynsctpoyunnfkna.db
2009-07-11 21:19 310 a------- c:\windows\system32\UACtdlvvelkylpdmkldd.dat
2009-06-29 12:26 <DIR> --d----- C:\spoolerlogs
2009-06-26 10:08 <DIR> --dsh--- C:\found.002
2009-06-25 00:03 <DIR> --d----- c:\program files\Wavefunction
2009-06-22 19:07 131 a------- c:\windows\EurekaLog.ini
2009-06-22 19:04 <DIR> --d----- c:\docume~1\huyngu~1\applic~1\Samsung
2009-06-22 18:49 174,592 a------- c:\windows\system32\framedyn.dll
2009-06-22 18:47 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-06-22 18:46 766 a------- c:\windows\system32\Uninstall.ico
2009-06-22 18:46 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-06-22 18:14 106,792 a------- c:\windows\system32\drivers\sscdmdm.sys
2009-06-22 18:14 80,552 a------- c:\windows\system32\drivers\sscdbus.sys
2009-06-22 18:14 11,944 a------- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdwh.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-22 18:14 9,256 a------- c:\windows\system32\drivers\sscdcm.sys
2009-06-22 16:37 <DIR> --d----- c:\program files\SAMSUNG
2009-06-18 19:39 <DIR> --d----- c:\program files\Viewpoint

==================== Find3M ====================

2009-07-14 17:42 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-07-14 17:42 0 a------- c:\windows\system32\drivers\logiflt.iad

============= FINISH: 17:54:34.31 ===============

Once again thank you for your time.


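The entries in the log above that a malware-removal helper reads first are the AppInit_DLLs value and the LSA Notification Packages entry pointing at randomly named DLLs in system32, the zero-byte hidden DLLs created on 2009-07-12, and drivers registered from a user's Desktop or pointing at files DDS could not find. The Python below is an added example for this page, not a BleepingComputer, DDS or ComboFix tool: it runs a handful of such triage rules over a constructed sample made of lines copied from the log plus a few benign entries. The rule names, the regexes and the XP defaults for the LSA package lists are the editor's assumptions; the output is a list of leads for a human to confirm, not a verdict.

```python
"""Triage heuristics for a DDS log ("Pseudo HJT Report", "Services / Drivers",
"Created Last 30" sections) of the kind posted in malware-removal threads.

Added example for this page; it is not a BleepingComputer, DDS or ComboFix
tool. Every rule below is an assumption about what a helper reads first and
yields a lead for a human to confirm, never a verdict.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: lines copied from the log above, plus benign entries
# (ctfmon, the avast! driver, the Malwarebytes driver) the rules must ignore.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
AppInit_DLLs: c:\windows\system32\fubatuzo.dll c:\windows\system32\guvuvara.dll ,
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli c:\windows\system32\guvuvara.dll
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-5-8 114768]
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\c:\documents and settings\huy nguyen\desktop\radical engine + me kernel\ilvmoney1236.sys --> c:\documents and settings\huy nguyen\desktop\radical engine + me kernel\IlvMoney1236.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
2009-07-14 17:14 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-12 14:24 0 a--sh--- c:\windows\system32\papewohu.dll
2009-07-12 14:24 0 a--sh--- c:\windows\jowudosu.dll
"""

# XP defaults for the two LSA package lists (assumption); anything else gets a look.
LSA_DEFAULT_AUTH = {"msv1_0"}
LSA_DEFAULT_NOTIFY = {"scecli"}

# "R1 name;display;path [date size]" style service/driver lines.
SERVICE = re.compile(r"^[RS]\d\s+([^;]+);[^;]*;(.+)$")
# "YYYY-MM-DD HH:MM size attrs path" lines from Created Last 30 (directories
# show <DIR> instead of a size and are deliberately not matched).
CREATED = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+([\d,]+)\s+([a-z-]{8})\s+(.+)$")
USER_PROFILE = re.compile(r"\\(documents and settings|docume~1|users)\\", re.I)
# Eight lowercase letters alternating consonant/vowel (fubatuzo, guvuvara,
# papewohu ...): the naming pattern of the DLLs in the log above. Heuristic only.
RANDOM_DLL = re.compile(r"(?:^|\\)(?:[b-df-hj-np-tv-z][aeiou]){4}\.dll$")


def _tokens(value: str) -> List[str]:
    """Split a space/comma separated registry value. AppInit_DLLs and the LSA
    package lists cannot hold paths containing spaces, so this is safe here."""
    return [t for t in re.split(r"[\s,]+", value) if t]


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per rule hit: {"rule", "line", "detail"}."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, line: str, detail: str) -> None:
        findings.append({"rule": rule, "line": line, "detail": detail})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("appinit_dlls:"):
            # Empty on a clean XP box; every DLL listed is loaded into every
            # process that links user32.dll, which is why it is abused.
            for dll in _tokens(line.split(":", 1)[1]):
                hit("appinit_dll", line, dll)
        elif low.startswith("lsa: authentication packages"):
            for pkg in _tokens(line.split("=", 1)[1]):
                if pkg.lower() not in LSA_DEFAULT_AUTH:
                    hit("lsa_auth_package", line, pkg)
        elif low.startswith("lsa: notification packages"):
            # LSA hands notification packages the cleartext password on every
            # password change; only scecli is present by default.
            for pkg in _tokens(line.split("=", 1)[1]):
                if pkg.lower() not in LSA_DEFAULT_NOTIFY:
                    hit("lsa_notify_package", line, pkg)
        else:
            m = SERVICE.match(line)
            if m:
                name, path = m.group(1), m.group(2)
                if USER_PROFILE.search(path):
                    hit("driver_in_user_profile", line, name)
                if path.endswith("[?]"):  # DDS marks a file it could not stat
                    hit("service_file_missing", line, name)
            m = CREATED.match(line)
            if m:
                size, attrs, path = m.groups()
                if size == "0" and "s" in attrs and "h" in attrs and path.lower().endswith(".dll"):
                    hit("zero_byte_hidden_dll", line, path)
        # The name-shape rule runs over every line, whatever its section.
        for tok in re.split(r"[\s,]+", line):
            if RANDOM_DLL.search(tok.lower()):
                hit("random_name_dll", line, tok)
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per rule, for a quick overview before reading each line."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:24} {f['detail']}")
```

On the sample, relog_ap is flagged only because it is not the XP default authentication package; a helper would check it against the software installed on the machine before acting on it, whereas a DLL that appears under both AppInit_DLLs and LSA Notification Packages with a zero-byte sibling of the same naming pattern is the kind of convergence that drives the next instruction in the thread.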
#4 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 July 2009 - 01:58 AM

Hi,

I see you have Viewpoint installed...
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


Extra note: the ComboFix tutorial recommends disabling your antivirus, in your case McAfee. For McAfee, I would rather recommend temporarily uninstalling it, because McAfee causes a lot of problems with ComboFix after the reboot, since McAfee re-enables itself after a reboot. So please temporarily uninstall McAfee first, then reboot, and then scan with ComboFix.

Edited by miekiemoes, 15 July 2009 - 01:58 AM.


#5 swordaddict (Topic Starter)

  • Members
  • 4 posts

Posted 15 July 2009 - 06:56 PM

Here is the ComboFix log. By the way, I also tried to install .NET Framework 1.1 yesterday, but it gave me an error; I'm not sure if it's due to a virus or not. I uninstalled my antivirus as requested, but I may have forgotten to reboot when I uninstalled it, so it might show up in the log.

ComboFix 09-07-14.08 - HUY NGUYEN 07/15/2009 16:36.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1094 [GMT -7:00]
Running from: c:\documents and settings\HUY NGUYEN\My Documents\Downloads\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090705-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\jowudosu.dll
c:\windows\system32\gibijayu.dll.tmp
c:\windows\system32\gijotoda.dll.tmp
c:\windows\system32\jobagiyu.dll.tmp
c:\windows\system32\kewuvihe.dll
c:\windows\system32\papewohu.dll
c:\windows\system32\UACapynsctpoyunnfkna.db
c:\windows\system32\UACtdlvvelkylpdmkldd.dat
c:\windows\system32\uactmp.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_ILVMONEYDRIVER53
-------\Legacy_PCMSTUB
-------\Legacy_UACD.SYS
-------\Service_IlvMoneyDRIVER53
-------\Service_SKYNETwupoaimo
-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-15 to 2009-07-15 )))))))))))))))))))))))))))))))
.

2009-07-15 04:22 . 2009-07-15 04:22 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-15 02:58 . 2009-07-15 03:00 -------- dc-h--w- c:\windows\ie8
2009-07-15 02:52 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-15 02:52 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-15 02:52 . 2009-04-30 21:22 1985024 -c----w- c:\windows\system32\dllcache\iertutil.dll
2009-07-15 02:52 . 2009-04-30 21:22 11064832 -c----w- c:\windows\system32\dllcache\ieframe.dll
2009-07-15 00:14 . 2009-07-15 00:14 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\Malwarebytes
2009-07-15 00:14 . 2009-07-13 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-15 00:14 . 2009-07-15 00:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-15 00:14 . 2009-07-13 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-15 00:14 . 2009-07-15 00:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-14 03:57 . 2009-07-14 03:57 -------- d-----w- C:\VundoFix Backups
2009-07-14 01:43 . 2009-07-14 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-07-14 01:41 . 2009-07-15 02:42 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-07-14 01:41 . 2009-07-14 01:42 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-07-14 01:37 . 2009-07-14 01:37 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-14 01:37 . 2009-07-14 01:45 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\DAEMON Tools Lite
2009-07-12 05:12 . 2009-07-12 05:12 -------- d-sh--w- c:\documents and settings\Administrator.FAVPR\IETldCache
2009-07-12 04:39 . 2009-07-15 23:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-07-12 04:39 . 2009-07-12 04:39 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-29 19:26 . 2009-06-29 19:26 -------- d-----w- C:\spoolerlogs
2009-06-26 17:08 . 2009-06-26 17:08 -------- d-sh--w- C:\found.002
2009-06-25 07:03 . 2009-06-25 07:10 -------- d-----w- c:\program files\Wavefunction
2009-06-23 03:25 . 2009-06-30 02:09 18186048 ----a-w- c:\documents and settings\All Users\Application Data\Yahoo!\YUpdater\msgup900_2162_us_v2.exe
2009-06-23 02:04 . 2009-06-23 02:04 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\Samsung
2009-06-23 01:49 . 2006-05-04 05:53 174592 ----a-w- c:\windows\system32\framedyn.dll
2009-06-23 01:48 . 2009-06-23 01:48 -------- d-----w- c:\program files\DIFX
2009-06-23 01:47 . 2009-06-23 01:48 -------- d-----w- c:\windows\system32\Samsung_USB_Drivers
2009-06-23 01:46 . 2009-06-23 02:01 5632 ----a-w- c:\windows\system32\drivers\StarOpen.sys
2009-06-23 01:14 . 2007-07-04 00:58 106792 ----a-w- c:\windows\system32\drivers\sscdmdm.sys
2009-06-23 01:14 . 2007-07-04 01:00 9256 ----a-w- c:\windows\system32\drivers\sscdwhnt.sys
2009-06-23 01:14 . 2007-07-04 01:00 9256 ----a-w- c:\windows\system32\drivers\sscdwh.sys
2009-06-23 01:14 . 2007-07-04 00:57 11944 ----a-w- c:\windows\system32\drivers\sscdmdfl.sys
2009-06-23 01:14 . 2007-07-04 00:56 9256 ----a-w- c:\windows\system32\drivers\sscdcmnt.sys
2009-06-23 01:14 . 2007-07-04 00:56 9256 ----a-w- c:\windows\system32\drivers\sscdcm.sys
2009-06-23 01:14 . 2007-07-04 00:54 80552 ----a-w- c:\windows\system32\drivers\sscdbus.sys
2009-06-22 23:37 . 2009-06-23 01:14 -------- d-----w- c:\program files\SAMSUNG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-15 23:42 . 2008-09-25 04:58 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2009-07-15 23:42 . 2008-10-04 18:58 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2009-07-15 23:29 . 2009-03-19 17:07 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\Move Networks
2009-07-15 23:28 . 2008-09-25 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-15 06:50 . 2009-06-04 05:49 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\uTorrent
2009-07-13 05:56 . 2009-04-09 02:03 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\Free Download Manager
2009-07-12 23:49 . 2008-10-02 01:48 -------- d-----w- c:\program files\MegauploadToolbar
2009-07-12 23:49 . 2008-10-02 01:48 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\MegauploadToolbar
2009-07-11 04:08 . 2009-02-15 20:13 -------- d-----w- c:\program files\McAfee
2009-07-01 06:35 . 2009-02-17 07:29 -------- d-----w- c:\program files\pspvc
2009-07-01 06:35 . 2009-02-17 07:30 -------- d-----w- c:\program files\AviSynth 2.5
2009-06-23 02:22 . 2007-10-21 21:00 44304 ----a-w- c:\documents and settings\HUY NGUYEN\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-23 01:46 . 2008-09-25 04:54 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-19 04:32 . 2008-10-23 22:19 -------- d-----w- c:\program files\AIM6
2009-06-18 18:25 . 2009-06-18 18:25 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-16 14:55 . 2004-08-04 11:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-04 11:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 23:42 . 2009-06-12 23:42 -------- d-----w- c:\program files\SixaxisDriver
2009-06-12 23:05 . 2009-06-12 23:05 -------- d-----w- c:\program files\LibUSB-Win32-0.1.10.1
2009-06-07 16:53 . 2009-06-04 04:34 -------- d-----w- c:\program files\DNA
2009-06-07 16:52 . 2009-06-04 04:34 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\DNA
2009-06-04 02:51 . 2009-06-04 02:30 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\dvdcss
2009-06-03 19:27 . 2004-08-04 11:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 16:47 . 2009-06-02 16:47 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\Nero
2009-05-29 23:14 . 2009-04-14 23:20 -------- d---a-w- c:\program files\SurvivalProject
2009-05-24 19:42 . 2009-03-27 02:29 -------- d-----w- c:\documents and settings\HUY NGUYEN\Application Data\Ventrilo
2009-05-24 03:57 . 2008-09-26 04:09 -------- d--h--w- c:\documents and settings\HUY NGUYEN\Application Data\ijjigame
2009-05-19 08:36 . 2009-06-18 18:25 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 08:36 . 2009-06-18 18:25 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 08:36 . 2009-06-18 18:25 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 08:36 . 2009-06-18 18:25 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 08:36 . 2009-06-18 18:25 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 08:36 . 2009-06-18 18:25 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 08:36 . 2009-06-18 18:25 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 08:36 . 2009-06-18 18:25 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
2009-05-13 05:15 . 2004-08-04 11:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-07 15:44 . 2004-08-04 11:00 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 09:58 . 2004-08-04 11:00 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-07-02 23:16 . 2008-09-25 04:18 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-01-29 00:49 . 2009-01-29 00:49 62976 ----a-w- c:\program files\mozilla firefox\plugins\uc_sfighters_launching.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\HUY NGUYEN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-25 133104]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-17 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-17 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-17 149024]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-07 136600]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-12-10 185872]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-09-18 7630848]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-09-18 86016]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"C-Media Mixer"="Mixer.exe" - c:\windows\mixer.exe [2002-01-28 1228800]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-09-18 1519616]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-9-24 196608]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"d:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Sony\\Media Manager for PSP\\MediaManager.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\SurvivalProject\\ioprotect.exe"=
"c:\\Program Files\\SurvivalProject\\sp.exe"=
"c:\\WINDOWS\\system32\\verclsid.exe"=
"d:\\Documents and Settings\\HUY NGUYEN\\Shared\\BitTorrent.exe"=
"d:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\AIM\\AIM Pro\\aimpro.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [5/8/2009 12:59 AM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/8/2009 12:59 AM 20560]
R3 KuirKbdFltr;KuirKbdFltr overlay support subsystem;c:\windows\system32\drivers\KuirKbdFltr.sys [1/23/2009 7:05 PM 26144]
R3 KuirMouFltr;KuirMouFltr overlay support subsystem;c:\windows\system32\drivers\KuirMouFltr.sys [1/23/2009 7:05 PM 23200]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [12/21/2008 5:06 PM 28672]
S0 gexam;gexam;c:\windows\system32\drivers\wfvtl.sys --> c:\windows\system32\drivers\wfvtl.sys [?]
S2 0196611247698494mcinstcleanup;McAfee Application Installer Cleanup (0196611247698494);c:\docume~1\HUYNGU~1\LOCALS~1\Temp\019661~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\HUYNGU~1\LOCALS~1\Temp\019661~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 IOIDDEV;IOIDDEV;c:\program files\SurvivalProject\config\ioid.sys [4/14/2009 4:20 PM 13568]
S3 LwAdiHid;Logitech WingMan Digital Devices(Auto-Detect);c:\windows\system32\drivers\LwAdiHid.sys [5/16/2009 8:04 PM 20864]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [12/25/2008 7:24 AM 3072]
S3 XPADFL02;XPAD Filter Service 02;c:\windows\system32\drivers\xPADFL02.sys [6/12/2009 4:42 PM 27904]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - 0196611247698494MCINSTCLEANUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-842925246-682003330-1003Core.job
- c:\documents and settings\HUY NGUYEN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 03:49]

2009-07-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1644491937-842925246-682003330-1003UA.job
- c:\documents and settings\HUY NGUYEN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-25 03:49]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BitTorrent DNA - c:\program files\DNA\btdna.exe
HKLM-Run-nmctxth - c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
HKLM-Run-nmapp - c:\program files\Pure Networks\Network Magic\nmapp.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=101760&l=dis
IE: Download all with Free Download Manager - file://c:\program files\Free Download Manager\dlall.htm
IE: Download selected with Free Download Manager - file://c:\program files\Free Download Manager\dlselected.htm
IE: Download video with Free Download Manager - file://c:\program files\Free Download Manager\dlfvideo.htm
IE: Download with Free Download Manager - file://c:\program files\Free Download Manager\dllink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Visit in &3D using ExitReality - http://3d.exitreality.com/TransmogrifyPage.htm
Trusted Zone: ucsd.edu\vpn
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} -
FF - ProfilePath - c:\documents and settings\HUY NGUYEN\Application Data\Mozilla\Firefox\Profiles\3rvhwrib.default\
FF - prefs.js: browser.search.selectedEngine - DAEMON Search
FF - prefs.js: browser.startup.homepage - hxxp://www.daemon-search.com/startpage|http://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\Free Download Manager\Firefox\Extension\components\vmsfdmff.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\HUY NGUYEN\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbyond.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\program files\BYOND\bin\npbyond.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-15 16:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,80,a2,5d,3c,fc,2f,4e,9e,96,b0,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fd,80,a2,5d,3c,fc,2f,4e,9e,96,b0,\

[HKEY_USERS\S-1-5-21-1644491937-842925246-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\mXjjU\k a%Yj
_ nNq]
"Order"=hex:08,00,00,00,02,00,00,00,16,01,00,00,01,00,00,00,02,00,00,00,80,00,
00,00,00,00,00,00,72,00,00,00,41,75,67,4d,02,00,00,00,01,00,00,00,60,00,36,\

[HKEY_USERS\S-1-5-21-1644491937-842925246-682003330-1003\Software\Sony Creative Software\M*e*d*i*a* *M*a*n*a*g*e*r* *f*o*r* *P*S*P*"!\2.5]
"FRT"="tvr0Td5DUqfRULjBQ+vzqtq0ePsrRMcQ2t0Gw100TOf2VX8eUqSq0g=="
"PLCK"="olsD9HGP8+6tfuNU+L9QijgUPx6e3Bon"
"Percents"="0.0015 0.1435 0.4085 0.6157 0.8375 0.9327 0.9378 "
"Increment"=".003333"
"PHSH"=""

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{30993f51-003d-4d30-9510-62fd9358fd56}]
@Denied: (Full) (Everyone)
"Model"=dword:0000005f
"Therad"=dword:00000021
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
38,95,44,85,b1,12,f9,90,dd,23,a1,49,8c,bf,1a,9d,fe,41,71,cb,3f,46,a4,7c,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):f6,e8,a9,5a,30,11,b8,f0,d3,4b,45,c3,1e,04,d5,3e,e1,40,fd,ae,5b,
5d,6f,a2,84,08,0a,4b,96,69,16,93,8a,82,7d,5b,4d,ec,b9,55,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(844)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(7780)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
c:\program files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
c:\program files\AIM6\aolsoftware.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-15 16:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-15 23:47

Pre-Run: 10,743,328,768 bytes free
Post-Run: 11,254,980,608 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

355 --- E O F --- 2009-07-15 06:54

#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 July 2009 - 01:39 AM

Hi,

This looks OK again.

* Go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between ComboFix and /.
Then hit enter.

This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 swordaddict

  • Topic Starter
  • Members
  • 4 posts

Posted 16 July 2009 - 12:09 PM

Hmm.. Everything appears to be fine now besides the occasional Windows error. Thanks a lot for your time.

#8 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 July 2009 - 12:14 PM

Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!