Malware infection


  • This topic is locked
14 replies to this topic

#1 Brian Clive


  • Members
  • 8 posts

Posted 22 July 2009 - 02:54 PM

Hi there
Infection prevents me from getting windows updates. Cannot download malware removal software. Also, links from Google searches get redirected.

DDS file below.

Your help is very much appreciated

Brylin



DDS (Ver_09-06-26.01) - NTFSx86
Run by Owner at 15:48:57.92 on Wed 07/22/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.122 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.cnn.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [NBJ] "c:\progra~1\ahead\neroba~1\NBJ.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Octoshape Streaming Services] "c:\program files\octoshape streaming services\owner\OctoshapeClient.exe" -inv:bootrun
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [VTTrayp] VTtrayp.exe
mRun: [VTTimer] VTTimer.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~1\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [RecoverFromReboot] c:\windows\temp\RecoverFromReboot.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc2~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpobnz08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: torrent-finder.com\www
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - hxxps://setup.bellsouth.net/wizlet/PWReset/static/controls/WebflowActiveXInstaller_6-1-2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169394648520
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.136,85.255.112.145
TCP: {6CBDF549-6F62-40D1-9333-5020DC1C1496} = 85.255.112.136,85.255.112.145
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-6-16 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-7-1 327688]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-7-1 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-7-1 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-7-1 298776]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 951632]

=============== Created Last 30 ================

2009-07-22 15:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-21 15:31 5,919 a------- c:\windows\system32\1z861vir9s785.cpl
2009-07-21 12:10 9,021,376 a------- c:\temp\windows-kb890830-v2.12.exe
2009-07-21 07:23 8,236 a------- c:\windows\system32\18692wozm9145.ocx
2009-07-20 06:37 15,398 a------- c:\windows\system32\4z539hreat25370.dll
2009-07-19 23:19 14,721 a------- c:\windows\system32\z9489rojf5.cpl
2009-07-19 14:31 13,234 a------- c:\windows\system32\zdf59pyware2976.exe
2009-07-17 21:54 6,959 a------- c:\windows\2295459t-a-virus3bbz.exe
2009-07-17 15:01 6,402 a------- c:\windows\5526addware2z90.bin
2009-07-14 18:28 12,395 a------- c:\windows\system32\z2984vi5us7e6.bin
2009-07-11 07:29 13,437 a------- c:\windows\system32\19706trzj85.dll
2009-07-11 03:32 13,502 a------- c:\windows\system32\5a5b9ddwzre1625.bin
2009-07-10 14:11 4,022 a------- c:\windows\system32\13995vzrus515.ocx
2009-07-09 08:53 16,888 a------- c:\windows\9e44spywzr52754.exe
2009-07-08 14:49 <DIR> --d----- c:\program files\Easy DVD CD Burner
2009-07-08 12:32 10,003 a------- c:\windows\75zathr9at11551.cpl
2009-07-06 22:54 7,572 a------- c:\windows\4d45thre9tz4774.ocx
2009-07-06 22:11 5,686 a------- c:\windows\4975sp5mzot4cb.dll
2009-07-06 03:42 4,533 a------- c:\windows\system32\5286thiefz974.bin
2009-07-04 23:28 10,878 a------- c:\windows\system32\39fespa5se115z.bin
2009-07-04 21:55 16,801 a------- c:\windows\254bviz25449.dll
2009-07-04 03:00 6,953 a------- c:\windows\2c96sparsz1654.ocx
2009-07-01 11:07 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-07-01 11:07 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-07-01 11:07 327,688 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-01 11:07 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-07-01 11:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-07-01 10:31 <DIR> --d----- c:\program files\Microsoft ActiveSync
2009-07-01 10:30 <DIR> --d----- c:\windows\ShellNew
2009-06-28 10:25 4,768 a------- c:\windows\1632ztroj95.cpl
2009-06-27 15:49 16,108 a------- c:\windows\system32\63c5bzckdoo9234.cpl
2009-06-27 14:32 15,796 a------- c:\windows\z5839teal1385.bin
2009-06-25 19:03 14,804 a------- c:\windows\system32\15016s5ambo93cz.exe
2009-06-24 15:13 13,643 a------- c:\windows\system32\478asp5w9ze2471.bin
2009-06-23 23:09 17,119 a------- c:\windows\system32\9957t9zj798.bin
2009-06-22 20:14 5,801 a------- c:\windows\system32\58539hrezt28109.bin

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-06-22 12:39 16,151 a------- c:\windows\6dd5backd5o96z9.exe
2009-06-19 12:41 4,725 a------- c:\windows\5d90ba5kdooz1956.exe
2009-06-16 02:39 14,907 a------- c:\windows\system32\3z05ad9ware1450.exe
2009-06-15 05:06 15,848 a------- c:\windows\39186sz546b.dll
2009-06-14 03:20 8,075 a------- c:\windows\98185hacztool4b1.bin
2009-06-13 10:42 7,592 a------- c:\windows\system32\4571not-a5vi9uz3c6.dll
2009-06-12 04:18 14,223 a------- c:\windows\system32\5f52sp9zse2519.dll
2009-06-11 14:59 410,984 a------- c:\windows\system32\deploytk.dll
2009-06-11 02:08 7,985 a------- c:\windows\system32\44065pzmb9t635.exe
2009-06-05 21:47 3,180 a------- c:\windows\system32\z8542hacktool9da.dll
2009-06-04 17:52 5,930 a------- c:\windows\1z2bspyware519.dll
2009-06-03 19:04 3,509 a------- c:\windows\286z1sp5mb9t531.bin
2009-06-03 18:35 8,103 a------- c:\windows\system32\z0bf5teal9334.bin
2009-06-03 05:28 10,272 a------- c:\windows\385159ambztf.dll
2009-06-03 02:46 5,496 a------- c:\windows\system32\8675spambzt5859.bin
2009-05-30 17:03 19,558 a------- c:\windows\hpoins01.dat
2009-05-28 00:57 10,399 a------- c:\windows\system32\z2397virus562.exe
2009-05-27 01:00 10,550 a------- c:\windows\349ethreat9z195.exe
2009-05-25 20:23 13,321 a------- c:\windows\system32\5138th59az16125.dll
2009-05-23 03:45 8,053 a------- c:\windows\system32\39004spambotzf5.dll
2009-05-22 18:00 17,495 a------- c:\windows\53350zpy4a9.exe
2009-05-22 17:06 2,881 a------- c:\windows\30416not-z-vi5u95bd.bin
2009-05-20 21:55 3,248 a------- c:\windows\system32\943backd5oz1419.bin
2009-05-20 14:41 5,633 a------- c:\windows\15f9steal7z3.exe
2009-05-19 20:24 8,683 a------- c:\windows\11916z5cktool679.bin
2009-05-16 16:47 15,372 a------- c:\windows\system32\5039bz9kdoor634.exe
2009-05-15 13:58 155,995 a------- c:\windows\java\packages\IMC2D7BZ.ZIP
2009-05-15 13:58 2,232 a------- c:\windows\java\packages\data\B1NR3HFN.DAT
2009-05-15 13:58 2,678 a------- c:\windows\java\packages\data\YPNRTB1B.DAT
2009-05-15 13:58 2,678 a------- c:\windows\java\packages\data\U8NFPV5R.DAT
2009-05-15 13:58 2,678 a------- c:\windows\java\packages\data\PNNBBNN5.DAT
2009-05-15 13:58 2,678 a------- c:\windows\java\packages\data\0CB7JZBV.DAT
2009-05-15 13:58 2,678 a------- c:\windows\java\packages\data\VNDFB1ZR.DAT
2009-05-15 13:57 184,320 a------- c:\windows\system32\OESICore.dll
2009-05-15 13:57 45,056 a------- c:\windows\system32\HSSICore.dll
2009-05-15 13:57 98,136 a------- c:\windows\gzip.exe
2009-05-13 15:50 11,172 a------- c:\windows\z956st5al2653.dll
2009-05-11 08:21 6,651 a------- c:\windows\system32\450zspywa9e205.exe
2009-05-10 17:42 13,027 a------- c:\windows\z7934tro5448.dll
2009-05-09 22:46 13,646 a------- c:\windows\system32\15013wzrm569.bin
2009-05-08 20:31 15,895 a------- c:\windows\system32\29660wo5m67z.bin
2009-05-07 18:10 13,860 a------- c:\windows\3ff2thrzat25997.bin
2009-05-06 13:11 8,579 a------- c:\windows\11380no9-azvirus529.bin
2009-05-05 02:48 5,280 a------- c:\windows\675zspyware18349.exe
2009-05-04 06:57 7,429 a------- c:\windows\9150zo5m443.dll
2009-05-02 20:57 9,933 a------- c:\windows\system32\65369ir127z.exe
2009-05-02 04:59 3,410 a------- c:\windows\13435vi9usz7.dll
2009-05-01 13:29 3,394 a------- c:\windows\7a0d9zwnloader1595.exe
2009-04-27 22:14 15,014 a------- c:\windows\system32\434fbackdoor51z09.bin
2009-04-26 04:01 14,890 a------- c:\windows\9466ste5l8z2.exe
2005-05-13 18:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 12:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 22:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-07-14 13:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 16:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 23:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2006-04-27 11:24 2,945,024 a--shr-- c:\windows\system32\Smab.dll
2005-02-28 14:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2004-01-25 01:00 70,656 a--shr-- c:\windows\system32\yv12vfw.dll
2008-11-20 13:20 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008112020081121\index.dat

============= FINISH: 15:49:15.35 ===============
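The following Python triage script is an added example (it is not part of the original post or of the DDS tool) that reads a DDS log for three indicators visible in the report above: hard-coded DNS servers under TCP: NameServer and the per-interface key that differ from the expected resolvers, the DisableTaskMgr policy, and small files with random-looking names written straight into c:\windows or c:\windows\system32. The expected-resolver address, the size and run-count thresholds, and the trimmed log excerpt are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed excerpt of the DDS log posted above: a few lines from the
# Pseudo HJT Report, "Created Last 30" and "Find3M" sections are enough to
# exercise each check. Real logs carry many more lines of each kind.
SAMPLE_DDS = r"""
uPolicies-system: DisableTaskMgr = 1 (0x1)
TCP: NameServer = 85.255.112.136,85.255.112.145
TCP: {6CBDF549-6F62-40D1-9333-5020DC1C1496} = 85.255.112.136,85.255.112.145

=============== Created Last 30 ================

2009-07-22 15:05 <DIR> --d----- c:\program files\Trend Micro
2009-07-21 15:31 5,919 a------- c:\windows\system32\1z861vir9s785.cpl
2009-07-19 14:31 13,234 a------- c:\windows\system32\zdf59pyware2976.exe
2009-07-17 21:54 6,959 a------- c:\windows\2295459t-a-virus3bbz.exe
2009-07-01 11:07 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

==================== Find3M ====================

2009-07-13 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-22 12:39 16,151 a------- c:\windows\6dd5backd5o96z9.exe
2009-06-11 14:59 410,984 a------- c:\windows\system32\deploytk.dll
2005-10-13 22:27 422,400 a--shr-- c:\windows\x2.64.exe
"""

# Assumption: the resolver this machine is expected to use (a made-up
# router address for the example). Any other address hard-coded under
# TCP\Parameters or a per-interface key is a DNS hijack indicator.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Dropped files in this log sit directly in c:\windows or c:\windows\system32,
# are small, and have names that alternate digit runs and letter runs.
WATCHED_DIRS = {r"c:\windows", r"c:\windows\system32"}
MAX_DROPPER_SIZE = 20_000  # bytes; threshold chosen for this example
MIN_RUNS = 4               # e.g. "zdf" "59" "pyware" "2976" -> 4 runs

FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+(\S+)\s+(.+?)\s*$")
DNS_RE = re.compile(r"^TCP:\s+(NameServer|\{[0-9A-Fa-f-]+\})\s*=\s*(.+?)\s*$")
POLICY_RE = re.compile(r"^(uPolicies-\w+):\s+(\w+)\s*=\s*(\d+)")


def name_runs(stem: str) -> int:
    """Count alternating digit / non-digit runs in a file name stem."""
    return len(re.findall(r"\d+|\D+", stem))


def random_looking(stem: str) -> bool:
    """Heuristic for machine-generated names such as 1z861vir9s785."""
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    return digits >= 2 and letters >= 2 and name_runs(stem) >= MIN_RUNS


def triage_dds(log: str) -> Dict[str, List[str]]:
    """Return DNS, policy and dropped-file indicators found in a DDS log."""
    findings: Dict[str, List[str]] = {"dns": [], "policies": [], "files": []}
    for line in log.splitlines():
        line = line.strip()
        m = DNS_RE.match(line)
        if m:
            for ip in m.group(2).split(","):
                ip = ip.strip()
                if ip and ip not in EXPECTED_RESOLVERS:
                    findings["dns"].append(f"{m.group(1)} -> {ip}")
            continue
        m = POLICY_RE.match(line)
        if m and m.group(2) == "DisableTaskMgr" and m.group(3) != "0":
            findings["policies"].append(f"{m.group(1)} {m.group(2)}={m.group(3)}")
            continue
        m = FILE_RE.match(line)
        if not m or m.group(2) == "<DIR>":
            continue
        size = int(m.group(2).replace(",", ""))
        path = m.group(4).lower()
        directory, _, filename = path.rpartition("\\")
        stem = filename.rsplit(".", 1)[0]
        if (directory in WATCHED_DIRS and size < MAX_DROPPER_SIZE
                and random_looking(stem)):
            findings["files"].append(path)
    return findings


if __name__ == "__main__":
    for kind, hits in triage_dds(SAMPLE_DDS).items():
        print(f"{kind}:")
        for hit in hits:
            print(f"  {hit}")
```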



#2 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 01 August 2009 - 06:47 AM

Hello, Brian Clive.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Please note that I am in the process of my training, so it may take a while for me to get back to you, as each of my fixes needs to be checked by a coach first.

We need to run RSIT
  • Download random's system information tool (RSIT) by random/random and save it to your desktop.
  • Double click on RSIT.exe.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
In your next reply, please include the following:
  • Log.txt
  • info.txt

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Brian Clive

  • Topic Starter

  • Members
  • 8 posts

Posted 01 August 2009 - 11:43 AM

Hi aommaster,
Many thanks for your reply, I appreciate your help with this.
Requested files attached

Attached Files

  • info.txt (23.89 KB)
  • log.txt (31.88 KB)


#4 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 02 August 2009 - 09:10 AM

Hello, Brian Clive.
Just a quick note before we begin: please copy and paste your logs into your reply rather than attaching them, unless otherwise stated in the instructions, as that makes them easier for me to read. Thanks

Let's start!
Registry Cleaner Program Warning!

Registry Mechanic

Please be aware that bleepingcomputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done on the assumption that the main audience here at this board may be inexperienced users, and it is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix", and it is up to the user, so just take this as a recommendation from my side.




P2P Program Warning!

uTorrent and Azureus

P2P programs form a direct conduit onto your computer; their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall uTorrent and Azureus; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




Viewpoint Warning!

The logs also show Viewpoint Manager installed. Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

Viewpoint to Plunge Into Adware

I suggest you remove the program now. Go to Start > Control Panel > Add or Remove Programs. From within Add or Remove Programs uninstall the following if they exist:
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player



We need to download and run ComboFix (by sUBs)
  • Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  • Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log



#5 Brian Clive

  • Topic Starter

  • Members
  • 8 posts

Posted 02 August 2009 - 12:06 PM

Hi Aommaster,
Many thanks for your warnings and advice. Here are the requested logs.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:06 PM, on 8/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169394648520
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9079 bytes




ComboFix 09-08-01.09 - Owner 08/02/2009 12:48.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.219 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\22491w9r5670z.cpl
c:\windows\system32\22515hac5tozl7ac9.exe
c:\windows\system32\22590zorm194.exe
c:\windows\system32\228529ozm245.dll
c:\windows\system32\2296sp5zse1541.cpl
c:\windows\system32\22z0thr9at52911.cpl
c:\windows\system32\237z59iru5500.ocx
c:\windows\system32\23921hacktooz6a5.dll
c:\windows\system32\243z7worm9c5.dll
c:\windows\system32\249279ackto5l7f1z.cpl
c:\windows\system32\249z9tea5526.exe
c:\windows\system32\249zspywa59225.cpl
c:\windows\system32\24z56sp5m9ot35.cpl
c:\windows\system32\25721viru9z39.dll
c:\windows\system32\2584zvi9us159.cpl
c:\windows\system32\25952tr9j36z5.dll
c:\windows\system32\25955vz9us521.exe
c:\windows\system32\25978zr5j164.cpl
c:\windows\system32\25ccvirz899.dll
c:\windows\system32\2632zs9y54d.exe
c:\windows\system32\26520no5-a9zirus249.cpl
c:\windows\system32\27293wo5z1759.dll
c:\windows\system32\27806spazbo5119.bin
c:\windows\system32\27929troj5dz.cpl
c:\windows\system32\27z2195oj13d.bin
c:\windows\system32\2805noz-a-virus359.cpl
c:\windows\system32\2825szywa9e1131.dll
c:\windows\system32\2830no5z9-virus4fd.bin
c:\windows\system32\2898st5al196z.dll
c:\windows\system32\29190vzr5s3c0.bin
c:\windows\system32\29287woz51239.dll
c:\windows\system32\292f5pzrse15729.ocx
c:\windows\system32\29400wormz75.dll
c:\windows\system32\294z0n5t-a-virus468.exe
c:\windows\system32\2958sza5se799.exe
c:\windows\system32\29594spambot65z.ocx
c:\windows\system32\29660wo5m67z.bin
c:\windows\system32\29876w9rm135z.cpl
c:\windows\system32\29b0sp5rsz777.cpl
c:\windows\system32\29c8dowzloader7165.dll
c:\windows\system32\29z03tro9454.dll
c:\windows\system32\2bz7vir9255.ocx
c:\windows\system32\2c47zackdoo912245.ocx
c:\windows\system32\2c89szyware14475.exe
c:\windows\system32\2d47spa5se2693z.bin
c:\windows\system32\2da3s5arse398z.bin
c:\windows\system32\2deb9t5al31z1.dll
c:\windows\system32\2dz55teal994.dll
c:\windows\system32\2eb5spar9ez40.exe
c:\windows\system32\2z006not-a-viru55e9.exe
c:\windows\system32\2z179virus559.ocx
c:\windows\system32\2z8bthreat24955.cpl
c:\windows\system32\30247zackto5l194.ocx
c:\windows\system32\304z2ha5ktool7979.dll
c:\windows\system32\30z2sparse759.dll
c:\windows\system32\313z1vir5s76a9.ocx
c:\windows\system32\3141sp5zse1939.exe
c:\windows\system32\31495not-z5vi9us423.exe
c:\windows\system32\31515sp52z9.dll
c:\windows\system32\3152znot-a-virus49b.exe
c:\windows\system32\31569wormz85.bin
c:\windows\system32\3187thiz59069.ocx
c:\windows\system32\320569zoj334.cpl
c:\windows\system32\3215download9rz801.bin
c:\windows\system32\325zaddwar93250.cpl
c:\windows\system32\32910s5z292.ocx
c:\windows\system32\33d2d9wnloadzr759.ocx
c:\windows\system32\33d5thi5z16899.exe
c:\windows\system32\34a4zddware29215.exe
c:\windows\system32\3527zot-a5virus69.cpl
c:\windows\system32\3554spywz9e2803.dll
c:\windows\system32\3592virz720.ocx
c:\windows\system32\359cstza5555.exe
c:\windows\system32\35z95spambot9f9.bin
c:\windows\system32\3605thz9at4146.exe
c:\windows\system32\3794st9alz258.bin
c:\windows\system32\379a9hr5zt28738.exe
c:\windows\system32\39004spambotzf5.dll
c:\windows\system32\39014zpy5a7.dll
c:\windows\system32\3909spzrse2535.cpl
c:\windows\system32\3955spars913z6.cpl
c:\windows\system32\39951nzt5a-virus414.cpl
c:\windows\system32\399z9spy6f5.bin
c:\windows\system32\39fespa5se115z.bin
c:\windows\system32\3c86addware597z.dll
c:\windows\system32\3dfeza59door342.exe
c:\windows\system32\3z05ad9ware1450.exe
c:\windows\system32\3z569v9rus60e5.bin
c:\windows\system32\3zd1downl5ader1795.cpl
c:\windows\system32\3ze3thi5f11679.cpl
c:\windows\system32\41ba5pywaze994.exe
c:\windows\system32\425addw9re25z2.cpl
c:\windows\system32\42949ownloadzr2539.ocx
c:\windows\system32\434fbackdoor51z09.bin
c:\windows\system32\44065pzmb9t635.exe
c:\windows\system32\4462baczdoo517869.bin
c:\windows\system32\450zspywa9e205.exe
c:\windows\system32\4526steaz9969.exe
c:\windows\system32\4571not-a5vi9uz3c6.dll
c:\windows\system32\4591steaz484.bin
c:\windows\system32\4683nz5-a-virus509.cpl
c:\windows\system32\478asp5w9ze2471.bin
c:\windows\system32\47e0thr9at2515z.ocx
c:\windows\system32\491zt59j13d.ocx
c:\windows\system32\4945thief5z4.exe
c:\windows\system32\4969downzoade53276.exe
c:\windows\system32\49z9vi5us437.exe
c:\windows\system32\4ae9d9znloa5er101.dll
c:\windows\system32\4bfd59ezl994.dll
c:\windows\system32\4c6espyw5ze9942.ocx
c:\windows\system32\4f99ste5lz788.bin
c:\windows\system32\4z52v9r2330.dll
c:\windows\system32\4z539hreat25370.dll
c:\windows\system32\4z61sp9war53173.ocx
c:\windows\system32\4z6ddownloade5992.ocx
c:\windows\system32\5039bz9kdoor634.exe
c:\windows\system32\5090backdooz2428.ocx
c:\windows\system32\5138th59az16125.dll
c:\windows\system32\524ado9nzoader5825.ocx
c:\windows\system32\5252sp95se1144z.ocx
c:\windows\system32\5259zir541.bin
c:\windows\system32\5286thiefz974.bin
c:\windows\system32\5299n9t-a-5irus59z.cpl
c:\windows\system32\53126wz9m7d.cpl
c:\windows\system32\539zbackdoor2411.bin
c:\windows\system32\5429hac9toole4z.ocx
c:\windows\system32\5494troj39az.bin
c:\windows\system32\54z1b9c5door1323.bin
c:\windows\system32\550fzte951083.exe
c:\windows\system32\5513threat1159z.dll
c:\windows\system32\5519spamzot15d.cpl
c:\windows\system32\5556spzmbot6b9.bin
c:\windows\system32\555az5ywa9e3066.cpl
c:\windows\system32\557athrz5t29009.dll
c:\windows\system32\55easpy9zre2769.ocx
c:\windows\system32\56029spambot6cz.exe
c:\windows\system32\5618z9y3ea.exe
c:\windows\system32\57295ot-a-viruz5ee.bin
c:\windows\system32\57457zirusa9.exe
c:\windows\system32\57z4spy9are1984.exe
c:\windows\system32\5807v5ruz953.cpl
c:\windows\system32\5826thr5zt29292.bin
c:\windows\system32\5839sz97805.dll
c:\windows\system32\58539hrezt28109.bin
c:\windows\system32\5898wz5m4a9.exe
c:\windows\system32\5908spam59t2z.dll
c:\windows\system32\59235teal1250z.dll
c:\windows\system32\5923vi9zs4bb.dll
c:\windows\system32\5950spyware9z3.exe
c:\windows\system32\59879zrm3a5.cpl
c:\windows\system32\59ddvi927z9.ocx
c:\windows\system32\5a5b9ddwzre1625.bin
c:\windows\system32\5azsparse3930.exe
c:\windows\system32\5bcebackdz9r24015.cpl
c:\windows\system32\5bzeth9ef1599.ocx
c:\windows\system32\5cc5v9z375.dll
c:\windows\system32\5d2aa5zware1598.bin
c:\windows\system32\5d8b9ckdoor156z.bin
c:\windows\system32\5dd7stz5l2972.cpl
c:\windows\system32\5e5bbackdoorz0889.bin
c:\windows\system32\5e99spyzare68.ocx
c:\windows\system32\5eb4ba5kdoor2399z.ocx
c:\windows\system32\5ebz5parse14979.ocx
c:\windows\system32\5edspyz9re5257.bin
c:\windows\system32\5f52sp9zse2519.dll
c:\windows\system32\5f91z9ckdoor1031.bin
c:\windows\system32\5z35steal295.cpl
c:\windows\system32\5z3threat6519.dll
c:\windows\system32\5z50threa910758.exe
c:\windows\system32\5z92thie55609.ocx
c:\windows\system32\5z95virus599.exe
c:\windows\system32\6134zor5390.bin
c:\windows\system32\6195vir1z965.dll
c:\windows\system32\63c5bzckdoo9234.cpl
c:\windows\system32\63dc5zdw9re2211.exe
c:\windows\system32\6437tzrea914415.bin
c:\windows\system32\6491vz52853.ocx
c:\windows\system32\65369ir127z.exe
c:\windows\system32\65659py629z.cpl
c:\windows\system32\66e7do5n9oadez2006.dll
c:\windows\system32\6703za9kdo5r2637.exe
c:\windows\system32\6785z59ware1113.bin
c:\windows\system32\67z9wor567.bin
c:\windows\system32\6893sp54z9.ocx
c:\windows\system32\6950thief2509z.cpl
c:\windows\system32\69955hie91458z.cpl
c:\windows\system32\6a9d59arsez27.bin
c:\windows\system32\6b94th5zat27700.cpl
c:\windows\system32\6bfzspyware54829.ocx
c:\windows\system32\6ca9do5nloadzr3206.cpl

.
((((((((((((((((((((((((( Files Created from 2009-07-02 to 2009-08-02 )))))))))))))))))))))))))))))))
.

2009-12-25 11:26 . 2009-12-25 11:26 12841 ----a-w- c:\windows\system32\97116vzrus577.bin
2009-12-21 03:27 . 2009-12-21 03:27 14658 ----a-w- c:\windows\system32\73zea9dwar5841.dll
2009-11-20 14:51 . 2009-11-20 14:51 5603 ----a-w- c:\windows\system32\7600bz9kdoor2505.exe
2009-11-09 20:44 . 2009-11-09 20:44 13101 ----a-w- c:\windows\system32\95595troze5.exe
2009-10-26 14:13 . 2009-10-26 14:13 5400 ----a-w- c:\windows\system32\z770threa517419.exe
2009-10-03 06:59 . 2009-10-03 06:59 6969 ----a-w- c:\windows\system32\9z292hacktoo576.bin
2009-09-10 08:11 . 2009-09-10 08:11 10964 ----a-w- c:\windows\system32\c99downloadez566.bin
2009-09-01 13:07 . 2009-09-01 13:07 13431 ----a-w- c:\windows\system32\f19b5czdoor1939.dll
2009-08-28 17:00 . 2009-08-28 17:00 4248 ----a-w- c:\windows\system32\8834wo592z8.bin
2009-08-03 13:01 . 2009-08-03 13:01 2775 ----a-w- c:\windows\system32\z055sp9mb5t4a4.exe
2009-08-02 16:46 . 2009-08-02 16:46 -------- d-----w- c:\windows\LastGood
2009-08-01 14:11 . 2009-08-01 14:11 -------- d-----w- C:\rsit
2009-07-22 19:05 . 2009-07-22 19:05 -------- d-----w- c:\program files\Trend Micro
2009-07-21 17:03 . 2009-07-21 17:04 -------- d-----w- c:\program files\ERUNT
2009-07-21 16:10 . 2009-07-21 16:04 9021376 ----a-w- c:\temp\windows-kb890830-v2.12.exe
2009-07-20 14:05 . 2009-07-20 14:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-07-19 18:31 . 2009-07-19 18:31 13234 ----a-w- c:\windows\system32\zdf59pyware2976.exe
2009-07-14 22:28 . 2009-07-14 22:28 12395 ----a-w- c:\windows\system32\z2984vi5us7e6.bin
2009-07-08 18:49 . 2009-07-08 18:49 -------- d-----w- c:\program files\Easy DVD CD Burner
2009-07-08 18:40 . 2009-07-08 18:47 -------- d-----w- c:\documents and settings\Brian C\Application Data\Azureus
2009-07-08 18:27 . 2009-07-08 18:27 -------- d-----w- c:\documents and settings\Brian C\Local Settings\Application Data\Identities
2009-07-08 18:14 . 2009-07-08 18:27 -------- d-----w- c:\documents and settings\Brian C\Local Settings\Application Data\Musicmatch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-02 15:19 . 2008-03-21 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-02 15:06 . 2008-06-14 14:39 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-02 14:22 . 2007-02-21 03:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-02 14:20 . 2009-06-08 16:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-21 17:11 . 2009-06-05 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-20 14:05 . 2007-03-25 18:30 41560 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-13 17:36 . 2009-06-05 14:56 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 17:36 . 2009-06-05 14:56 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-01 14:31 . 2009-07-01 14:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-07-01 13:24 . 2009-03-26 20:24 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG8
2009-06-24 03:09 . 2009-06-24 03:09 17119 ----a-w- c:\windows\system32\9957t9zj798.bin
2009-06-16 17:52 . 2009-06-16 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-16 17:50 . 2009-06-16 17:50 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-16 17:49 . 2009-06-16 17:49 -------- d-----w- c:\program files\Lavasoft
2009-06-11 18:59 . 2009-06-11 19:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 18:59 . 2005-09-10 21:27 -------- d-----w- c:\program files\Java
2009-06-11 18:44 . 2009-06-11 18:44 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-06 01:47 . 2009-06-06 01:47 3180 ----a-w- c:\windows\system32\z8542hacktool9da.dll
2009-06-05 15:25 . 2009-06-05 15:25 -------- d-----w- c:\program files\Enigma Software Group
2009-06-05 14:56 . 2009-06-05 14:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-05 14:38 . 2006-11-27 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-06-05 14:38 . 2006-11-27 19:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-03 22:35 . 2009-06-03 22:35 8103 ----a-w- c:\windows\system32\z0bf5teal9334.bin
2009-06-03 09:28 . 2009-06-03 09:28 10272 ----a-w- c:\windows\385159ambztf.dll
2009-06-03 06:46 . 2009-06-03 06:46 5496 ----a-w- c:\windows\system32\8675spambzt5859.bin
2009-05-30 21:03 . 2009-05-30 20:58 19558 ----a-w- c:\windows\hpoins01.dat
2009-05-30 13:46 . 2008-05-20 12:26 120088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Plugins\npoctoshape.dll
2009-05-28 04:57 . 2009-05-28 04:57 10399 ----a-w- c:\windows\system32\z2397virus562.exe
2009-05-21 01:55 . 2009-05-21 01:55 3248 ----a-w- c:\windows\system32\943backd5oz1419.bin
2009-05-15 17:58 . 2009-05-15 17:58 2232 ----a-w- c:\windows\java\Packages\Data\B1NR3HFN.DAT
2009-05-15 17:58 . 2009-05-15 17:58 155995 ----a-w- c:\windows\java\Packages\IMC2D7BZ.ZIP
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\YPNRTB1B.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\U8NFPV5R.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\PNNBBNN5.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\0CB7JZBV.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\VNDFB1ZR.DAT
2009-05-15 17:57 . 2009-05-17 17:07 45056 ----a-w- c:\windows\system32\HSSICore.dll
2009-05-15 17:57 . 2009-05-17 17:07 184320 ----a-w- c:\windows\system32\OESICore.dll
2009-05-15 17:57 . 2009-05-15 17:57 98136 ----a-w- c:\windows\gzip.exe
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 15:24 . 2006-04-27 15:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-02_15.28.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-02 16:44 . 2009-08-02 16:44 16384 c:\windows\Temp\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NBJ"="c:\progra~1\Ahead\NEROBA~1\NBJ.exe" [2005-06-02 1957888]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Owner\OctoshapeClient.exe" [2006-02-13 214648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 7957504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-12-17 483394]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-27 344064]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-06-22 143360]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-01 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-6-28 54512]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:Bittorrent
"4001:TCP"= 4001:TCP:Bittorrent
"4002:TCP"= 4002:TCP:Bittorrent
"4003:TCP"= 4003:TCP:Bittorrent
"4004:TCP"= 4004:TCP:Bittorrent
"4005:TCP"= 4005:TCP:Bittorrent
"50021:TCP"= 50021:TCP:Bittorrent

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/16/2009 1:51 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 3:06 PM 951632]
.
Contents of the 'Scheduled Tasks' folder

2009-07-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-01 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4243717409.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2009-08-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 20:56]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: torrent-finder.com\www
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-02 12:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-02 12:59
ComboFix-quarantined-files.txt 2009-08-02 16:58
ComboFix2.txt 2009-08-02 15:32

Pre-Run: 30,259,474,432 bytes free
Post-Run: 30,216,839,168 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
379 --- E O F --- 2009-05-07 13:44

#6 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:26 AM

Posted 03 August 2009 - 09:37 AM

Hello, Brian Clive.
We need to run a Combofix script
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    file::
    c:\windows\system32\97116vzrus577.bin
    c:\windows\system32\73zea9dwar5841.dll
    c:\windows\system32\7600bz9kdoor2505.exe
    c:\windows\system32\95595troze5.exe
    c:\windows\system32\z770threa517419.exe
    c:\windows\system32\9z292hacktoo576.bin
    c:\windows\system32\c99downloadez566.bin
    c:\windows\system32\f19b5czdoor1939.dll
    c:\windows\system32\8834wo592z8.bin
    c:\windows\system32\z055sp9mb5t4a4.exe
    c:\windows\system32\zdf59pyware2976.exe
    c:\windows\system32\z2984vi5us7e6.bin
    c:\temp\windows-kb890830-v2.12.exe
    c:\windows\system32\z8542hacktool9da.dll
    c:\windows\system32\z0bf5teal9334.bin
    c:\windows\385159ambztf.dll
    c:\windows\system32\z2397virus562.exe
    c:\windows\system32\943backd5oz1419.bin
    c:\windows\system32\8675spambzt5859.bin
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Now, drag and drop CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PM's requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 Brian Clive

  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:26 AM

Posted 04 August 2009 - 09:20 AM

Hi Aommaster

Got the following message when I tried to uninstall AVG

Local machine: installation failed
Installation:
Error: Action failed for registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows: creating registry key....
Error 0x80070005

Should I run Combofix anyway? There seems to be no way of stopping AVG except by uninstalling; it still runs even after exiting the program...

Many thanks for your continued help

Brian Clive

#8 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:26 AM

Posted 04 August 2009 - 09:52 AM

Hello, Brian Clive.
Glad to help :thumbup2:
There doesn't seem to be any indication in the logs that AVG is running. However, just to be on the safe side, please use these modified instructions:

We need to run a Combofix script
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    Killall::
    
    file::
    c:\windows\system32\97116vzrus577.bin
    c:\windows\system32\73zea9dwar5841.dll
    c:\windows\system32\7600bz9kdoor2505.exe
    c:\windows\system32\95595troze5.exe
    c:\windows\system32\z770threa517419.exe
    c:\windows\system32\9z292hacktoo576.bin
    c:\windows\system32\c99downloadez566.bin
    c:\windows\system32\f19b5czdoor1939.dll
    c:\windows\system32\8834wo592z8.bin
    c:\windows\system32\z055sp9mb5t4a4.exe
    c:\windows\system32\zdf59pyware2976.exe
    c:\windows\system32\z2984vi5us7e6.bin
    c:\temp\windows-kb890830-v2.12.exe
    c:\windows\system32\z8542hacktool9da.dll
    c:\windows\system32\z0bf5teal9334.bin
    c:\windows\385159ambztf.dll
    c:\windows\system32\z2397virus562.exe
    c:\windows\system32\943backd5oz1419.bin
    c:\windows\system32\8675spambzt5859.bin
  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Now, drag and drop CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

Edited by aommaster, 04 August 2009 - 09:52 AM.

My website: http://aommaster.com
Please do not send me PM's requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
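The two CFScript posts above hand-pick the dropped files from the "Files Created" section of the ComboFix log. As an added example (not from this thread and not part of ComboFix), the script below parses lines in that layout and flags the pattern visible in the log: regular files written straight into c:\windows or c:\windows\system32 whose names are a malware-family word with letters swapped for 5, 9 or z and padded with digits (97116vzrus577.bin, 385159ambztf.dll). The heuristic, the watched directories and the sample log lines are all assumptions derived from this log, not a ComboFix feature.

```python
"""Flag disguised dropper names in ComboFix 'Files Created' output.

Added example; the naming heuristic is an assumption drawn from the log
in this thread, not documented ComboFix behaviour.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample lines in ComboFix "Files Created" layout:
#   created . modified size attributes path
SAMPLE_LOG = """\
2009-12-25 11:26 . 2009-12-25 11:26 12841 ----a-w- c:\\windows\\system32\\97116vzrus577.bin
2009-08-02 16:46 . 2009-08-02 16:46 -------- d-----w- c:\\windows\\LastGood
2009-08-28 17:00 . 2009-08-28 17:00 4248 ----a-w- c:\\windows\\system32\\8834wo592z8.bin
2009-07-13 17:36 . 2009-06-05 14:56 19096 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2009-06-11 18:59 . 2009-06-11 19:00 410984 ----a-w- c:\\windows\\system32\\deploytk.dll
2009-06-03 09:28 . 2009-06-03 09:28 10272 ----a-w- c:\\windows\\385159ambztf.dll
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\S+) (\S+) (.+)$"
)

# Directories the droppers in this log were written to (assumed watch list).
WATCHED_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# Family words seen in the log, longest first so the most specific wins.
FAMILY_WORDS = [
    "not-a-virus", "downloader", "backdoor", "hacktool", "spambot",
    "spyware", "addware", "sparse", "threat", "thief", "steal",
    "virus", "worm", "troj", "spy",
]
NOISE = set("59z")  # characters the dropper swaps in for real letters


@dataclass
class Entry:
    created: str
    modified: str
    size: str   # "--------" for directories
    attrs: str  # e.g. "----a-w-" or "d-----w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


def parse_combofix(text: str) -> List[Entry]:
    """Parse 'Files Created' / 'Find3M' style lines; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def fuzzy_family_word(stem: str) -> Optional[str]:
    """Family word hidden in `stem`, allowing up to min(3, len//2) letters to
    be replaced by a noise character; None when nothing matches."""
    s = stem.lower()
    for word in FAMILY_WORDS:
        budget = min(3, len(word) // 2)
        for i in range(len(s) - len(word) + 1):
            subs = 0
            for got, want in zip(s[i:i + len(word)], word):
                if got == want:
                    continue
                if got in NOISE and want != "-":
                    subs += 1
                else:
                    subs = budget + 1  # a non-noise mismatch kills the window
                    break
            if subs <= budget:
                return word
    return None


def find_suspicious(entries: List[Entry]) -> List[Tuple[str, str]]:
    """(path, family word) for regular files in a watched directory whose
    name carries a disguised family word."""
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        directory, _, filename = e.path.lower().rpartition("\\")
        if directory not in WATCHED_DIRS:
            continue
        word = fuzzy_family_word(filename.rsplit(".", 1)[0])
        if word:
            hits.append((e.path, word))
    return hits


def build_cfscript(paths: List[str]) -> str:
    """Render the 'file::' section in the form pasted into CFScript.txt."""
    return "file::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = find_suspicious(parse_combofix(SAMPLE_LOG))
    for path, word in found:
        print(f"{path}  <- looks like '{word}'")
    print(build_cfscript([p for p, _ in found]))
```

The name heuristic is deliberately narrow (it would not flag c:\temp\windows-kb890830-v2.12.exe, which the helper listed on other grounds), so treat its output as candidates to review against the full log, not as a verdict.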


#9 Brian Clive

  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:26 AM

Posted 04 August 2009 - 12:46 PM

Hi again,

Your new text gave an error - "script format is incorrect - rich text formates are unacceptable".

However, after another attempt I was able to uninstall AVG, so I used your previous text, which worked fine this time...


ComboFix 09-08-04.01 - Owner 08/04/2009 13:05.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.256 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::
"c:\temp\windows-kb890830-v2.12.exe"
"c:\windows\385159ambztf.dll"
"c:\windows\system32\73zea9dwar5841.dll"
"c:\windows\system32\7600bz9kdoor2505.exe"
"c:\windows\system32\8675spambzt5859.bin"
"c:\windows\system32\8834wo592z8.bin"
"c:\windows\system32\943backd5oz1419.bin"
"c:\windows\system32\95595troze5.exe"
"c:\windows\system32\97116vzrus577.bin"
"c:\windows\system32\9z292hacktoo576.bin"
"c:\windows\system32\c99downloadez566.bin"
"c:\windows\system32\f19b5czdoor1939.dll"
"c:\windows\system32\z055sp9mb5t4a4.exe"
"c:\windows\system32\z0bf5teal9334.bin"
"c:\windows\system32\z2397virus562.exe"
"c:\windows\system32\z2984vi5us7e6.bin"
"c:\windows\system32\z770threa517419.exe"
"c:\windows\system32\z8542hacktool9da.dll"
"c:\windows\system32\zdf59pyware2976.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Favorites\AutoTrader.com .url
c:\temp\windows-kb890830-v2.12.exe
c:\windows\385159ambztf.dll
c:\windows\system32\6d89sparse5z5.ocx
c:\windows\system32\6eb9stzal10775.bin
c:\windows\system32\6z8fd5wnloader1696.exe
c:\windows\system32\6zefth9ef325.ocx
c:\windows\system32\6zfdadd9are28115.cpl
c:\windows\system32\704ztroj6519.cpl
c:\windows\system32\7092spz5are994.bin
c:\windows\system32\72419t5az1856.bin
c:\windows\system32\72439pz559.ocx
c:\windows\system32\73225hief5z19.dll
c:\windows\system32\73db9t5az938.cpl
c:\windows\system32\73zea9dwar5841.dll
c:\windows\system32\74c295azse1874.ocx
c:\windows\system32\7549ro54f4z.exe
c:\windows\system32\755hackzool955.bin
c:\windows\system32\75a4s9zrse1969.dll
c:\windows\system32\7600bz9kdoor2505.exe
c:\windows\system32\7950zo9m4ed.cpl
c:\windows\system32\79abth5eatz1117.ocx
c:\windows\system32\79f75iz599.cpl
c:\windows\system32\7aafzte9l5818.cpl
c:\windows\system32\7bz9addwar52252.bin
c:\windows\system32\7c9a9ir2853z.cpl
c:\windows\system32\7f95zddware93.ocx
c:\windows\system32\7z1f9parse2150.bin
c:\windows\system32\7z4tr9j5c9.ocx
c:\windows\system32\843359ojz98.bin
c:\windows\system32\862zspamb9t65.exe
c:\windows\system32\8675spambzt5859.bin
c:\windows\system32\8834wo592z8.bin
c:\windows\system32\8935spz9a8.dll
c:\windows\system32\8964spamzot150.ocx
c:\windows\system32\90683trz52a5.exe
c:\windows\system32\91735hac5tozl41d.bin
c:\windows\system32\91e5steaz54.cpl
c:\windows\system32\91hac9toolz59.cpl
c:\windows\system32\921f5parse8z3.cpl
c:\windows\system32\922atzie53107.exe
c:\windows\system32\9241thzeat5682.cpl
c:\windows\system32\92z75worm134.dll
c:\windows\system32\9300thrz5t13446.ocx
c:\windows\system32\931bazkd9or1544.cpl
c:\windows\system32\93245troj31z.bin
c:\windows\system32\943backd5oz1419.bin
c:\windows\system32\94c7zi52393.exe
c:\windows\system32\9529t5izf285.exe
c:\windows\system32\95417szy54b.exe
c:\windows\system32\95595troze5.exe
c:\windows\system32\95979orm53z.dll
c:\windows\system32\95z77spy9f.ocx
c:\windows\system32\95z89spy735.bin
c:\windows\system32\96233zpambo5529.exe
c:\windows\system32\96525acktooz126.dll
c:\windows\system32\97116vzrus577.bin
c:\windows\system32\9790spam5ot5z19.cpl
c:\windows\system32\97z47not-5-virus29e.ocx
c:\windows\system32\989stezl24925.cpl
c:\windows\system32\9926zot-a-vir5s325.ocx
c:\windows\system32\9957t9zj798.bin
c:\windows\system32\9969t5ief2590z.bin
c:\windows\system32\99752hacktozl23.bin
c:\windows\system32\99z5ac9door168.ocx
c:\windows\system32\9c8bthzeat270275.dll
c:\windows\system32\9e46thiez1955.ocx
c:\windows\system32\9z292hacktoo576.bin
c:\windows\system32\9z54sp53f.bin
c:\windows\system32\c99downloadez566.bin
c:\windows\system32\dz0do5nloader26029.cpl
c:\windows\system32\e67st9al5z54.dll
c:\windows\system32\f19b5czdoor1939.dll
c:\windows\system32\z0502spy5679.ocx
c:\windows\system32\z055sp9mb5t4a4.exe
c:\windows\system32\z069steal845.cpl
c:\windows\system32\z0bf5teal9334.bin
c:\windows\system32\z21addwa9e856.exe
c:\windows\system32\z2397virus562.exe
c:\windows\system32\z2447wo5m9d7.cpl
c:\windows\system32\z2785not-a-9irus2a0.bin
c:\windows\system32\z2959worm7c.exe
c:\windows\system32\z2984vi5us7e6.bin
c:\windows\system32\z3093troj55e9.ocx
c:\windows\system32\z3611sp95445.dll
c:\windows\system32\z443tr5j3c9.cpl
c:\windows\system32\z512not-a-vi5u91c5.cpl
c:\windows\system32\z530down5o9der817.cpl
c:\windows\system32\z5494not-a-virus1f5.dll
c:\windows\system32\z55a9dware1655.bin
c:\windows\system32\z582spa9se139.cpl
c:\windows\system32\z593vir298.bin
c:\windows\system32\z5c2backdoor9469.exe
c:\windows\system32\z5e19teal139.bin
c:\windows\system32\z675hack5ool95.dll
c:\windows\system32\z770threa517419.exe
c:\windows\system32\z8542hacktool9da.dll
c:\windows\system32\z8997worm5a7.ocx
c:\windows\system32\z89fthief455.exe
c:\windows\system32\z9489rojf5.cpl
c:\windows\system32\z95vir2821.cpl
c:\windows\system32\z9ccthreat4859.exe
c:\windows\system32\za5s9arse613.dll
c:\windows\system32\zbb2thie5219.dll
c:\windows\system32\zcc59ir314.ocx
c:\windows\system32\zdf59pyware2976.exe
c:\windows\system32\zf00s9arse5045.dll
c:\windows\system32\zf659hreat18663.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-04 to 2009-08-04 )))))))))))))))))))))))))))))))
.

2009-08-04 13:56 . 2009-08-04 13:56 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-08-01 14:11 . 2009-08-01 14:11 -------- d-----w- C:\rsit
2009-07-22 19:05 . 2009-07-22 19:05 -------- d-----w- c:\program files\Trend Micro
2009-07-21 17:03 . 2009-07-21 17:04 -------- d-----w- c:\program files\ERUNT
2009-07-20 14:05 . 2009-07-20 14:05 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2009-07-08 18:49 . 2009-07-08 18:49 -------- d-----w- c:\program files\Easy DVD CD Burner
2009-07-08 18:40 . 2009-07-08 18:47 -------- d-----w- c:\documents and settings\Brian C\Application Data\Azureus
2009-07-08 18:27 . 2009-07-08 18:27 -------- d-----w- c:\documents and settings\Brian C\Local Settings\Application Data\Identities
2009-07-08 18:14 . 2009-07-08 18:27 -------- d-----w- c:\documents and settings\Brian C\Local Settings\Application Data\Musicmatch

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-04 13:57 . 2009-06-16 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-04 13:56 . 2009-06-05 14:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 17:51 . 2008-03-21 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-08-02 14:22 . 2007-02-21 03:13 -------- d-----w- c:\documents and settings\Owner\Application Data\Azureus
2009-08-02 14:20 . 2009-06-08 16:52 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-07-20 14:05 . 2007-03-25 18:30 41560 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-01 14:31 . 2009-07-01 14:31 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-06-29 16:12 . 2004-08-26 16:12 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-26 16:11 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-26 16:11 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-16 14:36 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-26 16:11 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-11 18:59 . 2009-06-11 19:00 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-11 18:59 . 2005-09-10 21:27 -------- d-----w- c:\program files\Java
2009-06-11 18:44 . 2009-06-11 18:44 152576 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-06-03 19:09 . 2004-08-26 16:12 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-30 21:03 . 2009-05-30 20:58 19558 ----a-w- c:\windows\hpoins01.dat
2009-05-30 13:46 . 2008-05-20 12:26 120088 ----a-w- c:\documents and settings\Owner\Application Data\Mozilla\Plugins\npoctoshape.dll
2009-05-15 17:58 . 2009-05-15 17:58 2232 ----a-w- c:\windows\java\Packages\Data\B1NR3HFN.DAT
2009-05-15 17:58 . 2009-05-15 17:58 155995 ----a-w- c:\windows\java\Packages\IMC2D7BZ.ZIP
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\YPNRTB1B.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\U8NFPV5R.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\PNNBBNN5.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\0CB7JZBV.DAT
2009-05-15 17:58 . 2009-05-15 17:58 2678 ----a-w- c:\windows\java\Packages\Data\VNDFB1ZR.DAT
2009-05-15 17:57 . 2009-05-17 17:07 45056 ----a-w- c:\windows\system32\HSSICore.dll
2009-05-15 17:57 . 2009-05-17 17:07 184320 ----a-w- c:\windows\system32\OESICore.dll
2009-05-15 17:57 . 2009-05-15 17:57 98136 ----a-w- c:\windows\gzip.exe
2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
2005-05-13 22:12 . 2005-05-13 22:12 217073 --sha-r- c:\windows\meta4.exe
2005-10-24 16:13 . 2005-10-24 16:13 66560 --sha-r- c:\windows\MOTA113.exe
2005-10-14 02:27 . 2005-10-14 02:27 422400 --sha-r- c:\windows\x2.64.exe
2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r- c:\windows\system32\cygz.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2006-04-27 15:24 . 2006-04-27 15:24 2945024 --sha-r- c:\windows\system32\Smab.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-02_15.28.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-11 23:41 . 2009-07-11 23:41 97280 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_473666fd\ATL80.dll
+ 2009-08-04 16:59 . 2009-08-04 16:59 16384 c:\windows\Temp\Perflib_Perfdata_4c8.dat
+ 2007-01-05 18:43 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2007-01-05 18:43 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 44544 c:\windows\system32\pngfilt.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 44544 c:\windows\system32\pngfilt.dll
- 2006-11-08 02:03 . 2009-02-20 18:09 52224 c:\windows\system32\msfeedsbs.dll
+ 2006-11-08 02:03 . 2009-06-29 16:12 52224 c:\windows\system32\msfeedsbs.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 27648 c:\windows\system32\jsproxy.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 27648 c:\windows\system32\jsproxy.dll
+ 2006-11-07 08:26 . 2009-06-29 11:07 13824 c:\windows\system32\ieudinit.exe
- 2006-11-07 08:26 . 2009-02-20 10:20 13824 c:\windows\system32\ieudinit.exe
+ 2004-08-26 16:11 . 2009-06-29 16:12 44544 c:\windows\system32\iernonce.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 44544 c:\windows\system32\iernonce.dll
+ 2004-08-26 16:11 . 2009-06-29 11:07 70656 c:\windows\system32\ie4uinit.exe
- 2004-08-26 16:11 . 2009-02-20 10:20 70656 c:\windows\system32\ie4uinit.exe
+ 2006-10-17 16:58 . 2009-06-29 16:12 63488 c:\windows\system32\icardie.dll
- 2006-10-17 16:58 . 2009-02-20 18:09 63488 c:\windows\system32\icardie.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\pngfilt.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\pngfilt.dll
- 2007-05-09 17:42 . 2009-02-20 18:09 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2007-05-09 17:42 . 2009-06-29 16:12 52224 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 27648 c:\windows\system32\dllcache\jsproxy.dll
- 2007-05-09 17:42 . 2009-02-20 10:20 13824 c:\windows\system32\dllcache\ieudinit.exe
+ 2007-05-09 17:42 . 2009-06-29 11:07 13824 c:\windows\system32\dllcache\ieudinit.exe
- 2004-08-26 16:11 . 2009-02-20 18:09 44544 c:\windows\system32\dllcache\iernonce.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 44544 c:\windows\system32\dllcache\iernonce.dll
- 2009-02-20 18:09 . 2009-02-20 18:09 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2009-02-20 18:09 . 2009-06-29 16:12 78336 c:\windows\system32\dllcache\ieencode.dll
+ 2004-08-26 16:11 . 2009-06-29 11:07 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2004-08-26 16:11 . 2009-02-20 10:20 70656 c:\windows\system32\dllcache\ie4uinit.exe
- 2007-08-20 10:04 . 2009-02-20 18:09 63488 c:\windows\system32\dllcache\icardie.dll
+ 2007-08-20 10:04 . 2009-06-29 16:12 63488 c:\windows\system32\dllcache\icardie.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 81920 c:\windows\system32\dllcache\fontsub.dll
+ 2009-06-29 16:12 . 2009-06-29 16:12 17408 c:\windows\system32\dllcache\corpol.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB972260-IE7\pngfilt.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 52224 c:\windows\ie7updates\KB972260-IE7\msfeedsbs.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 27648 c:\windows\ie7updates\KB972260-IE7\jsproxy.dll
+ 2009-08-02 21:51 . 2009-02-20 10:20 13824 c:\windows\ie7updates\KB972260-IE7\ieudinit.exe
+ 2009-08-02 21:51 . 2009-02-20 18:09 44544 c:\windows\ie7updates\KB972260-IE7\iernonce.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 78336 c:\windows\ie7updates\KB972260-IE7\ieencode.dll
+ 2009-08-02 21:51 . 2009-02-20 10:20 70656 c:\windows\ie7updates\KB972260-IE7\ie4uinit.exe
+ 2009-08-02 21:51 . 2009-02-20 18:09 63488 c:\windows\ie7updates\KB972260-IE7\icardie.dll
+ 2009-08-02 21:51 . 2008-04-14 00:11 35328 c:\windows\ie7updates\KB972260-IE7\corpol.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 233472 c:\windows\system32\webcheck.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 233472 c:\windows\system32\webcheck.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 105984 c:\windows\system32\url.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 105984 c:\windows\system32\url.dll
+ 2004-08-26 16:12 . 2009-04-15 14:51 585216 c:\windows\system32\rpcrt4.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 102912 c:\windows\system32\occache.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 102912 c:\windows\system32\occache.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 671232 c:\windows\system32\mstime.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 671232 c:\windows\system32\mstime.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 193024 c:\windows\system32\msrating.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 193024 c:\windows\system32\msrating.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 477696 c:\windows\system32\mshtmled.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 477696 c:\windows\system32\mshtmled.dll
+ 2006-11-08 02:03 . 2009-06-29 16:12 459264 c:\windows\system32\msfeeds.dll
- 2006-11-08 02:03 . 2009-02-20 18:09 459264 c:\windows\system32\msfeeds.dll
+ 2006-10-17 16:57 . 2009-06-29 16:12 268288 c:\windows\system32\iertutil.dll
- 2006-10-17 16:57 . 2009-02-20 18:09 268288 c:\windows\system32\iertutil.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 385024 c:\windows\system32\iedkcs32.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 385024 c:\windows\system32\iedkcs32.dll
+ 2006-10-17 16:27 . 2009-06-29 16:12 380928 c:\windows\system32\ieapfltr.dll
+ 2004-08-26 16:11 . 2009-06-29 08:33 161792 c:\windows\system32\ieakui.dll
- 2004-08-26 16:11 . 2009-02-20 05:14 161792 c:\windows\system32\ieakui.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 230400 c:\windows\system32\ieaksie.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 230400 c:\windows\system32\ieaksie.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 153088 c:\windows\system32\ieakeng.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 153088 c:\windows\system32\ieakeng.dll
- 2004-08-26 10:54 . 2009-07-01 14:52 164320 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-26 10:54 . 2009-08-03 17:50 164320 c:\windows\system32\FNTCACHE.DAT
- 2004-08-26 16:11 . 2009-02-20 18:09 133120 c:\windows\system32\extmgr.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 133120 c:\windows\system32\extmgr.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 214528 c:\windows\system32\dxtrans.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 347136 c:\windows\system32\dxtmsft.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 347136 c:\windows\system32\dxtmsft.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 827392 c:\windows\system32\dllcache\wininet.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 233472 c:\windows\system32\dllcache\webcheck.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 105984 c:\windows\system32\dllcache\url.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 105984 c:\windows\system32\dllcache\url.dll
+ 2009-06-16 14:36 . 2009-06-16 14:36 119808 c:\windows\system32\dllcache\t2embed.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 102912 c:\windows\system32\dllcache\occache.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 671232 c:\windows\system32\dllcache\mstime.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 671232 c:\windows\system32\dllcache\mstime.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 193024 c:\windows\system32\dllcache\msrating.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 193024 c:\windows\system32\dllcache\msrating.dll
+ 2004-08-26 16:12 . 2009-06-29 16:12 477696 c:\windows\system32\dllcache\mshtmled.dll
- 2004-08-26 16:12 . 2009-02-20 18:09 477696 c:\windows\system32\dllcache\mshtmled.dll
+ 2007-05-09 17:42 . 2009-06-29 16:12 459264 c:\windows\system32\dllcache\msfeeds.dll
- 2007-05-09 17:42 . 2009-02-20 18:09 459264 c:\windows\system32\dllcache\msfeeds.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
+ 2004-08-26 18:01 . 2009-06-29 08:35 634632 c:\windows\system32\dllcache\iexplore.exe
- 2007-05-09 17:42 . 2009-02-20 18:09 268288 c:\windows\system32\dllcache\iertutil.dll
+ 2007-05-09 17:42 . 2009-06-29 16:12 268288 c:\windows\system32\dllcache\iertutil.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 385024 c:\windows\system32\dllcache\iedkcs32.dll
+ 2007-05-09 17:42 . 2009-06-29 16:12 380928 c:\windows\system32\dllcache\ieapfltr.dll
+ 2004-08-26 16:11 . 2009-06-29 08:33 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-26 16:11 . 2009-02-20 05:14 161792 c:\windows\system32\dllcache\ieakui.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 230400 c:\windows\system32\dllcache\ieaksie.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 230400 c:\windows\system32\dllcache\ieaksie.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 153088 c:\windows\system32\dllcache\ieakeng.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 153088 c:\windows\system32\dllcache\ieakeng.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 133120 c:\windows\system32\dllcache\extmgr.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 214528 c:\windows\system32\dllcache\dxtrans.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 347136 c:\windows\system32\dllcache\dxtmsft.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 347136 c:\windows\system32\dllcache\dxtmsft.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 124928 c:\windows\system32\dllcache\advpack.dll
+ 2004-08-26 16:11 . 2009-06-29 16:12 124928 c:\windows\system32\advpack.dll
- 2004-08-26 16:11 . 2009-02-20 18:09 124928 c:\windows\system32\advpack.dll
+ 2009-08-02 21:49 . 2009-08-02 21:49 248832 c:\windows\Installer\118b2e8.msi
+ 2009-08-02 21:51 . 2009-03-03 00:18 826368 c:\windows\ie7updates\KB972260-IE7\wininet.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 233472 c:\windows\ie7updates\KB972260-IE7\webcheck.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 105984 c:\windows\ie7updates\KB972260-IE7\url.dll
+ 2009-08-02 21:51 . 2009-05-26 11:40 382840 c:\windows\ie7updates\KB972260-IE7\spuninst\updspapi.dll
+ 2009-08-02 21:51 . 2008-07-08 13:02 231288 c:\windows\ie7updates\KB972260-IE7\spuninst\spuninst.exe
+ 2009-08-02 21:51 . 2009-02-20 18:09 102912 c:\windows\ie7updates\KB972260-IE7\occache.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 671232 c:\windows\ie7updates\KB972260-IE7\mstime.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 193024 c:\windows\ie7updates\KB972260-IE7\msrating.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 477696 c:\windows\ie7updates\KB972260-IE7\mshtmled.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 459264 c:\windows\ie7updates\KB972260-IE7\msfeeds.dll
+ 2009-08-02 21:51 . 2009-02-28 04:54 636072 c:\windows\ie7updates\KB972260-IE7\iexplore.exe
+ 2009-08-02 21:51 . 2009-02-20 18:09 268288 c:\windows\ie7updates\KB972260-IE7\iertutil.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 385024 c:\windows\ie7updates\KB972260-IE7\iedkcs32.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 383488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dll
+ 2009-08-02 21:51 . 2009-02-20 05:14 161792 c:\windows\ie7updates\KB972260-IE7\ieakui.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 230400 c:\windows\ie7updates\KB972260-IE7\ieaksie.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 153088 c:\windows\ie7updates\KB972260-IE7\ieakeng.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 133120 c:\windows\ie7updates\KB972260-IE7\extmgr.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 214528 c:\windows\ie7updates\KB972260-IE7\dxtrans.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 347136 c:\windows\ie7updates\KB972260-IE7\dxtmsft.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 124928 c:\windows\ie7updates\KB972260-IE7\advpack.dll
+ 2004-08-26 16:12 . 2009-04-17 12:26 1847168 c:\windows\system32\win32k.sys
+ 2004-08-26 16:12 . 2009-06-29 16:12 1159680 c:\windows\system32\urlmon.dll
+ 2004-08-26 16:12 . 2009-07-19 13:33 3597824 c:\windows\system32\mshtml.dll
+ 2006-11-08 02:03 . 2009-07-19 13:32 6067200 c:\windows\system32\ieframe.dll
+ 2006-09-06 04:01 . 2009-06-29 08:33 2452872 c:\windows\system32\ieapfltr.dat
+ 2008-10-15 16:10 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2004-08-26 16:12 . 2009-06-29 16:12 1159680 c:\windows\system32\dllcache\urlmon.dll
+ 2008-05-07 05:12 . 2009-06-03 19:09 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2004-08-26 16:12 . 2009-07-19 13:33 3597824 c:\windows\system32\dllcache\mshtml.dll
+ 2007-05-09 17:42 . 2009-07-19 13:32 6067200 c:\windows\system32\dllcache\ieframe.dll
+ 2007-05-09 17:42 . 2009-06-29 08:33 2452872 c:\windows\system32\dllcache\ieapfltr.dat
+ 2009-08-02 21:51 . 2009-02-20 18:09 1160192 c:\windows\ie7updates\KB972260-IE7\urlmon.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 3595264 c:\windows\ie7updates\KB972260-IE7\mshtml.dll
+ 2009-08-02 21:51 . 2009-02-20 18:09 6066176 c:\windows\ie7updates\KB972260-IE7\ieframe.dll
+ 2009-08-02 21:51 . 2008-07-09 14:25 2455488 c:\windows\ie7updates\KB972260-IE7\ieapfltr.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"NBJ"="c:\progra~1\Ahead\NEROBA~1\NBJ.exe" [2005-06-02 1957888]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"Octoshape Streaming Services"="c:\program files\Octoshape Streaming Services\Owner\OctoshapeClient.exe" [2006-02-13 214648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2004-09-30 7957504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-03 32768]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-03-15 966656]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2001-12-17 483394]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-11 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11776]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-01-19 110592]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-10-27 344064]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 63712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"VTTrayp"="VTtrayp.exe" - c:\windows\system32\VTTrayp.exe [2004-06-22 143360]
"VTTimer"="VTTimer.exe" - c:\windows\system32\VTTimer.exe [2004-10-01 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-9 323646]
hpoddt01.exe.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-4-9 28672]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-6-28 54512]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4000:TCP"= 4000:TCP:Bittorrent
"4001:TCP"= 4001:TCP:Bittorrent
"4002:TCP"= 4002:TCP:Bittorrent
"4003:TCP"= 4003:TCP:Bittorrent
"4004:TCP"= 4004:TCP:Bittorrent
"4005:TCP"= 4005:TCP:Bittorrent
"50021:TCP"= 50021:TCP:Bittorrent

.
Contents of the 'Scheduled Tasks' folder

2009-08-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-03 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 2100 series272A572217594EBCF1CEE215E352B92AD073FDE4243717409.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 21:56]

2009-08-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-02-01 20:56]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Trusted Zone: torrent-finder.com\www
Trusted Zone: musicmatch.com\online
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-04 13:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(684)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-08-04 13:14
ComboFix-quarantined-files.txt 2009-08-04 17:13
ComboFix2.txt 2009-08-02 16:59
ComboFix3.txt 2009-08-02 15:32

Pre-Run: 31,821,594,624 bytes free
Post-Run: 31,945,891,840 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
446 --- E O F --- 2009-08-02 21:51



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:45:45 PM, on 8/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Octoshape Streaming Services] "C:\Program Files\Octoshape Streaming Services\Owner\OctoshapeClient.exe" -inv:bootrun
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://setup.bellsouth.net/wizlet/PWReset/...aller_6-1-2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169394648520
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: NMSAccess - Unknown owner - C:\Program Files\Cheetah Burner\Cheetah DVD Burner\NMSAccess.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8630 bytes
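As an added example, not part of this thread or of DDS/HijackThis itself, a small Python triage script that parses O4 (autostart) and O23 (service) lines like the ones above and flags the entries a malware responder would look at first. The sample lines are copied from the log; the flagging rules are the editor's heuristics, not the tool's own logic.

```python
"""Triage helper for HijackThis-style O4 (autostart) and O23 (service) lines.

Constructed sample input: the lines below are taken from the log posted above.
The triage rules are an editor's heuristics for ordering review, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - Global Startup: hpoddt01.exe.lnk = ?
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
"""

# Registry autostart: hive, value name, command line, optional owning user.
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder shortcut: "name.lnk = target"; the tool prints "?" when unresolved.
LNK_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
# Service: display name, file-version company ("Unknown owner" if absent), image path.
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Leading program path inside a command line, quoted or bare.
IMAGE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|bat|pif|scr|dll|sys))(?:\s|$)', re.I
)


@dataclass
class Entry:
    kind: str              # "run", "lnk" or "service"
    name: str
    image: Optional[str]   # program path, None when it cannot be recovered
    context: str           # hive/user for O4 entries, owner for O23 entries


def image_of(cmd: str) -> Optional[str]:
    """Pull the program path out of a Run value or shortcut target."""
    cmd = cmd.strip()
    if cmd in ("", "?"):
        return None
    m = IMAGE_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else None


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a recognised O4/O23 line, None for anything else."""
    if m := RUN_RE.match(line):
        ctx = m.group("user") or m.group("hive")
        return Entry("run", m.group("name"), image_of(m.group("cmd")), ctx)
    if m := LNK_RE.match(line):
        return Entry("lnk", m.group("name"), image_of(m.group("cmd")), "Global Startup")
    if m := SVC_RE.match(line):
        return Entry("service", m.group("name"), m.group("path").strip(), m.group("owner"))
    return None


# Run entries under these contexts execute for accounts no person logs into.
SYSTEM_CONTEXTS = {"SYSTEM", "Default user", "HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs an analyst should inspect first."""
    findings = []
    for e in entries:
        if e.image is None:
            findings.append((e, "target could not be resolved"))
        elif e.kind == "run" and e.context in SYSTEM_CONTEXTS:
            findings.append((e, "per-user program registered to run for a system account"))
        elif e.kind == "service" and e.context == "Unknown owner":
            findings.append((e, "service binary carries no company information"))
        elif e.kind == "service" and not e.image.lower().endswith(".exe"):
            findings.append((e, "service image is not an .exe"))
    return findings


def triage_log(text: str) -> Tuple[List[Entry], List[Tuple[Entry, str]]]:
    """Parse every recognised line of a log and triage the result."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return entries, triage(entries)


if __name__ == "__main__":
    parsed, flagged = triage_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed, {len(flagged)} flagged for review")
    for entry, why in flagged:
        print(f"  [{entry.kind}] {entry.name!r} ({entry.context}): {why}")
```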

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:26 AM

Posted 04 August 2009 - 01:35 PM

Hello, Brian Clive.
We need to run JavaRa to remove older versions of Java
  • Please download JavaRa and unzip it to your Desktop.
    ***Please close any instances of Internet Explorer or Firefox before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted.
  • When JavaRa is finished, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please post it here in your next reply.
NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 14.
  • Click the Download button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u14-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

NEXT:

We need to run a Kaspersky Scan
  • Go to Kaspersky WebScanner
  • Click on Kaspersky Online Scanner
  • You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database --> Extended (if available otherwise Standard)
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan, Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
In your next reply, please include the following:
  • JavaRA Log File
  • Kaspersky Log
  • Description of any remaining problems

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 Brian Clive

Brian Clive
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:26 AM

Posted 05 August 2009 - 09:05 AM

Good Morning Aommaster,

Here are the 2 reports. I was able to do a Windows update, and computer seems to be running well. Would you suggest I run any defensive software in addition to AVG?

You have been very helpful

Tuesday, August 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, August 04, 2009 21:07:29
Records in database: 2580417


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 73273
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 01:57:06

File name Threat name Threats count
D:\i386\Apps\App03130\comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.



#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:08:26 AM

Posted 05 August 2009 - 10:05 AM

Hello, Brian Clive.
It's been a pleasure to help you :thumbup2:

Would you suggest I run any defensive software in addition to AVG?

I've listed possible programs you could use towards the end of this post :)

Also, feel free to delete JavaRa and the zip package it came in. It has done its job and we don't need it anymore




We need to uninstall Combofix
  • Click on your Start Menu, then Run....
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".



Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean :)



One of the most common questions found when cleaning Spyware or other Malware is "how did my machine get infected?". There are a variety of reasons, but the most common ones are that you are visiting sites without practicing Safe Internet, that you are not running the proper security software, and that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer so that you will not be infected again in the future.


Practice Safe Internet

One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below is a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: Rogue/Suspect Anti-Spyware Products & Web Sites
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
  • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
  • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
Visit Microsoft's Windows Update Site Frequently
It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Make Internet Explorer 6 and below more secure
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
    • Change the Download signed ActiveX controls to Prompt
    • Change the Download unsigned ActiveX controls to Disable
    • Change the Initialize and script ActiveX controls not marked as safe to Disable
    • Change the Installation of desktop items to Prompt
    • Change the Launching programs and files in an IFRAME to Prompt
    • Change the Navigate sub-frames across different domains to Prompt

      When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Update your AntiVirus Software

It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.


Make sure your applications have all of their updates

It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Use a Firewall

Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls

Install an AntiSpyware Program

A highly recommended AntiSpyware program is SuperAntiSpyware. You can download the free Home Version, or the Pro version for a 15 day trial period.

Other recommended, and free, AntiSpyware programs are Spybot - Search and Destroy and Ad-Aware Personal.

Installing these programs will provide spyware & hijacker protection on your computer alongside your virus protection. You should scan your computer with an AntiSpyware program on a regular basis, just as you would with antivirus software.

Tutorials on using these programs can be found below:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware

Update all these programs regularly
Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
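The "Make Internet Explorer 6 and below more secure" steps above, as an added example that is not part of aommaster's post: a PowerShell script that audits the current user's Internet-zone settings against the six recommended values and, when run with -Apply, changes the ones that differ. It assumes the registry location and numeric value names Microsoft documents for the Internet zone (zone 3 under HKCU\...\Internet Settings\Zones, with 0 = Enable, 1 = Prompt, 3 = Disable); the function and parameter names are my own.

```powershell
# Added example (not from the original post). Audits, and with -Apply sets, the
# Internet-zone "Custom Level" settings recommended above by editing the registry
# values behind the dialog. Assumptions: zone 3 is the Internet zone and the
# numeric value names below are Microsoft's documented action IDs for it.
param([switch]$Apply)

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values: 0 = Enable, 1 = Prompt, 3 = Disable
$Wanted = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Returns the current DWORD for one setting, or $null if the value is not
# present (IE then falls back to the zone template default).
function Get-ZoneSetting([string]$Id) {
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Id
}

# Compares every recommended setting with the live value, prints a one-line
# verdict per setting, fixes mismatches when -Apply is given, and returns the
# number of settings that differed.
function Test-InternetZone {
    $bad = 0
    foreach ($id in ($Wanted.Keys | Sort-Object)) {
        $current = Get-ZoneSetting $id
        $want    = $Wanted[$id].Value
        $curText = if ($current -eq $null)             { 'not set (default)' }
                   elseif ($Labels.ContainsKey($current)) { $Labels[$current] }
                   else                                 { "value $current" }
        if ($current -eq $want) {
            Write-Host ("OK      {0,-62} {1}" -f $Wanted[$id].Name, $curText)
        } else {
            $bad++
            Write-Host ("CHANGE  {0,-62} {1} -> {2}" -f $Wanted[$id].Name, $curText, $Labels[$want])
            if ($Apply) {
                Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
            }
        }
    }
    return $bad
}

$n = Test-InternetZone
if ($n -eq 0)    { Write-Host 'Internet zone already matches the recommended settings.' }
elseif ($Apply)  { Write-Host "Applied $n change(s); close and reopen Internet Explorer." }
else             { Write-Host "$n setting(s) differ; re-run with -Apply to change them." }
```

Run it once without -Apply to see what would change, then with -Apply. Because it edits HKCU it affects only the user who runs it, and a machine-wide policy under HKLM can still override what it sets; the dialog in the post is the authoritative view of what IE actually enforces.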


#13 Brian Clive (Topic Starter, Members, 8 posts)

Posted 05 August 2009 - 01:09 PM

Great work aommaster! Everything's running fine now :thumbup2:
I appreciate your recommendations, which I will use.
I've learned a lot from this experience and once again many thanks for your help.

Brian Clive

#14 aommaster (Malware Response Team, 5,294 posts, Dubai)
    I !<3 malware

Posted 05 August 2009 - 01:22 PM

More than happy to help! Happy Computing :thumbup2:



#15 PropagandaPanda (Malware Response Team, 10,433 posts)

Posted 05 August 2009 - 04:11 PM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
