A message popup that keeps popping up!


  • This topic is locked
24 replies to this topic

#1 bladekmaster

bladekmaster

  • Members
  • 24 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 06 August 2009 - 03:20 PM

Hello,
I keep getting a message on my computer that says this:
The Application or DLL c:\windows\system32\gunanami.dll is not a valid Windows image. Please check this against your installation diskette.

I did a virus scan, but it didn't detect anything. I ran HijackThis. Here is what I have.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:46 PM, on 8/6/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: (no name) - {ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} - C:\WINDOWS\system32\fihimemo.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PC Security 2009] "C:\Program Files\PC_Security2009\PC_Security2009.exe" /hide
O4 - HKLM\..\Run: [huzimetera] Rundll32.exe "C:\WINDOWS\system32\voruzome.dll",s
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E3883C2-AD2D-4503-B2E9-A1F23298F60B}: NameServer = 85.255.112.150,85.255.112.69
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.150,85.255.112.69
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.150,85.255.112.69
O20 - AppInit_DLLs: c:\windows\system32\gunanami.dll c:\windows\system32\rujiwoko.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 6719 bytes


#2 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:06 PM

Posted 08 August 2009 - 11:24 PM

Hello bladekmaster,

What antivirus are you running on this computer?


Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.



Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 bladekmaster

bladekmaster
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  • Local time:02:06 PM

Posted 09 August 2009 - 03:47 PM

Okay:
- I use Webroot AntiVirus with AntiSpyware. I scanned my computer, and the only thing that it detected was a Virtumonde (sp?). So yeah.

- Here is the Security Checkup File.

Results of screen317's Security Check version 0.98.7
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!

Webroot AntiVirus with AntiSpyware

Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:

Spy Sweeper Core
Webroot AntiVirus with AntiSpyware
Malwarebytes' Anti-Malware
HijackThis 2.0.2
TuneUp Utilities 2009
Java™ 6 Update 11
Java™ 6 Update 7
Java 2 Runtime Environment, SE v1.4.2_03
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 6.0.1
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent



``````````````````````````````
DNS Vulnerability Check:

GREAT! (Very random)

`````````End of Log```````````

-Here is the MBAM-log.

Malwarebytes' Anti-Malware 1.40
Database version: 2551
Windows 5.1.2600 Service Pack 2

8/9/2009 3:19:55 PM
mbam-log-2009-08-09 (15-19-55).txt

Scan type: Full Scan (C:\|)
Objects scanned: 169303
Time elapsed: 31 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 9
Registry Values Infected: 9
Registry Data Items Infected: 14
Folders Infected: 9
Files Infected: 36

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fihimemo.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wijumube.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\voruzome.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kozafuli.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\sfxdrv (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\huzimetera (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm6f293aa5 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Delete on reboot.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\sfx (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\wijumube.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\wijumube.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\kozafuli.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\kozafuli.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.150,85.255.112.69 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{3e3883c2-ad2d-4503-b2e9-a1f23298f60b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.150,85.255.112.69 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.150,85.255.112.69 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3e3883c2-ad2d-4503-b2e9-a1f23298f60b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.150,85.255.112.69 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.150,85.255.112.69 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{3e3883c2-ad2d-4503-b2e9-a1f23298f60b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.150,85.255.112.69 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\MyWaySA (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\PC_Security2009 (Rogue.PCSecurity2009) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2} (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Application Data\DoubleD (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Application Data\DoubleD\GamingHarbor Toolbar (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Application Data\DoubleD\GamingHarbor Toolbar\4.1.4.20920 (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Application Data\DoubleD\GamingHarbor Toolbar\4.1.4.20920\bin (Adware.DoubleD) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\voruzome.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wijumube.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\fihimemo.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\kozafuli.dll (Trojan.BHO) -> Delete on reboot.
C:\kpepb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\myacngu.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\rtdasr.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\PC_Security2009\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wefuteva.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\installb[1].exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\~TM37.tmp (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\~TM81EC3F.TMP (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\bg.jpg (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\CurrentVersion.xml (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\icon.ico (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\productinfo.dll (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Setup.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\stbup.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\tdf.dat (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\{5617ECA9-488D-4BA2-8562-9710B9AB78D2}\Data\ProductInfo.mx (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Application Data\DoubleD\GamingHarbor Toolbar\4.1.4.20920\bin\stbup.exe (Adware.DoubleD) -> Quarantined and deleted successfully.
C:\Documents and Settings\Pop\Local Settings\Temporary Internet Files\rimivewoz.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\delself.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\zikewapo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nenepoke.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rojayefi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tatetimo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\him2.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\MSIVXcount (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\0101120101465049.dat (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\gfub.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

- And here's the updated HiJackThis Log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:29:36 PM, on 8/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - AppInit_DLLs: c:\windows\system32\gunanami.dll c:\windows\system32\rujiwoko.dll
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 5682 bytes
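In this second HijackThis log the O20 AppInit_DLLs line still names gunanami.dll and rujiwoko.dll, the same DLLs as in the first log and the file named in the popup, so the MBAM pass did not clear that value. As an added example (not from the thread, HijackThis or MBAM), this Python script parses the entry lines of such a log, flags the patterns seen here (AppInit_DLLs entries, O17 NameServer values outside an expected set, Run entries loading a DLL via rundll32, unnamed BHOs) and reports which flagged entries persist from one log to the next; the expected-resolver set and the severity labels are assumptions for the example, and the sample lines are copied from the two logs posted above.

```python
"""Triage persistence entries in HijackThis logs and compare two logs.
Added example for this thread; not part of HijackThis or any tool named here."""
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Resolvers the machine's owner expects (assumption: a typical home router).
# Any public IP in an O17 NameServer line outside this set is flagged.
EXPECTED_DNS = {"192.168.1.1"}

# Entry lines look like "O20 - AppInit_DLLs: ..."; process-list and header lines don't match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# rundll32 loading a DLL from a Run entry, e.g. Rundll32.exe "C:\...\voruzome.dll",s
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    severity: str
    section: str
    detail: str


def parse_entries(log_text):
    """Yield (section, body) for each HijackThis entry line (R1, F2, O4, O17, O20, ...)."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("section"), m.group("body")


def triage(log_text):
    """Return findings for the persistence and hijack patterns seen in this thread."""
    findings = []
    for section, body in parse_entries(log_text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL named here is mapped into each process that loads user32.dll,
            # so one bad or missing file shows up as errors in many programs.
            for dll in body.split(":", 1)[1].split():
                findings.append(Finding("high", section, f"AppInit_DLLs loads {dll}"))
        elif section == "O17" and "NameServer =" in body:
            for server in body.split("NameServer =", 1)[1].split(","):
                server = server.strip()
                try:
                    is_public = ip_address(server).is_global
                except ValueError:
                    is_public = False  # not an IP literal; leave it to a human
                if is_public and server not in EXPECTED_DNS:
                    findings.append(Finding("high", section, f"DNS resolver {server} not expected"))
        elif section == "O4":
            m = RUNDLL_RE.search(body)
            if m:
                findings.append(Finding("medium", section, f"Run entry loads {m.group(1)} via rundll32"))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding("medium", section, f"unnamed BHO {body.rsplit(' - ', 1)[-1]}"))
    return findings


def persisted(before, after):
    """Findings present in both logs: what the first cleanup pass left behind."""
    common = set(triage(before)) & set(triage(after))
    return sorted(common, key=lambda f: (f.section, f.detail))


# Sample input: entry lines copied from the two logs posted in this thread
# (first log of 8/6, second log of 8/9 after the MBAM run), headers trimmed.
BEFORE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O2 - BHO: (no name) - {ad6a11e7-2a5a-4c3b-a070-d97e72d85a35} - C:\WINDOWS\system32\fihimemo.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [huzimetera] Rundll32.exe "C:\WINDOWS\system32\voruzome.dll",s
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.150,85.255.112.69
O20 - AppInit_DLLs: c:\windows\system32\gunanami.dll c:\windows\system32\rujiwoko.dll
"""

AFTER_LOG = r"""
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O20 - AppInit_DLLs: c:\windows\system32\gunanami.dll c:\windows\system32\rujiwoko.dll
"""

if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== {label}: {len(triage(log))} finding(s)")
        for f in triage(log):
            print(f"  [{f.severity}] {f.section}: {f.detail}")
    print("== still present after first cleanup:")
    for f in persisted(BEFORE_LOG, AFTER_LOG):
        print(f"  [{f.severity}] {f.section}: {f.detail}")
```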

#4 SifuMike

SifuMike

    malware expert


  • Members
  • 15,385 posts
  • OFFLINE
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:12:06 PM

Posted 09 August 2009 - 04:35 PM

Hi bladekmaster,

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.
  • Please download Java Version 6 Update 15
  • Click the "Free Java Download" button.
  • Click "Free Java Download" again
  • Save the file jxpiinstall.exe to your desktop
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    Examples of older versions in Add or Remove Programs:
    Java 6 Update 11
    Java 6 Update 7
    Java 2 Runtime Environment, SE v1.4.2_03

  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jxpiinstall.exe to install the newest version.

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.


You need to disable your Webroot AntiVirus and SpySweeper before running ComboFix, as they will prevent it from running.

To disable Anti-Virus components of Webroot Anti-Virus
From their Webroot support page:
http://webroot.custhelp.com/

"In order to disable the Anti-Virus components of Webroot Anti-Virus you must go to two separate sections:

Anti-Virus Shield Disabling

1. Click on the Options button on the left hand side of Webroot Anti-Virus

2. Go to the Shields tab of the Options Menu

3. Under the section labeled Anti-Virus Protection, take the checkmark out of the Protect against Viruses box.

Anti-Virus Shields have successfully been turned off.



Anti-Virus Sweep Disabling

1. Click on the Options button on the left hand side of Webroot Anti-Virus

2. On the Sweep tab, put the dot into Custom Sweep (please note you can only disable Anti-Virus Sweeps by using the Custom Sweep option)

3. Under the section labeled Sweep Settings Summary, click the Change Settings link which is next to Custom Sweep Settings

4. A Custom Sweep box will appear with various sections to click on. Click on the What To Sweep button on the left side of this Custom Sweep box.

5. On this screen, take the checkmark out of Sweep for Viruses under the Viruses section.

6. Click the OK button at the bottom of this screen and you will be returned to the Sweep tab. (Again please note that you can only disable Anti-Virus Sweeps by using the Custom Sweep Option which will now be selected)

Anti-Virus Sweeps have successfully been turned off."



To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.

Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop.
Post the log from ComboFix in your next reply.

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 bladekmaster


Posted 09 August 2009 - 06:13 PM

Wow! The message is gone. Thanks a lot! Here's the log.

ComboFix 09-08-09.03 - Pop 08/09/2009 17:51.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.240 [GMT -5:00]
Running from: c:\documents and settings\Pop\Desktop\ComboFix.exe
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\AskSearch\bin\DefaultSearch.dll
c:\program files\sFX
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\filokinu.dll
c:\windows\system32\gunanami.dll
c:\windows\system32\hoyupatu.dll
c:\windows\system32\migisibi.dll
c:\windows\system32\newopuvo.dll
c:\windows\system32\rutijeri.dll
c:\windows\system32\sonumiwo.dll
c:\windows\system32\telelepu.dll
c:\windows\system32\vuladihi.dll
c:\windows\system32\vuseyiju.exe
c:\windows\system32\yapuzoke.dll
c:\windows\system32\yikiduta.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MSIVXserv.sys
-------\Legacy_SFX
-------\Legacy_SFXDRV
-------\Service_MSIVXserv.sys
-------\Service_sfx


((((((((((((((((((((((((( Files Created from 2009-07-09 to 2009-08-09 )))))))))))))))))))))))))))))))
.

2009-08-09 21:46 . 2009-08-09 21:46 -------- d-----w- c:\program files\Carbonite
2009-08-09 21:41 . 2009-08-09 22:27 152576 ----a-w- c:\documents and settings\Pop\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-09 19:38 . 2009-08-09 19:38 -------- d-----w- c:\documents and settings\Pop\Application Data\Malwarebytes
2009-08-09 19:38 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 19:38 . 2009-08-09 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-09 19:38 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 19:38 . 2009-08-09 19:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 06:03 . 2009-08-09 06:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-09 05:59 . 2009-08-09 05:59 -------- d-----w- c:\program files\AVG
2009-08-09 02:41 . 2009-08-09 02:41 -------- d-----w- c:\documents and settings\Pop\Local Settings\Application Data\Thinstall
2009-08-09 02:41 . 2009-08-09 02:41 -------- d-----w- c:\documents and settings\Pop\Application Data\Thinstall
2009-08-06 20:06 . 2009-08-06 20:06 -------- d-----w- c:\program files\Trend Micro
2009-08-05 23:08 . 2009-08-05 23:08 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-05 23:08 . 2009-07-15 09:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-05 23:08 . 2009-08-05 23:08 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-05 02:42 . 2009-08-05 02:42 -------- d-----w- c:\documents and settings\Nessa\Application Data\acccore
2009-08-03 03:02 . 2009-08-03 03:03 1012560 ----a-w- c:\documents and settings\Pop\Application Data\Adobe\Acrobat\6.0\Updater\Acro-Reader_606_Update.exe
2009-08-03 03:02 . 2009-08-03 03:02 2937168 ----a-w- c:\documents and settings\Pop\Application Data\Adobe\Acrobat\6.0\Updater\Acro-Reader_605_Update.exe
2009-07-19 22:24 . 2009-07-19 22:24 -------- d-----w- c:\documents and settings\Nessa\Application Data\TuneUp Software
2009-07-19 22:20 . 2009-07-19 22:20 -------- d-----w- c:\documents and settings\Nessa\Local Settings\Application Data\AOL OCP
2009-07-19 22:20 . 2009-07-19 22:20 -------- d-----w- c:\documents and settings\Nessa\Local Settings\Application Data\AOL
2009-07-18 16:16 . 2009-08-09 18:21 -------- d-----w- c:\program files\Pcsx2
2009-07-14 20:28 . 2009-07-14 20:28 -------- d-----w- c:\program files\MagicISO
2009-07-12 06:31 . 2009-07-12 06:31 19045 ----a-w- c:\documents and settings\Pop\Application Data\tyvunoxox.sys
2009-07-12 06:31 . 2009-07-12 06:31 18717 ----a-w- c:\program files\Common Files\monace.scr
2009-07-12 06:31 . 2009-07-12 06:31 16677 ----a-w- c:\windows\kexo.bat
2009-07-12 06:31 . 2009-07-12 06:31 15010 ----a-w- c:\documents and settings\Pop\Local Settings\Application Data\opagybeku.dll
2009-07-12 06:31 . 2009-07-12 06:31 14216 ----a-w- c:\windows\system32\enyx.com
2009-07-12 06:31 . 2009-07-12 06:31 12716 ----a-w- c:\windows\system32\ugexazu.reg
2009-07-12 06:31 . 2009-07-12 06:31 10631 ----a-w- c:\windows\ucoku.dat
2009-07-12 06:31 . 2009-07-12 06:31 10585 ----a-w- c:\windows\dukuwopyte.dll
2009-07-12 06:31 . 2009-07-12 06:31 10252 ----a-w- c:\windows\ymin.vbs
2009-07-12 06:17 . 2009-07-12 14:37 -------- d-----w- c:\program files\AlfaVid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-09 22:58 . 2009-03-10 23:21 -------- d-----w- c:\documents and settings\Pop\Application Data\LimeWire
2009-08-09 22:28 . 2009-03-11 22:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 21:43 . 2005-12-15 06:03 -------- d-----w- c:\program files\Java
2009-08-07 20:49 . 2009-04-06 22:14 -------- d-----w- c:\documents and settings\Nessa\Application Data\LimeWire
2009-08-07 20:24 . 2009-05-07 20:24 84992 --sha-w- c:\windows\system32\meseleru.dll
2009-08-06 04:58 . 2009-05-06 04:58 84992 --sha-w- c:\windows\system32\yaromido.dll
2009-08-05 23:07 . 2009-06-25 05:12 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-05 16:58 . 2009-05-05 16:58 83968 --sha-w- c:\windows\system32\goyobilo.dll
2009-08-04 16:57 . 2009-05-04 16:57 84480 --sha-w- c:\windows\system32\zeyeloja.dll
2009-08-04 04:57 . 2009-05-04 04:57 83968 --sha-w- c:\windows\system32\doluwuhi.dll
2009-08-03 03:02 . 2009-03-05 00:51 -------- d-----w- c:\documents and settings\Pop\Application Data\AdobeUM
2009-07-13 03:28 . 2009-03-03 21:49 2018 ----a-w- c:\documents and settings\Pop\Application Data\wklnhst.dat
2009-07-12 14:53 . 2005-12-15 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-12 06:31 . 2009-07-12 06:31 16395 ----a-w- c:\documents and settings\All Users\Application Data\zypehel.vbs
2009-07-12 06:31 . 2009-07-12 06:31 15742 ----a-w- c:\documents and settings\All Users\Application Data\vociganani.dat
2009-07-12 06:31 . 2009-07-12 06:31 15043 ----a-w- c:\documents and settings\All Users\Application Data\ujeca.dat
2009-07-01 00:42 . 2009-07-01 00:42 -------- d-----w- c:\documents and settings\Pop\Application Data\PSPdisp
2009-07-01 00:41 . 2009-07-01 00:36 -------- d-----w- c:\program files\PSPdisp
2009-06-30 21:33 . 2009-06-07 23:57 -------- d-----w- c:\documents and settings\Pop\Application Data\gtk-2.0
2009-06-27 19:56 . 2009-04-09 16:02 -------- d-----w- c:\program files\AIM6
2009-06-27 19:56 . 2009-06-27 19:56 -------- d-----w- c:\program files\AIM Toolbar
2009-06-27 19:56 . 2009-06-27 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-06-27 19:55 . 2005-12-15 06:12 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-06-27 03:09 . 2009-04-09 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-26 16:18 . 2005-08-16 10:18 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 05:13 . 2009-06-25 05:13 -------- d-----w- c:\documents and settings\Pop\Application Data\TuneUp Software
2009-06-25 05:12 . 2009-06-25 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-25 05:10 . 2009-06-25 05:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-25 04:55 . 2005-12-15 06:09 -------- d-----w- c:\program files\MUSICMATCH
2009-06-25 04:52 . 2009-04-09 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Tencent
2009-06-25 04:50 . 2005-12-15 06:15 -------- d-----w- c:\program files\Dell
2009-06-25 04:48 . 2009-05-20 23:19 -------- d-----w- c:\program files\Oberon Media
2009-06-25 04:46 . 2009-03-11 00:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-25 04:42 . 2005-12-15 06:11 -------- d-----w- c:\program files\Common Files\AOL
2009-06-25 04:42 . 2005-12-15 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-21 17:51 . 2009-06-18 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-19 13:08 . 2009-06-18 21:56 -------- d-----w- c:\program files\NOS
2009-06-18 21:59 . 2009-06-18 21:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-18 21:56 . 2009-06-18 21:56 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-16 14:55 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-08-16 10:18 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 01:37 . 2005-12-15 06:10 -------- d-----w- c:\program files\Sonic
2009-06-15 10:08 . 2009-03-19 23:07 3218 ----a-w- c:\documents and settings\Nessa\Application Data\wklnhst.dat
2009-06-11 00:30 . 2009-03-03 01:31 -------- d-----w- c:\documents and settings\Pop\Application Data\Apple Computer
2009-06-03 19:24 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-30 15:46 . 2009-03-05 01:32 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-30 15:46 . 2009-03-05 01:32 56 --sh--r- c:\windows\system32\8E5818C53D.sys
2009-05-19 06:36 . 2009-06-27 03:10 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 06:36 . 2009-06-27 03:10 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 06:36 . 2009-06-27 03:09 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 06:36 . 2009-06-27 03:09 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 06:36 . 2009-06-27 03:09 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 06:36 . 2009-06-27 03:09 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 06:36 . 2009-06-27 03:10 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 06:36 . 2009-06-27 03:09 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 18:00 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-15 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-07-31 283792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\Nessa\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\Pop\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\stsystra.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58146:TCP"= 58146:TCP:Pando Media Booster
"58146:UDP"= 58146:UDP:Pando Media Booster
"8085:TCP"= 8085:TCP:sfx

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/13/2009 6:09 PM 29808]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [8/5/2009 6:08 PM 604488]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2/27/2009 10:13 PM 1180976]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [12/21/2008 7:06 PM 28672]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [12/25/2008 9:24 AM 3072]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-09 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 08:54]

2009-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2009-08-04 c:\windows\Tasks\wrSpySweeper_L93AB4CC322624BCF9E3662FAEF1944B9.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 18:08]

2009-08-04 c:\windows\Tasks\wrSpySweeper_L93AB4CC322624BCF9E3662FAEF1944B9.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 18:08]

2009-07-19 c:\windows\Tasks\wrSpySweeper_LC7856BBDD7474B84B05D68881107C52C.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 18:08]

2009-07-19 c:\windows\Tasks\wrSpySweeper_LC7856BBDD7474B84B05D68881107C52C.job
- c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe [2009-02-28 18:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 17:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3220)
c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\wscntfy.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-08-09 18:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-09 23:02

Pre-Run: 56,657,428,480 bytes free
Post-Run: 59,655,380,992 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

255 --- E O F --- 2009-08-09 22:15

#6 SifuMike


Posted 09 August 2009 - 08:58 PM

Hi,

Please refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.) from now on as it might prolong handling your log and make the job for both of us more difficult.

Tell me if you have done anything since your previous post, or if you have run any other tools.


Post a fresh Hijackthis log.


Open HijackThis 2.0.2
Press the button 'View Misc Tools Section'
Press the button 'open uninstall manager'
Press the button 'save list'
Save it to your desktop.
Press Save. Save it to your desktop.
A notepad file will open.
If no notepad opens then it will be on your desktop (where you saved it)
Post the content here in your reply.
Close HijackThis.

Edited by SifuMike, 09 August 2009 - 09:12 PM.


#7 bladekmaster


Posted 09 August 2009 - 09:25 PM

Here,
Internet Explorer Default Page
iTunes
Java™ 6 Update 15
Learn2 Player (Uninstall Only)
LimeWire 5.1.2
Macromedia Flash Player
Macromedia Shockwave Player
Magic ISO Maker v5.5 (build 0276)
Malwarebytes' Anti-Malware
MCU
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Standard 2006
Microsoft Encarta Encyclopedia Standard 2006
Microsoft Money 2006
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Streets & Trips 2006
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works Suite 2006 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
MSN
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
Musicmatch for Windows Media Player
MyWay Search Assistant
NetWaiting
Otto
Pando Media Booster
PowerDVD 5.5
PSPdisp 0.2
Qualxserve Service Agreement
QuickBooks Simple Start Special Edition
QuickTime
RealPlayer Basic
Safari
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Sonic DLA
Sonic Encoders
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Spy Sweeper Core
TuneUp Utilities 2009
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
WebCyberCoach 3.2 Dell
Webroot AntiVirus with AntiSpyware
WildTangent Games
WildTangent Web Driver
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB890927
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB925766
WinRAR archiver

#8 SifuMike


Posted 09 August 2009 - 09:35 PM

Did you run AVG antivirus on your own?

You forgot to post the HijackThis log.

#9 bladekmaster


Posted 09 August 2009 - 09:39 PM

I did, to see if I could get what was happening to my computer off. But I deleted it before I started working with you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:49 PM, on 8/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 5412 bytes

#10 SifuMike


Posted 09 August 2009 - 09:44 PM

"I did, to see if I can get what was happening to my computer off. But I deleted it, before I started working with you."


I told you previously not to run any programs while we are fixing your computer.

If you want to fix your computer yourself, then I will step aside and let you do it.
If you want me to fix it, then you have to follow my instructions.


Let me know your decision.

Edited by SifuMike, 09 August 2009 - 09:45 PM.


#11 bladekmaster
  • Topic Starter

Posted 09 August 2009 - 10:12 PM

I'm sorry. I ran that program before you even posted to my problem. Then I deleted it once you replied.
Once again I'm sorry, and I really would appreciate your help.

#12 SifuMike
    malware expert

Posted 09 August 2009 - 10:20 PM

From now on, refrain from making any changes to your system (updating Windows, installing applications, removing files, etc.), as it might prolong handling your log and make the job for both of us more difficult.


Please run HijackThis and click "Scan." Place checks next to the following entries, if present:

O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe

Close all browsers and other windows except for HijackThis, and click "Fix checked"

Reboot your computer, and post a fresh HijackThis log.

Edited by SifuMike, 09 August 2009 - 10:21 PM.


#13 bladekmaster
  • Topic Starter

Posted 09 August 2009 - 10:47 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:45:30 PM, on 8/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O4 - HKLM\..\Run: [ehTray] "C:\WINDOWS\ehome\ehtray.exe"
O4 - HKLM\..\Run: [igfxtray] "C:\WINDOWS\system32\igfxtray.exe"
O4 - HKLM\..\Run: [igfxhkcmd] "C:\WINDOWS\system32\hkcmd.exe"
O4 - HKLM\..\Run: [igfxpers] "C:\WINDOWS\system32\igfxpers.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] "stsystra.exe"
O4 - HKLM\..\Run: [RealTray] "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] "C:\WINDOWS\system32\dla\tfswctrl.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://download-games.pogo.com/online2/pog...mjolauncher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game06.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\Dell Game Console\GameConsoleService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Webroot Client Service (WRConsumerService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRConsumerService.exe

--
End of file - 5288 bytes

#14 SifuMike
    malware expert

Posted 09 August 2009 - 11:00 PM

Hi bladekmaster,


You need to disable your Webroot AntiVirus and SpySweeper before running ComboFix, as they will prevent it from running.

To disable Anti-Virus components of Webroot Anti-Virus
From their Webroot support page:
http://webroot.custhelp.com/

"In order to disable the Anti-Virus components of Webroot Anti-Virus you must go to two separate sections:

Anti-Virus Shield Disabling

1. Click on the Options button on the left hand side of Webroot Anti-Virus

2. Go to the Shields tab of the Options Menu

3. Under the section labeled Anti-Virus Protection, take the checkmark out of the Protect against Viruses box.

Anti-Virus Shields have successfully been turned off.



Anti-Virus Sweep Disabling

1. Click on the Options button on the left hand side of Webroot Anti-Virus

2. On the Sweep tab, put the dot into Custom Sweep (please note you can only disable Anti-Virus Sweeps by using the Custom Sweep option)

3. Under the section labeled Sweep Settings Summary, click the Change Settings link which is next to Custom Sweep Settings

4. A Custom Sweep box will appear with various sections to click on. Click on the What To Sweep button on the left side of this Custom Sweep box.

5. On this screen, take the checkmark out of Sweep for Viruses under the Viruses section.

6. Click the OK button at the bottom of this screen and you will be returned to the Sweep tab. (Again please note that you can only disable Anti-Virus Sweeps by using the Custom Sweep Option which will now be selected)

Anti-Virus Sweeps have successfully been turned off."



To disable SpySweeper
Open Spysweeper and click on Options > Program Options and uncheck "load at windows startup".
On the left click "shields" and then uncheck everything there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Exit the program.


Click Start, then Run and type Notepad and click OK.
Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the code box below into notepad:

File:: 
c:\documents and settings\Pop\Application Data\tyvunoxox.sys
c:\program files\Common Files\monace.scr
c:\windows\kexo.bat
c:\documents and settings\Pop\Local Settings\Application Data\opagybeku.dll
c:\windows\system32\enyx.com
c:\windows\system32\ugexazu.reg
c:\windows\ucoku.dat
c:\windows\dukuwopyte.dll
c:\windows\ymin.vbs
c:\windows\system32\meseleru.dll
c:\windows\system32\yaromido.dll
c:\windows\system32\goyobilo.dll
c:\windows\system32\zeyeloja.dll
c:\windows\system32\doluwuhi.dll

Registry:: 
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= dword:00000001


Name the Notepad file CFScript.txt and Save it to your desktop.

IMPORTANT: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt dragged onto ComboFix.exe]


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Edited by SifuMike, 09 August 2009 - 11:27 PM.


#15 bladekmaster
  • Topic Starter

Posted 09 August 2009 - 11:30 PM

ComboFix 09-08-09.04 - Pop 08/09/2009 23:21.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.217 [GMT -5:00]
Running from: c:\documents and settings\Pop\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Pop\Desktop\CFScript.txt
AV: Webroot AntiVirus with AntiSpyware *On-access scanning disabled* (Updated) {77E10C7F-2CCA-4187-9394-BDBC267AD597}

FILE ::
"c:\documents and settings\Pop\Application Data\tyvunoxox.sys"
"c:\documents and settings\Pop\Local Settings\Application Data\opagybeku.dll"
"c:\program files\Common Files\monace.scr"
"c:\windows\dukuwopyte.dll"
"c:\windows\kexo.bat"
"c:\windows\system32\doluwuhi.dll"
"c:\windows\system32\enyx.com"
"c:\windows\system32\goyobilo.dll"
"c:\windows\system32\meseleru.dll"
"c:\windows\system32\ugexazu.reg"
"c:\windows\system32\yaromido.dll"
"c:\windows\system32\zeyeloja.dll"
"c:\windows\ucoku.dat"
"c:\windows\ymin.vbs"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Pop\Application Data\tyvunoxox.sys
c:\documents and settings\Pop\Local Settings\Application Data\opagybeku.dll
c:\program files\Common Files\monace.scr
c:\windows\dukuwopyte.dll
c:\windows\kexo.bat
c:\windows\system32\doluwuhi.dll
c:\windows\system32\enyx.com
c:\windows\system32\goyobilo.dll
c:\windows\system32\meseleru.dll
c:\windows\system32\ugexazu.reg
c:\windows\system32\yaromido.dll
c:\windows\system32\zeyeloja.dll
c:\windows\ucoku.dat
c:\windows\ymin.vbs

.
((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-09 21:46 . 2009-08-09 21:46 -------- d-----w- c:\program files\Carbonite
2009-08-09 21:41 . 2009-08-09 22:27 152576 ----a-w- c:\documents and settings\Pop\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-08-09 19:38 . 2009-08-09 19:38 -------- d-----w- c:\documents and settings\Pop\Application Data\Malwarebytes
2009-08-09 19:38 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-09 19:38 . 2009-08-09 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-09 19:38 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-09 19:38 . 2009-08-09 19:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-09 06:03 . 2009-08-09 06:03 -------- d--h--w- C:\$AVG8.VAULT$
2009-08-09 05:59 . 2009-08-09 05:59 -------- d-----w- c:\program files\AVG
2009-08-09 02:41 . 2009-08-09 02:41 -------- d-----w- c:\documents and settings\Pop\Local Settings\Application Data\Thinstall
2009-08-09 02:41 . 2009-08-09 02:41 -------- d-----w- c:\documents and settings\Pop\Application Data\Thinstall
2009-08-06 20:06 . 2009-08-06 20:06 -------- d-----w- c:\program files\Trend Micro
2009-08-05 23:08 . 2009-08-05 23:08 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-05 23:08 . 2009-07-15 09:48 29000 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-05 23:08 . 2009-08-05 23:08 361288 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-05 02:42 . 2009-08-05 02:42 -------- d-----w- c:\documents and settings\Nessa\Application Data\acccore
2009-08-03 03:02 . 2009-08-03 03:03 1012560 ----a-w- c:\documents and settings\Pop\Application Data\Adobe\Acrobat\6.0\Updater\Acro-Reader_606_Update.exe
2009-08-03 03:02 . 2009-08-03 03:02 2937168 ----a-w- c:\documents and settings\Pop\Application Data\Adobe\Acrobat\6.0\Updater\Acro-Reader_605_Update.exe
2009-07-19 22:24 . 2009-07-19 22:24 -------- d-----w- c:\documents and settings\Nessa\Application Data\TuneUp Software
2009-07-19 22:20 . 2009-07-19 22:20 -------- d-----w- c:\documents and settings\Nessa\Local Settings\Application Data\AOL OCP
2009-07-19 22:20 . 2009-07-19 22:20 -------- d-----w- c:\documents and settings\Nessa\Local Settings\Application Data\AOL
2009-07-18 16:16 . 2009-08-09 18:21 -------- d-----w- c:\program files\Pcsx2
2009-07-14 20:28 . 2009-07-14 20:28 -------- d-----w- c:\program files\MagicISO
2009-07-12 06:17 . 2009-07-12 14:37 -------- d-----w- c:\program files\AlfaVid

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-09 22:58 . 2009-03-10 23:21 -------- d-----w- c:\documents and settings\Pop\Application Data\LimeWire
2009-08-09 22:28 . 2009-03-11 22:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-09 21:43 . 2005-12-15 06:03 -------- d-----w- c:\program files\Java
2009-08-07 20:49 . 2009-04-06 22:14 -------- d-----w- c:\documents and settings\Nessa\Application Data\LimeWire
2009-08-05 23:07 . 2009-06-25 05:12 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-03 03:02 . 2009-03-05 00:51 -------- d-----w- c:\documents and settings\Pop\Application Data\AdobeUM
2009-07-13 03:28 . 2009-03-03 21:49 2018 ----a-w- c:\documents and settings\Pop\Application Data\wklnhst.dat
2009-07-12 14:53 . 2005-12-15 06:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-12 06:31 . 2009-07-12 06:31 16395 ----a-w- c:\documents and settings\All Users\Application Data\zypehel.vbs
2009-07-12 06:31 . 2009-07-12 06:31 15742 ----a-w- c:\documents and settings\All Users\Application Data\vociganani.dat
2009-07-12 06:31 . 2009-07-12 06:31 15043 ----a-w- c:\documents and settings\All Users\Application Data\ujeca.dat
2009-07-01 00:42 . 2009-07-01 00:42 -------- d-----w- c:\documents and settings\Pop\Application Data\PSPdisp
2009-07-01 00:41 . 2009-07-01 00:36 -------- d-----w- c:\program files\PSPdisp
2009-06-30 21:33 . 2009-06-07 23:57 -------- d-----w- c:\documents and settings\Pop\Application Data\gtk-2.0
2009-06-27 19:56 . 2009-04-09 16:02 -------- d-----w- c:\program files\AIM6
2009-06-27 19:56 . 2009-06-27 19:56 -------- d-----w- c:\program files\AIM Toolbar
2009-06-27 19:56 . 2009-06-27 19:56 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar
2009-06-27 19:55 . 2005-12-15 06:12 -------- d-----w- c:\program files\Common Files\Nullsoft
2009-06-27 03:09 . 2009-04-09 16:12 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-06-26 16:18 . 2005-08-16 10:18 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 05:13 . 2009-06-25 05:13 -------- d-----w- c:\documents and settings\Pop\Application Data\TuneUp Software
2009-06-25 05:12 . 2009-06-25 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-06-25 05:10 . 2009-06-25 05:10 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-06-25 04:55 . 2005-12-15 06:09 -------- d-----w- c:\program files\MUSICMATCH
2009-06-25 04:52 . 2009-04-09 16:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Tencent
2009-06-25 04:50 . 2005-12-15 06:15 -------- d-----w- c:\program files\Dell
2009-06-25 04:48 . 2009-05-20 23:19 -------- d-----w- c:\program files\Oberon Media
2009-06-25 04:46 . 2009-03-11 00:32 -------- d-----w- c:\program files\Common Files\Apple
2009-06-25 04:42 . 2005-12-15 06:11 -------- d-----w- c:\program files\Common Files\AOL
2009-06-25 04:42 . 2005-12-15 06:11 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-06-21 17:51 . 2009-06-18 21:56 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-06-19 13:08 . 2009-06-18 21:56 -------- d-----w- c:\program files\NOS
2009-06-18 21:59 . 2009-06-18 21:59 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-18 21:56 . 2009-06-18 21:56 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-06-16 14:55 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:55 . 2005-08-16 10:18 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 01:37 . 2005-12-15 06:10 -------- d-----w- c:\program files\Sonic
2009-06-15 10:08 . 2009-03-19 23:07 3218 ----a-w- c:\documents and settings\Nessa\Application Data\wklnhst.dat
2009-06-03 19:24 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-30 15:46 . 2009-03-05 01:32 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-05-30 15:46 . 2009-03-05 01:32 56 --sh--r- c:\windows\system32\8E5818C53D.sys
2009-05-19 06:36 . 2009-06-27 03:10 2884832 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\vwpt.exe
2009-05-19 06:36 . 2009-06-27 03:10 28 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\unregister.bat
2009-05-19 06:36 . 2009-06-27 03:09 1484856 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\toolbar.exe
2009-05-19 06:36 . 2009-06-27 03:09 25 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\register.bat
2009-05-19 06:36 . 2009-06-27 03:09 97072 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\bsetutil.exe
2009-05-19 06:36 . 2009-06-27 03:09 142040 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\alsetup.exe
2009-05-19 06:36 . 2009-06-27 03:10 30512 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\Uninstaller.exe
2009-05-19 06:36 . 2009-06-27 03:09 111920 ----a-w- c:\documents and settings\All Users\Application Data\AOL Downloads\SUD4426\AOLSearch.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-09_22.57.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-10 03:43 . 2009-08-10 03:43 16384 c:\windows\Temp\Perflib_Perfdata_508.dat
+ 2009-02-27 02:08 . 2009-08-10 03:43 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-27 02:08 . 2009-08-09 22:20 65536 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-27 02:08 . 2009-08-10 03:43 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-02-27 02:08 . 2009-08-09 22:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-02-27 02:08 . 2009-08-10 03:43 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2009-02-27 02:08 . 2009-08-09 22:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\BackupIconOverlayId]
@="{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}"
[HKEY_CLASSES_ROOT\CLSID\{2EE61E5C-8F94-4AAB-8A80-D2A8CD1FEDAD}]
2009-02-14 18:00 238968 ----a-w- c:\program files\Webroot\Spy Sweeper\Backup\CtxMenu_1_0_0_10.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-07-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-07-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-07-20 114688]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2005-12-15 26112]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-07-31 283792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-09 149280]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]

c:\documents and settings\Nessa\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-3-10 139776]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ \0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe\0SsiEfr.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WRConsumerService]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\WINDOWS\\stsystra.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58146:TCP"= 58146:TCP:Pando Media Booster
"58146:UDP"= 58146:UDP:Pando Media Booster
"8085:TCP"= 8085:TCP:sfx

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2/13/2009 6:09 PM 29808]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [8/5/2009 6:08 PM 604488]
R2 WRConsumerService;Webroot Client Service;c:\program files\Webroot\Spy Sweeper\WRConsumerService.exe [2/27/2009 10:13 PM 1180976]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [12/21/2008 7:06 PM 28672]
S3 pspdisp;pspdisp;c:\windows\system32\drivers\pspdisp.sys [12/25/2008 9:24 AM 3072]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-10 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2009-07-16 08:54]

2009-08-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} - hxxp://game06.zylom.com/activex/zylomgamesplayer.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-09 23:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-10 23:28
ComboFix-quarantined-files.txt 2009-08-10 04:28
ComboFix2.txt 2009-08-09 23:03

Pre-Run: 59,594,903,552 bytes free
Post-Run: 59,561,267,200 bytes free

215 --- E O F --- 2009-08-09 22:15
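The CFScript in post #14 and the ComboFix listing in post #15 share one tell that is worth automating: the files the helper queued for deletion (tyvunoxox.sys, meseleru.dll, zypehel.vbs, and the gunanami.dll from the original error) all have pseudo-pronounceable, randomly generated names, sit loose in places like c:\windows, system32 or an Application Data root, and several were created in the same minute (the 2009-07-12 06:31 trio in the Find3M section). The Python script below is an added example, not part of this thread, of ComboFix or of any BleepingComputer tool: it parses ComboFix's file-listing format, scores each file on those signals, and prints the candidates in the CFScript File:: shape used above. The sample lines are copied from the log in post #15 (with wininet.dll and quartz.dll included as legitimate controls); the alternating consonant/vowel test, the drop-directory list, the extension list and the two-signal threshold are my own heuristics, and the reading of ComboFix's first timestamp as the time the file appeared on disk is inferred from the mbam.sys line (placed 08-09, built 08-03). The output is a list for a human to review, never something to feed to ComboFix unread, for exactly the reason SifuMike gives: a CFScript fits one machine.

```python
import re
from collections import Counter

# Constructed sample in ComboFix's listing format: lines copied from the thread's
# log, plus wininet.dll and quartz.dll from the same log as legitimate controls.
# Of the two timestamps the first is when the file landed on disk (mbam.sys:
# placed 08-09, built 08-03), so that is the one we cluster on.
SAMPLE_LOG = r"""
2009-08-09 19:38 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-05 23:08 . 2009-08-05 23:08 604488 ----a-w- c:\windows\system32\TUProgSt.exe
2009-07-12 06:31 . 2009-07-12 06:31 16395 ----a-w- c:\documents and settings\All Users\Application Data\zypehel.vbs
2009-07-12 06:31 . 2009-07-12 06:31 15742 ----a-w- c:\documents and settings\All Users\Application Data\vociganani.dat
2009-07-12 06:31 . 2009-07-12 06:31 15043 ----a-w- c:\documents and settings\All Users\Application Data\ujeca.dat
2009-06-26 16:18 . 2005-08-16 10:18 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-03 19:24 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-08-09 21:46 . 2009-08-09 21:46 -------- d-----w- c:\program files\Carbonite
"""

LINE_RE = re.compile(r"^(?P<first>\d{4}-\d\d-\d\d \d\d:\d\d) \. "
                     r"\d{4}-\d\d-\d\d \d\d:\d\d (?:-+|\d+) (?P<attrs>\S+) (?P<path>.+)$")
VOWELS = set("aeiou")
# Heuristic choices (mine, not ComboFix rules): loose script/registry types, and
# the directories the thread's CFScript files were dropped straight into.
ODD_EXTS = {".vbs", ".bat", ".reg", ".com", ".scr"}
DROP_ROOTS = {r"c:\windows", r"c:\program files\common files"}


def looks_generated(stem):
    """4+ lowercase ASCII letters strictly alternating consonant/vowel
    (meseleru, tyvunoxox, gunanami); 'y' may take either role (ymin, zeyeloja).
    Real words alternate too (wininet), so this alone must never condemn a file."""
    if len(stem) < 4 or not (stem.isascii() and stem.isalpha() and stem.islower()):
        return False
    prev = None
    for ch in stem:
        cls = {"v": "c", "c": "v"}.get(prev) if ch == "y" else ("v" if ch in VOWELS else "c")
        if prev is not None and cls == prev:
            return False
        prev = cls
    return True


def split_path(path):
    """Lower-cased (parent dir, stem, extension with dot)."""
    parent, _, name = path.lower().replace("/", "\\").rpartition("\\")
    stem, dot, ext = name.rpartition(".")
    return (parent, stem, "." + ext) if dot else (parent, name, "")


def name_reasons(path):
    """Independent signals for one path; the name heuristic always comes first."""
    parent, stem, ext = split_path(path)
    reasons = []
    if looks_generated(stem):
        reasons.append("generated-looking name")
    if parent in DROP_ROOTS or parent.endswith(r"\application data"):
        reasons.append("dropped directly into " + parent)
    if ext in ODD_EXTS or (ext == ".sys" and not parent.endswith(r"\drivers")):
        reasons.append("unusual type %s for that location" % ext)
    return reasons


def parse_listing(text):
    """(first_timestamp, path) per file line; directory entries are skipped."""
    rows = (LINE_RE.match(ln.strip()) for ln in text.splitlines())
    return [(m.group("first"), m.group("path"))
            for m in rows if m and not m.group("attrs").startswith("d")]


def triage(text, min_cluster=3):
    """[(path, reasons)] for files whose name looks generated AND that carry at
    least one more signal: odd location, odd type, or a batch of such names
    created in the same minute (the 2009-07-12 06:31 trio in the log)."""
    entries = parse_listing(text)
    batch = Counter(ts for ts, p in entries if looks_generated(split_path(p)[1]))
    flagged = []
    for ts, path in entries:
        reasons = name_reasons(path)
        if reasons[:1] != ["generated-looking name"]:
            continue
        if batch[ts] >= min_cluster:
            reasons.append("%d such names created at %s" % (batch[ts], ts))
        if len(reasons) >= 2:
            flagged.append((path, reasons))
    return flagged


def to_cfscript(paths):
    """CFScript File:: section for analyst review. As the thread warns, such a
    script fits one machine only: read every line, reuse none of it elsewhere."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for path, reasons in hits:
        print(path, "<-", "; ".join(reasons))
    print(to_cfscript([p for p, _ in hits]))
```

Run against the sample, the three All Users\Application Data files are flagged (generated name, drop directory, same-minute batch, and for the .vbs its type), while wininet.dll, which also alternates consonant/vowel, is left alone because nothing else about it is odd. The system32 DLLs in post #14's script score on name alone; the helper had the original "not a valid Windows image" error and the earlier logs to go on, which is why this stays a triage aid rather than a verdict.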



