Recurring Trojan horses "SpamBot. W" and more


This topic is locked
10 replies to this topic

#1 Karalex

Karalex

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:02 PM

Posted 09 August 2009 - 06:18 PM

Hello,
I am having a problem with Trojan horses. I have identified one of them as "Trojan horse SpamBot. W"; I am not sure how to find the names of the others (I am not too good with computers :thumbup2: ).
I have downloaded "Malwarebytes' Anti-Malware" and AVG Free 8.5 and run them regularly. Although they keep finding these infections, I heal/move them to the vault, hoping this will fix my problem. My computer runs fine after I do this until I restart and AVG picks them up again, which means they weren't deleted in the first place :) I am not very good with computers, so I can't tell you the exact effect of these trojans, but I can tell you what I noticed: a fake anti-spyware program named "Anti-spyware 2010", seemingly random noises playing through my computer when I have no programs open (sounds from internet ads, things in different languages, and random music), and lastly my firewall being turned off. I'll post my HJT logs and DDS logs below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:25 PM, on 8/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\program files\steam\steam.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Search Protection\spHost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R3 - URLSearchHook: Search Protection Class - {DEE1F01A-E6A8-4740-B420-3C521F234F74} - C:\Program Files\Common Files\Search Protection\sp.dll
R3 - URLSearchHook: AOL Search Toolbar Search Class - {17712359-13c1-4fc3-bcd9-1201af814ef0} - C:\Program Files\AOL Search Toolbar\aolsearchtb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AOL Search Toolbar - {d6050929-7dfc-44c9-a2f3-f12f57d779d6} - C:\Program Files\AOL Search Toolbar\aolsearchtb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [CurseClient] C:\Program Files\Curse\CurseClient.exe -silent
O4 - HKCU\..\Run: [CTSyncU.exe] "C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe"
O4 - HKUS\S-1-5-19\..\Run: [hagirohevi] Rundll32.exe "C:\WINDOWS\system32\pemuwiru.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hagirohevi] Rundll32.exe "C:\WINDOWS\system32\pemuwiru.dll",s (User 'NETWORK SERVICE')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: PinMcLnk.lnk = C:\hp\bin\cloaker.exe (User 'Default user')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {B1C5B118-8240-47a6-AE84-103B05FB5AEF} - C:\Program Files\Common Files\Search Protection\spControl.exe
O9 - Extra 'Tools' menuitem: Manage Search Protection... - {B1C5B118-8240-47a6-AE84-103B05FB5AEF} - C:\Program Files\Common Files\Search Protection\spControl.exe
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SPHost - Unknown owner - C:\Program Files\Common Files\Search Protection\spHost.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe

--
End of file - 8875 bytes
DDS (Ver_09-07-30.01) - NTFSx86
Run by HP_Administrator at 18:57:49.12 on Sun 08/09/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1352 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\program files\steam\steam.exe
svchost.exe
C:\Program Files\Curse\CurseClient.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Search Protection\spHost.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\HP\KBD\KBD.EXE
c:\windows\system\hpsysdrv.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\QOS17JUB\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: Search Protection Class: {dee1f01a-e6a8-4740-b420-3c521f234f74} - c:\program files\common files\search protection\sp.dll
uURLSearchHooks: AOL Search Toolbar Search Class: {17712359-13c1-4fc3-bcd9-1201af814ef0} - c:\program files\aol search toolbar\aolsearchtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: AOL Search Toolbar Search Class: {17712359-13c1-4fc3-bcd9-1201af814ef0} - c:\program files\aol search toolbar\aolsearchtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: AOL Search Toolbar: {d6050929-7dfc-44c9-a2f3-f12f57d779d6} - c:\program files\aol search toolbar\aolsearchtb.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [CurseClient] c:\program files\curse\CurseClient.exe -silent
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [ftutil2] rundll32.exe ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AlwaysReady Power Message APP] ARPWRMSG.EXE
mRun: [DMAScheduler] "c:\program files\hp digitalmedia archive\DMAScheduler.exe"
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [<NO NAME>]
mRun: [PCDrProfiler]
mRun: [HPBootOp] "c:\program files\hewlett-packard\hp boot optimizer\HPBootOp.exe" /run
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\update~1.lnk - c:\program files\updates from hp\9972322\program\Updates from HP.exe
IE: {B1C5B118-8240-47a6-AE84-103B05FB5AEF} - c:\program files\common files\search protection\spControl.exe
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
Trusted Zone: trymedia.com
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-6-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs:

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\hp_adm~1\applic~1\mozilla\firefox\profiles\fexbmhme.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-24 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-24 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-10-24 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-10-24 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-10-24 298776]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SPHost;SPHost;c:\program files\common files\search protection\spHost.exe [2009-6-24 107816]

=============== Created Last 30 ================

2009-08-09 18:49 <DIR> --d----- c:\program files\Trend Micro
2009-08-09 18:06 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-08-09 18:06 41,984 -------- c:\windows\Ctregrun.exe
2009-08-09 18:04 <DIR> --d----- c:\program files\Creative
2009-08-05 22:59 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\Malwarebytes
2009-08-05 22:59 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-05 22:59 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-05 22:59 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-05 22:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-05 22:42 17,486 a------- c:\windows\system32\meratidaq.scr
2009-08-05 22:42 13,711 a------- c:\windows\pibumu.db
2009-08-05 22:42 19,724 a------- c:\windows\juruhoky.db
2009-08-05 22:42 17,562 a------- c:\docume~1\alluse~1\applic~1\kubikopemu.reg
2009-08-05 22:42 17,362 a------- c:\windows\system32\dozate.lib
2009-08-05 22:42 16,893 a------- c:\docume~1\hp_adm~1\applic~1\zyqyrujid.pif
2009-08-05 22:42 16,348 a------- c:\windows\jateru.vbs
2009-08-05 22:42 16,337 a------- c:\windows\ewuqubyvuv.sys
2009-08-05 22:42 14,777 a------- c:\windows\uvicuvoj.lib
2009-08-05 22:42 10,965 a------- c:\windows\aqex.db
2009-08-05 22:38 19,297 a------- c:\windows\izadoxiv.pif
2009-08-05 22:38 17,741 a------- c:\windows\system32\xocewywe._dl
2009-08-05 22:38 17,216 a------- c:\windows\yhyto.inf
2009-08-05 22:38 17,118 a------- c:\windows\kusemo.reg
2009-08-05 22:38 16,617 a------- c:\windows\system32\lizyhoka.dat
2009-08-05 22:38 16,601 a------- c:\windows\system32\ytaseheda.exe
2009-08-05 22:38 15,862 a------- c:\windows\system32\kajiveki.exe
2009-08-05 22:38 15,824 a------- c:\windows\ehudexeleh.sys
2009-08-05 22:38 15,174 a------- c:\windows\udejiwinu.dl
2009-08-05 22:38 13,569 a------- c:\docume~1\hp_adm~1\applic~1\dajeg.vbs
2009-08-05 22:38 12,727 a------- c:\windows\imutymo.vbs
2009-08-05 22:38 11,575 a------- c:\windows\osulujewev.inf
2009-08-05 22:38 11,371 a------- c:\docume~1\hp_adm~1\applic~1\qemiralaq.dll
2009-08-05 22:38 10,866 a------- c:\windows\system32\xezifin.dl
2009-08-05 20:43 16,837 a------- c:\windows\hohyfygan.exe
2009-08-05 20:43 16,039 a------- c:\docume~1\hp_adm~1\applic~1\wusixax.dll
2009-08-05 20:43 14,401 a------- c:\docume~1\alluse~1\applic~1\atifixaxyc.dat
2009-08-05 20:43 12,893 a------- c:\windows\zonopucyx.pif
2009-08-05 20:43 11,247 a------- c:\windows\yjek.inf
2009-08-05 20:43 10,814 a------- c:\windows\xizysyqi.dl
2009-08-05 20:43 10,397 a------- c:\windows\upaqenyje.dat
2009-08-05 20:43 19,463 a------- c:\windows\qizob.inf
2009-08-05 20:43 17,855 a------- c:\windows\system32\beda.lib
2009-08-05 20:43 17,076 a------- c:\windows\uvuqonev.vbs
2009-08-05 20:43 16,933 a------- c:\program files\common files\anonidib.pif
2009-08-05 20:43 16,752 a------- c:\docume~1\hp_adm~1\applic~1\ymiqicuder.vbs
2009-08-05 20:43 12,307 a------- c:\docume~1\alluse~1\applic~1\ufyvucaqa.bat
2009-08-05 20:43 10,674 a------- c:\windows\foqeriwu.vbs
2009-07-31 16:00 <DIR> --d----- c:\windows\system32\LogFiles
2009-07-31 15:46 <DIR> --d----- c:\program files\Comcast
2009-07-31 15:45 <DIR> --d----- c:\program files\common files\SupportSoft
2009-07-31 15:45 <DIR> --d----- c:\program files\ComcastUI
2009-07-21 14:09 <DIR> --dsh--- c:\documents and settings\hp_administrator\IECompatCache
2009-07-14 03:01 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-13 21:32 268,648 a------- c:\windows\system32\mucltui.dll
2009-07-13 21:32 208,744 a------- c:\windows\system32\muweb.dll
2009-07-13 21:32 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-07-13 14:19 <DIR> --d----- c:\docume~1\hp_adm~1\applic~1\MSNInstaller
2009-07-13 03:18 <DIR> --d----- c:\documents and settings\hp_administrator\Tracing
2009-07-13 03:17 <DIR> --d----- c:\program files\Microsoft
2009-07-13 03:16 <DIR> --d----- c:\program files\Windows Live SkyDrive
2009-07-13 03:12 <DIR> --d----- c:\program files\common files\Windows Live
2009-07-11 00:34 <DIR> --dsh--- c:\documents and settings\hp_administrator\PrivacIE
2009-07-11 00:33 <DIR> --dsh--- c:\documents and settings\hp_administrator\IETldCache
2009-07-11 00:31 <DIR> --d----- c:\windows\ie8updates
2009-07-11 00:30 <DIR> --d----- c:\program files\AOL Search Toolbar
2009-07-11 00:30 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AOL Search Toolbar
2009-07-11 00:30 <DIR> --d----- c:\program files\common files\Search Protection
2009-07-11 00:30 <DIR> --d----- c:\program files\common files\Software Update Utility
2009-07-11 00:30 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-07-11 00:28 <DIR> -cd-h--- c:\windows\ie8
2009-07-11 00:10 102,912 -------- c:\windows\system32\dllcache\iecompat.dll
2009-07-11 00:10 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-11 00:10 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

==================== Find3M ====================

2009-08-05 22:34 38,400 a--sh--- c:\windows\system32\tifupeva.dll
2009-08-05 20:43 19,612 a------- c:\program files\common files\bijirifiwa.dl
2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 13:13 335,752 a------- c:\windows\system32\drivers\avgldx86.sys
2009-07-03 13:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-27 16:01 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-06-16 10:55 119,808 -------- c:\windows\system32\t2embed.dll
2009-06-16 10:55 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 10:55 82,432 -------- c:\windows\system32\fontsub.dll
2009-06-16 10:55 82,432 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-03 15:24 1,291,264 a------- c:\windows\system32\quartz.dll
2009-06-03 15:24 1,291,264 -------- c:\windows\system32\dllcache\quartz.dll
2009-05-19 19:25 3,506 a------- c:\docume~1\hp_adm~1\applic~1\wklnhst.dat
2008-10-23 15:37 14,740 a------- c:\program files\common files\dytic.dat
2008-10-23 15:37 14,519 a------- c:\docume~1\alluse~1\applic~1\xihe.dat
2008-10-23 15:37 14,202 a------- c:\docume~1\alluse~1\applic~1\dikorokyxo.vbs
2008-10-23 15:37 13,075 a------- c:\program files\common files\sohaloc.pif
2008-10-23 15:37 10,939 a------- c:\docume~1\hp_adm~1\applic~1\fasagase.reg
2008-10-23 15:37 10,006 a------- c:\program files\common files\syde.pif
2008-09-05 16:47 24 a------- c:\documents and settings\hp_administrator\jagex_runescape_preferences.dat
2008-03-10 18:14 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2006-12-01 19:15 22 a--sh--- c:\windows\sminst\HPCD.SYS

============= FINISH: 18:58:19.32 ===============
Hope you can help me out :D
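The lines a responder would zero in on in the HijackThis log above are the two O4 entries named `hagirohevi`, which load `pemuwiru.dll` through Rundll32 under the LOCAL SERVICE and NETWORK SERVICE hives. The script below is an added example written for this page; it is not part of the thread, of HijackThis, or of any BleepingComputer tool. It parses O4 lines, scores each autorun on three traits visible in that log (Run value under a service-account SID, rundll32 loading a DLL with a generated-looking name, the same entry replicated across hives), and reports the ones that cross a threshold. The scoring weights and the "strictly alternating consonant/vowel" name heuristic are my own assumptions, chosen to separate those two lines from the HP, AVG, NVIDIA and Steam entries around them; they are a triage aid, not a verdict. The sample log is constructed from a subset of the O4 lines in the post.

```python
"""Heuristic triage of HijackThis O4 (autorun) lines.

Added example, not part of the forum thread or of HijackThis itself.
The scoring rules are assumptions: they encode the traits that make the
two 'hagirohevi' entries in the posted log stand out, and will neither
catch every malicious autorun nor clear every legitimate one.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of the O4 lines from the HijackThis log in post #1.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [hagirohevi] Rundll32.exe "C:\WINDOWS\system32\pemuwiru.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [hagirohevi] Rundll32.exe "C:\WINDOWS\system32\pemuwiru.dll",s (User 'NETWORK SERVICE')
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command> (User '<account>')   (user part optional)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.I)
SERVICE_SID_RE = re.compile(r"S-1-5-(?:19|20)\b")  # LOCAL SERVICE / NETWORK SERVICE
VOWELS = set("aeiou")


@dataclass
class O4Entry:
    hive: str            # e.g. HKLM, HKCU, HKUS\S-1-5-19
    name: str            # registry value name shown in [brackets]
    cmd: str             # command line that is launched
    user: Optional[str]  # trailing (User '...') annotation, if any
    raw: str


@dataclass
class Finding:
    entry: O4Entry
    score: int
    reasons: List[str] = field(default_factory=list)


def parse_o4(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None  # not a Run-key O4 line (startup-folder lines are skipped)
    return O4Entry(m["hive"], m["name"], m["cmd"], m["user"], line.strip())


def parse_log(text: str) -> List[O4Entry]:
    return [e for e in (parse_o4(ln) for ln in text.splitlines()) if e]


def rundll32_target(cmd: str) -> Optional[str]:
    """Return the file stem of the DLL that rundll32 is asked to load, or None."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return None
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1][:-4]


def looks_generated(name: str) -> bool:
    """Assumed heuristic: names made only of letters that strictly alternate
    consonant/vowel (hagirohevi, pemuwiru) read as machine-generated; real
    product names nearly always carry a consonant cluster (ehtray, avgtray, nvcpl)."""
    s = name.lower()
    if len(s) < 6 or not s.isascii() or not s.isalpha():
        return False
    kinds = [c in VOWELS for c in s]
    return all(a != b for a, b in zip(kinds, kinds[1:]))


def score_entry(entry: O4Entry, all_entries: List[O4Entry]) -> Finding:
    f = Finding(entry, 0)
    svc_user = (entry.user or "").upper() in ("LOCAL SERVICE", "NETWORK SERVICE")
    if SERVICE_SID_RE.search(entry.hive) or svc_user:
        f.score += 2
        f.reasons.append("Run value under a service-account hive (these accounts never log on interactively)")
    dll = rundll32_target(entry.cmd)
    if dll and looks_generated(dll):
        f.score += 2
        f.reasons.append(f"rundll32 loads a DLL with a generated-looking name: {dll}.dll")
    if looks_generated(entry.name):
        f.score += 1
        f.reasons.append(f"value name looks generated: {entry.name}")
    twins = [e for e in all_entries if e is not entry
             and e.name.lower() == entry.name.lower() and e.cmd.lower() == entry.cmd.lower()]
    if twins:
        f.score += 1
        f.reasons.append(f"identical entry replicated in {len(twins)} other hive(s)")
    return f


def suspicious_entries(text: str, threshold: int = 2) -> List[Finding]:
    entries = parse_log(text)
    return [f for f in (score_entry(e, entries) for e in entries) if f.score >= threshold]


if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_LOG):
        print(f"[score {f.score}] {f.entry.raw}")
        for r in f.reasons:
            print("   -", r)
```

Run against the sample, only the two `hagirohevi` lines cross the threshold (score 6 each); the HP, AVG, NVIDIA and Steam autoruns score 0. The point of the service-hive rule is the one that generalises: a Run value under S-1-5-19 or S-1-5-20 has no legitimate reason to exist, because those accounts never get an interactive desktop, so any entry there is worth submitting for analysis regardless of how its name looks.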


#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:05:02 AM

Posted 10 August 2009 - 12:21 PM

Hi,

Go to this page.
Enter the URL of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file:

C:\Program Files\Common Files\Search Protection\sp.dll

Select it and click OK.
Then click the Send File button below.

Do the same for the following file:

c:\program files\common files\search protection\spHost.exe

Also, can you tell me where you downloaded this "Search protection" program? Can you give me the link?

Also, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 Karalex

Karalex
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:02 PM

Posted 10 August 2009 - 02:44 PM

As to the "Search protection" thing, I have no idea where it came from; it may have been on my comp when I bought it. I got it from Circuit City and they installed all the programs on it, so that may be it.

I ran ComboFix, and disabled all my anti-virus/firewalls and such before I ran it. Here is the log:

ComboFix 09-08-10.01 - HP_Administrator 08/10/2009 15:26.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1469 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-10 14:58 . 2009-08-10 14:58 -------- d-----w- c:\windows\LastGood
2009-08-09 23:28 . 2009-08-09 23:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Creative
2009-08-09 22:49 . 2009-08-09 22:49 -------- d-----w- c:\program files\Trend Micro
2009-08-09 22:06 . 1999-10-10 17:00 41984 ------w- c:\windows\Ctregrun.exe
2009-08-09 22:05 . 2009-08-09 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-08-09 22:04 . 2009-08-09 22:06 -------- d-----w- c:\program files\Creative
2009-08-06 02:59 . 2009-08-06 02:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-08-06 02:59 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 02:59 . 2009-08-06 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 02:59 . 2009-08-06 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 02:59 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 02:42 . 2009-08-06 02:42 18450 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat
2009-08-06 02:42 . 2009-08-06 02:42 17486 ----a-w- c:\windows\system32\meratidaq.scr
2009-08-06 02:42 . 2009-08-06 02:42 16893 ----a-w- c:\documents and settings\HP_Administrator\Application Data\zyqyrujid.pif
2009-08-06 02:42 . 2009-08-06 02:42 16348 ----a-w- c:\windows\jateru.vbs
2009-08-06 02:42 . 2009-08-06 02:42 16337 ----a-w- c:\windows\ewuqubyvuv.sys
2009-08-06 02:42 . 2009-08-06 02:42 13928 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\orukib.bat
2009-08-06 02:38 . 2009-08-06 02:38 19297 ----a-w- c:\windows\izadoxiv.pif
2009-08-06 02:38 . 2009-08-06 02:38 17118 ----a-w- c:\windows\kusemo.reg
2009-08-06 02:38 . 2009-08-06 02:38 16617 ----a-w- c:\windows\system32\lizyhoka.dat
2009-08-06 02:38 . 2009-08-06 02:38 16601 ----a-w- c:\windows\system32\ytaseheda.exe
2009-08-06 02:38 . 2009-08-06 02:38 15862 ----a-w- c:\windows\system32\kajiveki.exe
2009-08-06 02:38 . 2009-08-06 02:38 15824 ----a-w- c:\windows\ehudexeleh.sys
2009-08-06 02:38 . 2009-08-06 02:38 13148 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\irywyd.dat
2009-08-06 02:38 . 2009-08-06 02:38 12727 ----a-w- c:\windows\imutymo.vbs
2009-08-06 02:38 . 2009-08-06 02:38 11371 ----a-w- c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll
2009-08-06 02:38 . 2009-08-06 02:38 11085 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\qiro.dat
2009-08-06 02:27 . 2009-08-06 02:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-06 00:43 . 2009-08-06 00:43 19600 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\oxyduquqi.scr
2009-08-06 00:43 . 2009-08-06 00:43 16837 ----a-w- c:\windows\hohyfygan.exe
2009-08-06 00:43 . 2009-08-06 00:43 16039 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wusixax.dll
2009-08-06 00:43 . 2009-08-06 00:43 12893 ----a-w- c:\windows\zonopucyx.pif
2009-08-06 00:43 . 2009-08-06 00:43 10397 ----a-w- c:\windows\upaqenyje.dat
2009-08-06 00:43 . 2009-08-06 00:43 17114 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\emal.scr
2009-08-06 00:43 . 2009-08-06 00:43 17076 ----a-w- c:\windows\uvuqonev.vbs
2009-08-06 00:43 . 2009-08-06 00:43 16933 ----a-w- c:\program files\Common Files\anonidib.pif
2009-08-06 00:43 . 2009-08-06 00:43 12307 ----a-w- c:\documents and settings\All Users\Application Data\ufyvucaqa.bat
2009-08-06 00:43 . 2009-08-06 00:43 10674 ----a-w- c:\windows\foqeriwu.vbs
2009-07-31 20:00 . 2009-07-31 20:00 -------- d-----w- c:\windows\system32\LogFiles
2009-07-31 19:46 . 2009-07-31 19:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-31 19:46 . 2009-07-31 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2009-07-31 19:46 . 2009-07-31 19:46 -------- d-----w- c:\program files\Comcast
2009-07-31 19:45 . 2009-08-01 14:13 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\SupportSoft
2009-07-31 19:45 . 2009-07-31 19:46 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-07-31 19:45 . 2009-07-31 19:45 -------- d-----w- c:\program files\ComcastUI
2009-07-21 23:32 . 2009-07-21 23:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-07-21 23:32 . 2009-07-21 23:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
2009-07-21 23:32 . 2009-07-21 23:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\HP
2009-07-21 18:09 . 2009-07-21 18:09 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2009-07-14 07:01 . 2009-07-14 07:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-14 01:32 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-14 01:32 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-13 18:19 . 2009-07-13 18:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-07-13 07:18 . 2009-08-10 07:53 -------- d-----w- c:\documents and settings\HP_Administrator\Tracing
2009-07-13 07:17 . 2009-07-13 07:17 -------- d-----w- c:\program files\Microsoft
2009-07-13 07:16 . 2009-07-13 07:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-13 07:16 . 2009-07-13 07:16 -------- d-----w- c:\program files\Windows Live
2009-07-13 07:12 . 2009-07-13 07:12 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 14:56 . 2008-07-30 06:24 -------- d-----w- c:\program files\Steam
2009-08-10 05:28 . 2008-04-03 22:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-08-09 22:06 . 2006-08-24 14:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-07 22:15 . 2008-03-09 02:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2009-08-07 22:14 . 2008-03-10 22:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-08-06 02:42 . 2009-08-06 02:42 17562 ----a-w- c:\documents and settings\All Users\Application Data\kubikopemu.reg
2009-08-06 02:38 . 2009-08-06 02:38 13569 ----a-w- c:\documents and settings\HP_Administrator\Application Data\dajeg.vbs
2009-08-06 02:34 . 2009-05-06 02:34 38400 --sha-w- c:\windows\system32\tifupeva.dll
2009-08-06 00:43 . 2009-08-06 00:43 14401 ----a-w- c:\documents and settings\All Users\Application Data\atifixaxyc.dat
2009-08-06 00:43 . 2009-08-06 00:43 19612 ----a-w- c:\program files\Common Files\bijirifiwa.dl
2009-08-06 00:43 . 2009-08-06 00:43 16752 ----a-w- c:\documents and settings\HP_Administrator\Application Data\ymiqicuder.vbs
2009-08-04 15:53 . 2008-05-04 23:10 -------- d-----w- c:\program files\World of Warcraft
2009-07-17 17:13 . 2008-10-24 20:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-13 07:17 . 2006-08-24 14:11 55928 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\program files\AOL Search Toolbar
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Search Toolbar
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\program files\Common Files\Search Protection
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-07-03 17:09 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 20:30 . 2009-06-28 20:30 -------- d-----w- c:\program files\Curse
2009-06-27 20:01 . 2008-10-24 20:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-27 20:01 . 2008-10-24 20:26 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 16:18 . 2009-06-26 16:18 102400 ----a-w- c:\documents and settings\All Users\Application Data\AOL Search Toolbar\ieToolbar\resources\en-US\aolsearchtbres.dll
2009-06-16 14:55 . 2004-08-10 04:00 82432 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-12 07:19 . 2009-06-12 07:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-03 19:24 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 15:35 . 2009-06-02 15:35 4878336 ----a-w- c:\documents and settings\HP_Administrator\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\Legions.exe
2009-06-02 15:35 . 2009-06-02 15:35 3727720 ----a-w- c:\documents and settings\HP_Administrator\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\d3dx9_35.dll
2009-06-02 15:35 . 2009-06-02 15:35 345088 ----a-w- c:\documents and settings\HP_Administrator\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\fmodex.dll
2009-05-19 23:25 . 2008-03-08 23:12 3506 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-10-23 19:37 . 2008-10-23 19:37 14740 ----a-w- c:\program files\Common Files\dytic.dat
2008-10-23 19:37 . 2008-10-23 19:37 13075 ----a-w- c:\program files\Common Files\sohaloc.pif
2008-10-23 19:37 . 2008-10-23 19:37 10006 ----a-w- c:\program files\Common Files\syde.pif
2006-12-01 23:15 . 2008-03-09 00:56 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------


[7] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[7] 2004-08-04 12:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[7] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\Driver Cache\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\aec.sys
[7] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\dllcache\aec.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\drivers\aec.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{DEE1F01A-E6A8-4740-B420-3C521F234F74}"= "c:\program files\Common Files\Search Protection\sp.dll" [2009-06-24 107816]

[HKEY_CLASSES_ROOT\clsid\{dee1f01a-e6a8-4740-b420-3c521f234f74}]
[HKEY_CLASSES_ROOT\sp.spBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{041E26B2-4F53-4ACD-9D61-2204FDB64AC3}]
[HKEY_CLASSES_ROOT\sp.spBHO]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-08-06 279944]

[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 68856]
"Steam"="c:\program files\steam\steam.exe" [2009-06-10 1217784]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-27 1948440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-17 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-17 86016]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-24 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-27 20:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\DISC\\DISCUpdMgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Dowloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 4:26 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2008 4:26 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/24/2008 4:26 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/24/2008 4:26 PM 298776]
R2 SPHost;SPHost;c:\program files\Common Files\Search Protection\spHost.exe [6/24/2009 2:38 PM 107816]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-PCDrProfiler - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{B1C5B118-8240-47a6-AE84-103B05FB5AEF} - c:\program files\Common Files\Search Protection\spControl.exe
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fexbmhme.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false);user_pref(general.useragent.extra.zencast, Creative ZENcast v1.02.08.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 15:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-08-10 15:38
ComboFix-quarantined-files.txt 2009-08-10 19:38

Pre-Run: 185,975,672,832 bytes free
Post-Run: 187,133,911,040 bytes free

221 --- E O F --- 2009-08-10 07:01

#4 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 August 2009 - 03:13 PM

Hi,

The Search Protection component appears to be part of AOL, so it's ok. :thumbup2:

Please uninstall the Ask Toolbar via Control Panel > Add/Remove Programs, since this one is not recommended.
Reboot afterwards.

* Open Notepad. Don't use any text editor other than Notepad, or the script will fail.
Copy/paste the text in the quote box below into Notepad:

File::
c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat
c:\windows\system32\meratidaq.scr
c:\documents and settings\HP_Administrator\Application Data\zyqyrujid.pif
c:\windows\jateru.vbs
c:\windows\ewuqubyvuv.sys
c:\documents and settings\HP_Administrator\Local Settings\Application Data\orukib.bat
c:\windows\izadoxiv.pif
c:\windows\kusemo.reg
c:\windows\system32\lizyhoka.dat
c:\windows\system32\ytaseheda.exe
c:\windows\system32\kajiveki.exe
c:\windows\ehudexeleh.sys
c:\documents and settings\HP_Administrator\Local Settings\Application Data\irywyd.dat
c:\windows\imutymo.vbs
c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll
c:\documents and settings\HP_Administrator\Local Settings\Application Data\qiro.dat
c:\documents and settings\HP_Administrator\Local Settings\Application Data\oxyduquqi.scr
c:\windows\hohyfygan.exe
c:\documents and settings\HP_Administrator\Application Data\wusixax.dll
c:\windows\zonopucyx.pif
c:\windows\upaqenyje.dat
c:\documents and settings\HP_Administrator\Local Settings\Application Data\emal.scr
c:\windows\uvuqonev.vbs
c:\program files\Common Files\anonidib.pif
c:\documents and settings\All Users\Application Data\ufyvucaqa.bat
c:\windows\foqeriwu.vbs
c:\documents and settings\All Users\Application Data\kubikopemu.reg
c:\documents and settings\HP_Administrator\Application Data\dajeg.vbs
c:\windows\system32\tifupeva.dll
c:\documents and settings\All Users\Application Data\atifixaxyc.dat
c:\program files\Common Files\bijirifiwa.dl
c:\documents and settings\HP_Administrator\Application Data\ymiqicuder.vbs
c:\program files\Common Files\dytic.dat
c:\program files\Common Files\sohaloc.pif
c:\program files\Common Files\syde.pif


Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as you see in the screenshot below.

[screenshot: CFScript.txt dragged onto ComboFix.exe]

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.

Once we are done here, you need to update to Service Pack 3 ASAP, because you are missing some system files and updating should restore them.
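The three things the helper reads off the ComboFix log above can be pulled out mechanically: a batch of random-named .bat/.scr/.pif/.vbs/.sys/.exe/.dll/.reg/.dat files all created within the same minute (02:38, 02:42 and 00:43 on 2009-08-06), the firewall switched off under the sharedaccess firewallpolicy key together with Security Center told to stop monitoring the Symantec firewall, and beep.sys/aec.sys reported missing by the Sigcheck pass. The script below is an added example, not ComboFix's own code and not something anyone posted in this thread. It runs on a constructed excerpt modelled on the log lines above; the burst threshold (three files in one minute), the extension list and the "pronounceable gibberish" name check are my assumptions, not anything ComboFix itself does.

```python
"""Triage a ComboFix log for the indicators in this thread: bursts of freshly written,
random-named payload files; the firewall disabled in the registry; drivers reported
missing. Added example, not ComboFix code; thresholds and heuristics are assumptions."""
import ntpath
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's log. Columns: created . last-write size attrs path
SAMPLE_LOG = r"""
2009-08-06 02:42 . 2009-08-06 02:42 18450 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat
2009-08-06 02:42 . 2009-08-06 02:42 17486 ----a-w- c:\windows\system32\meratidaq.scr
2009-08-06 02:42 . 2009-08-06 02:42 16348 ----a-w- c:\windows\jateru.vbs
2009-08-06 02:42 . 2009-08-06 02:42 16337 ----a-w- c:\windows\ewuqubyvuv.sys
2009-08-06 02:38 . 2009-08-06 02:38 16601 ----a-w- c:\windows\system32\ytaseheda.exe
2009-08-06 02:38 . 2009-08-06 02:38 15862 ----a-w- c:\windows\system32\kajiveki.exe
2009-08-06 02:38 . 2009-08-06 02:38 17118 ----a-w- c:\windows\kusemo.reg
2009-08-06 02:34 . 2009-05-06 02:34 38400 --sha-w- c:\windows\system32\tifupeva.dll
2009-07-14 01:32 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-13 07:16 . 2009-07-13 07:16 -------- d-----w- c:\program files\Windows Live
c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\drivers\aec.sys ... is missing !!
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
"""

STAMP = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}"
FILE_LINE = re.compile(rf"^(?P<created>{STAMP}) \. (?P<written>{STAMP}) "
                       r"(?P<size>\S+) (?P<attrs>\S{8}) (?P<path>.+)$")
MISSING_LINE = re.compile(r"^(?P<path>c:\\.+?) \.\.\. is missing !!$", re.I)
REG_KEY = re.compile(r"^\[(?P<key>.+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.+)$')
# Extensions the dropper used in this log (.dl is the truncated name it left in Common Files).
PAYLOAD_EXTS = {".exe", ".dll", ".dl", ".scr", ".pif", ".bat", ".cmd", ".com", ".vbs", ".sys", ".reg", ".dat"}

def looks_random(stem):
    """Pronounceable gibberish: lowercase letters only, 4..12 long, balanced vowel share.
    Weak on its own (legit short names pass too); the time correlation below discriminates."""
    if not (4 <= len(stem) <= 12) or not stem.isalpha() or not stem.islower():
        return False
    return 0.3 <= sum(c in set("aeiouy") for c in stem) / len(stem) <= 0.7

def parse(log_text):
    """Split the log into file entries, 'is missing' lines and (key, name, value) triples."""
    entries, missing, reg, key = [], [], [], None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := FILE_LINE.match(line):
            entries.append(m.groupdict())
        elif m := MISSING_LINE.match(line):
            missing.append(m.group("path"))
        elif m := REG_KEY.match(line):
            key = m.group("key")
        elif key and (m := REG_VALUE.match(line)):
            reg.append((key, m.group("name"), m.group("value").strip()))
    return entries, missing, reg

def find_drop_bursts(entries, min_files=3):
    """Freshly written payload-type files (created == last-write, so not copied out of an
    installer) grouped by creation minute; min_files or more in one minute is a burst."""
    by_minute = defaultdict(list)
    for e in entries:
        if e["attrs"].startswith("d") or e["created"] != e["written"]:
            continue  # directory, or a file whose content predates its arrival here
        stem, ext = ntpath.splitext(ntpath.basename(e["path"]))
        if ext.lower() in PAYLOAD_EXTS and looks_random(stem):
            by_minute[e["created"]].append(e["path"])
    return {minute: sorted(p) for minute, p in by_minute.items() if len(p) >= min_files}

def find_hidden_system_files(entries):
    """Files under \\windows carrying both system and hidden attributes. A lead, not a
    verdict: HP's own HPCD.SYS carries the same attributes elsewhere in this log."""
    return [e["path"] for e in entries
            if not e["attrs"].startswith("d") and {"s", "h"} <= set(e["attrs"])
            and "\\windows\\" in e["path"].lower()]

def firewall_findings(reg):
    """Registry values behind the 'my firewall is turned off' symptom."""
    out = []
    for key, name, value in reg:
        if name == "EnableFirewall" and "firewallpolicy" in key.lower() and value.startswith("0"):
            out.append(f"Windows Firewall disabled: [{key}]")
        if name == "DisableMonitoring" and "security center" in key.lower() and value.lower() == "dword:00000001":
            out.append(f"Security Center firewall monitoring disabled: [{key}]")
    return out

def to_cfscript(paths):
    """The CFScript 'File::' block used in the thread. ComboFix deletes whatever is
    listed, so every path must be vetted by hand before it goes in here."""
    return "File::\n" + "\n".join(paths) + "\n"

def triage(log_text):
    entries, missing, reg = parse(log_text)
    return {"bursts": find_drop_bursts(entries), "hidden_system": find_hidden_system_files(entries),
            "firewall": firewall_findings(reg), "missing": missing}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for section, hits in result.items():
        print(section, hits)
    print(to_cfscript(sorted(p for ps in result["bursts"].values() for p in ps)))
```

Run as-is it reports the two bursts (02:38 with three files, 02:42 with four), the hidden tifupeva.dll, both firewall findings and the two missing drivers; point triage() at a full ComboFix.txt to get the same list for a real machine. The discriminator is the time correlation (creation time equal to last-write time, several such files in one minute), not the name heuristic, which a legitimate file like mucltui.dll would also pass on its own. to_cfscript() only formats what it is handed: ComboFix removes every listed path, so the list still has to be checked by a person the way the helper does in the thread.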

#5 Karalex
  • Topic Starter
  • Members
  • 5 posts

Posted 10 August 2009 - 05:19 PM

All instructions done, posting log

ComboFix 09-08-10.01 - HP_Administrator 08/10/2009 18:07.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1484 [GMT -4:00]
Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

FILE ::
"c:\documents and settings\All Users\Application Data\atifixaxyc.dat"
"c:\documents and settings\All Users\Application Data\kubikopemu.reg"
"c:\documents and settings\All Users\Application Data\ufyvucaqa.bat"
"c:\documents and settings\HP_Administrator\Application Data\dajeg.vbs"
"c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll"
"c:\documents and settings\HP_Administrator\Application Data\wusixax.dll"
"c:\documents and settings\HP_Administrator\Application Data\ymiqicuder.vbs"
"c:\documents and settings\HP_Administrator\Application Data\zyqyrujid.pif"
"c:\documents and settings\HP_Administrator\Local Settings\Application Data\emal.scr"
"c:\documents and settings\HP_Administrator\Local Settings\Application Data\irywyd.dat"
"c:\documents and settings\HP_Administrator\Local Settings\Application Data\orukib.bat"
"c:\documents and settings\HP_Administrator\Local Settings\Application Data\oxyduquqi.scr"
"c:\documents and settings\HP_Administrator\Local Settings\Application Data\qiro.dat"
"c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat"
"c:\program files\Common Files\anonidib.pif"
"c:\program files\Common Files\bijirifiwa.dl"
"c:\program files\Common Files\dytic.dat"
"c:\program files\Common Files\sohaloc.pif"
"c:\program files\Common Files\syde.pif"
"c:\windows\ehudexeleh.sys"
"c:\windows\ewuqubyvuv.sys"
"c:\windows\foqeriwu.vbs"
"c:\windows\hohyfygan.exe"
"c:\windows\imutymo.vbs"
"c:\windows\izadoxiv.pif"
"c:\windows\jateru.vbs"
"c:\windows\kusemo.reg"
"c:\windows\system32\kajiveki.exe"
"c:\windows\system32\lizyhoka.dat"
"c:\windows\system32\meratidaq.scr"
"c:\windows\system32\tifupeva.dll"
"c:\windows\system32\ytaseheda.exe"
"c:\windows\upaqenyje.dat"
"c:\windows\uvuqonev.vbs"
"c:\windows\zonopucyx.pif"
.

((((((((((((((((((((((((( Files Created from 2009-07-10 to 2009-08-10 )))))))))))))))))))))))))))))))
.

2009-08-09 23:28 . 2009-08-09 23:29 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Creative
2009-08-09 22:49 . 2009-08-09 22:49 -------- d-----w- c:\program files\Trend Micro
2009-08-09 22:06 . 1999-10-10 17:00 41984 ------w- c:\windows\Ctregrun.exe
2009-08-09 22:05 . 2009-08-09 22:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Creative
2009-08-09 22:04 . 2009-08-09 22:06 -------- d-----w- c:\program files\Creative
2009-08-06 02:59 . 2009-08-06 02:59 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Malwarebytes
2009-08-06 02:59 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-06 02:59 . 2009-08-06 02:59 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-06 02:59 . 2009-08-06 02:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-06 02:59 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-06 02:42 . 2009-08-06 02:42 18450 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat
2009-08-06 02:42 . 2009-08-06 02:42 17486 ----a-w- c:\windows\system32\meratidaq.scr
2009-08-06 02:42 . 2009-08-10 22:07 16337 ----a-w- c:\windows\ewuqubyvuv.sys
2009-08-06 02:42 . 2009-08-06 02:42 16893 ----a-w- c:\documents and settings\HP_Administrator\Application Data\zyqyrujid.pif
2009-08-06 02:42 . 2009-08-06 02:42 16348 ----a-w- c:\windows\jateru.vbs
2009-08-06 02:42 . 2009-08-06 02:42 13928 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\orukib.bat
2009-08-06 02:38 . 2009-08-10 22:07 16601 ----a-w- c:\windows\system32\ytaseheda.exe
2009-08-06 02:38 . 2009-08-10 22:07 15862 ----a-w- c:\windows\system32\kajiveki.exe
2009-08-06 02:38 . 2009-08-10 22:07 15824 ----a-w- c:\windows\ehudexeleh.sys
2009-08-06 02:38 . 2009-08-10 22:07 11371 ----a-w- c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll
2009-08-06 02:38 . 2009-08-06 02:38 19297 ----a-w- c:\windows\izadoxiv.pif
2009-08-06 02:38 . 2009-08-06 02:38 17118 ----a-w- c:\windows\kusemo.reg
2009-08-06 02:38 . 2009-08-06 02:38 16617 ----a-w- c:\windows\system32\lizyhoka.dat
2009-08-06 02:38 . 2009-08-06 02:38 13148 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\irywyd.dat
2009-08-06 02:38 . 2009-08-06 02:38 12727 ----a-w- c:\windows\imutymo.vbs
2009-08-06 02:38 . 2009-08-06 02:38 11085 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\qiro.dat
2009-08-06 02:27 . 2009-08-06 02:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-06 00:43 . 2009-08-10 22:07 16837 ----a-w- c:\windows\hohyfygan.exe
2009-08-06 00:43 . 2009-08-10 22:07 16039 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wusixax.dll
2009-08-06 00:43 . 2009-08-06 00:43 19600 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\oxyduquqi.scr
2009-08-06 00:43 . 2009-08-06 00:43 12893 ----a-w- c:\windows\zonopucyx.pif
2009-08-06 00:43 . 2009-08-06 00:43 10397 ----a-w- c:\windows\upaqenyje.dat
2009-08-06 00:43 . 2009-08-06 00:43 17114 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\emal.scr
2009-08-06 00:43 . 2009-08-06 00:43 17076 ----a-w- c:\windows\uvuqonev.vbs
2009-08-06 00:43 . 2009-08-06 00:43 16933 ----a-w- c:\program files\Common Files\anonidib.pif
2009-08-06 00:43 . 2009-08-06 00:43 12307 ----a-w- c:\documents and settings\All Users\Application Data\ufyvucaqa.bat
2009-08-06 00:43 . 2009-08-06 00:43 10674 ----a-w- c:\windows\foqeriwu.vbs
2009-07-31 20:00 . 2009-07-31 20:00 -------- d-----w- c:\windows\system32\LogFiles
2009-07-31 19:46 . 2009-07-31 19:46 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-31 19:46 . 2009-07-31 19:46 -------- d-----w- c:\documents and settings\All Users\Application Data\SupportSoft
2009-07-31 19:46 . 2009-07-31 19:46 -------- d-----w- c:\program files\Comcast
2009-07-31 19:45 . 2009-08-01 14:13 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\SupportSoft
2009-07-31 19:45 . 2009-07-31 19:46 -------- d-----w- c:\program files\Common Files\SupportSoft
2009-07-31 19:45 . 2009-07-31 19:45 -------- d-----w- c:\program files\ComcastUI
2009-07-21 23:32 . 2009-07-21 23:32 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HP
2009-07-21 23:32 . 2009-07-21 23:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\IsolatedStorage
2009-07-21 23:32 . 2009-07-21 23:32 -------- d-----w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\HP
2009-07-21 18:09 . 2009-07-21 18:09 -------- d-sh--w- c:\documents and settings\HP_Administrator\IECompatCache
2009-07-14 07:01 . 2009-07-14 07:01 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-07-14 01:32 . 2008-10-16 18:06 268648 ----a-w- c:\windows\system32\mucltui.dll
2009-07-14 01:32 . 2008-10-16 18:06 208744 ----a-w- c:\windows\system32\muweb.dll
2009-07-13 18:19 . 2009-07-13 18:19 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\MSNInstaller
2009-07-13 07:18 . 2009-08-10 07:53 -------- d-----w- c:\documents and settings\HP_Administrator\Tracing
2009-07-13 07:17 . 2009-07-13 07:17 -------- d-----w- c:\program files\Microsoft
2009-07-13 07:16 . 2009-07-13 07:16 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-07-13 07:16 . 2009-07-13 07:16 -------- d-----w- c:\program files\Windows Live
2009-07-13 07:12 . 2009-07-13 07:12 -------- d-----w- c:\program files\Common Files\Windows Live

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-10 22:07 . 2009-05-06 02:34 38400 --sha-w- c:\windows\system32\tifupeva.dll
2009-08-10 22:02 . 2008-07-30 06:24 -------- d-----w- c:\program files\Steam
2009-08-10 05:28 . 2008-04-03 22:21 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\LimeWire
2009-08-09 22:06 . 2006-08-24 14:12 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-07 22:15 . 2008-03-09 02:52 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\Skype
2009-08-07 22:14 . 2008-03-10 22:14 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\skypePM
2009-08-06 02:42 . 2009-08-06 02:42 17562 ----a-w- c:\documents and settings\All Users\Application Data\kubikopemu.reg
2009-08-06 02:38 . 2009-08-06 02:38 13569 ----a-w- c:\documents and settings\HP_Administrator\Application Data\dajeg.vbs
2009-08-06 00:43 . 2009-08-06 00:43 14401 ----a-w- c:\documents and settings\All Users\Application Data\atifixaxyc.dat
2009-08-06 00:43 . 2009-08-06 00:43 19612 ----a-w- c:\program files\Common Files\bijirifiwa.dl
2009-08-06 00:43 . 2009-08-06 00:43 16752 ----a-w- c:\documents and settings\HP_Administrator\Application Data\ymiqicuder.vbs
2009-08-04 15:53 . 2008-05-04 23:10 -------- d-----w- c:\program files\World of Warcraft
2009-07-17 17:13 . 2008-10-24 20:26 335752 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-13 07:17 . 2006-08-24 14:11 55928 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\program files\AOL Search Toolbar
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Search Toolbar
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\program files\Common Files\Search Protection
2009-07-11 04:30 . 2009-07-11 04:30 -------- d-----w- c:\program files\Common Files\Software Update Utility
2009-07-03 17:09 . 2004-08-10 04:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-28 20:30 . 2009-06-28 20:30 -------- d-----w- c:\program files\Curse
2009-06-27 20:01 . 2008-10-24 20:26 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-27 20:01 . 2008-10-24 20:26 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-26 16:18 . 2009-06-26 16:18 102400 ----a-w- c:\documents and settings\All Users\Application Data\AOL Search Toolbar\ieToolbar\resources\en-US\aolsearchtbres.dll
2009-06-16 14:55 . 2004-08-10 04:00 82432 ------w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2004-08-10 04:00 119808 ------w- c:\windows\system32\t2embed.dll
2009-06-12 07:19 . 2009-06-12 07:19 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-06-03 19:24 . 2004-08-10 04:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-06-02 15:35 . 2009-06-02 15:35 4878336 ----a-w- c:\documents and settings\HP_Administrator\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\Legions.exe
2009-06-02 15:35 . 2009-06-02 15:35 3727720 ----a-w- c:\documents and settings\HP_Administrator\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\d3dx9_35.dll
2009-06-02 15:35 . 2009-06-02 15:35 345088 ----a-w- c:\documents and settings\HP_Administrator\Application Data\GarageGames\IAPlayer\products\www_instantaction_com\102\install\fmodex.dll
2009-05-19 23:25 . 2008-03-08 23:12 3506 ----a-w- c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2008-10-23 19:37 . 2008-10-23 19:37 14740 ----a-w- c:\program files\Common Files\dytic.dat
2008-10-23 19:37 . 2008-10-23 19:37 13075 ----a-w- c:\program files\Common Files\sohaloc.pif
2008-10-23 19:37 . 2008-10-23 19:37 10006 ----a-w- c:\program files\Common Files\syde.pif
2006-12-01 23:15 . 2008-03-09 00:56 22 --sha-w- c:\windows\SMINST\HPCD.SYS
.

------- Sigcheck -------


[7] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\$hf_mig$\KB900485\SP2QFE\aec.sys
[7] 2004-08-04 12:39 142464 841F385C6CFAF66B58FBD898722BB4F0 c:\windows\$NtUninstallKB900485$\aec.sys
[7] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\Driver Cache\i386\aec.sys
[-] 2008-04-13 16:39 142592 8BED39E3C35D6A489438B8141717A557 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\aec.sys
[7] 2006-02-15 00:22 142464 1EE7B434BA961EF845DE136224C30FEC c:\windows\system32\dllcache\aec.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\drivers\aec.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{DEE1F01A-E6A8-4740-B420-3C521F234F74}"= "c:\program files\Common Files\Search Protection\sp.dll" [2009-06-24 107816]

[HKEY_CLASSES_ROOT\clsid\{dee1f01a-e6a8-4740-b420-3c521f234f74}]
[HKEY_CLASSES_ROOT\sp.spBHO.1]
[HKEY_CLASSES_ROOT\TypeLib\{041E26B2-4F53-4ACD-9D61-2204FDB64AC3}]
[HKEY_CLASSES_ROOT\sp.spBHO]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-16 68856]
"Steam"="c:\program files\steam\steam.exe" [2009-06-10 1217784]
"CurseClient"="c:\program files\Curse\CurseClient.exe" [2009-07-31 1935360]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2006-06-12 700416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-30 67584]
"DMAScheduler"="c:\program files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-04-13 90112]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-23 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-16 249856]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-27 1948440]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-17 13680640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-02-17 86016]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"ftutil2"="ftutil2.dll" - c:\windows\system32\ftutil2.dll [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-06-14 16239616]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" - c:\windows\arpwrmsg.exe [2005-08-03 77312]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-02-17 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Updates From HP.lnk - c:\program files\Updates from HP\9972322\Program\Updates from HP.exe [2006-8-24 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-27 20:01 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\World of Warcraft\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-3.1.2.9901-to-3.1.3.9947-enUS-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\World of Warcraft\\BackgroundDownloader.exe"=
"c:\\Program Files\\DISC\\DISCUpdMgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Dowloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/24/2008 4:26 PM 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/24/2008 4:26 PM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [10/24/2008 4:26 PM 907032]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [10/24/2008 4:26 PM 298776]
R2 SPHost;SPHost;c:\program files\Common Files\Search Protection\spHost.exe [6/24/2009 2:38 PM 107816]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=PAVILION&pf=desktop
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: {{B1C5B118-8240-47a6-AE84-103B05FB5AEF} - c:\program files\Common Files\Search Protection\spControl.exe
Trusted Zone: trymedia.com
FF - ProfilePath - c:\documents and settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\fexbmhme.default\
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll

---- FIREFOX POLICIES ----
FF - user.js: protocol-handler.warn-external.dnUpdate - false);user_pref(general.useragent.extra.zencast, Creative ZENcast v1.02.08.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-10 18:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\HP_ADM~1\LOCALS~1\Temp\catchme.dll

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-08-10 18:14
ComboFix-quarantined-files.txt 2009-08-10 22:13
ComboFix2.txt 2009-08-10 19:38

Pre-Run: 187,101,876,224 bytes free
Post-Run: 187,104,374,784 bytes free

253 --- E O F --- 2009-08-10 07:01
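The ComboFix log above contains the three findings a responder looks for first: system drivers reported missing, the Windows Firewall policy set to `EnableFirewall = 0`, and Security Center monitoring disabled. The following Python script is an added example, not part of ComboFix or of this thread; it runs a simple triage over a log excerpt constructed from the lines posted above and reports those settings together with any Internet Explorer URLSearchHook, so the reviewer can check each hook path rather than eyeball the whole dump.

```python
import re
from typing import Dict, List

# Excerpt constructed from the ComboFix log posted earlier in this thread.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\beep.sys ... is missing !!
c:\windows\system32\drivers\aec.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{DEE1F01A-E6A8-4740-B420-3C521F234F74}"= "c:\program files\Common Files\Search Protection\sp.dll" [2009-06-24 107816]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# ComboFix reports a missing protected file as "<path> ... is missing !!"
MISSING_RE = re.compile(r'^(?P<path>.+?) \.\.\. is missing !!$')
# Registry key headers look like [HKEY_...] and value lines like "name"=data
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def _int_value(data: str) -> int:
    """Parse either REGEDIT 'dword:00000001' or ComboFix's '0 (0x0)' form."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return int(data.split()[0], 0)


def triage(log: str) -> List[Dict[str, str]]:
    """Walk the log once and collect security-relevant findings in order."""
    findings: List[Dict[str, str]] = []
    key = ""  # lower-cased registry key currently being read
    for line in log.splitlines():
        line = line.rstrip()
        m = MISSING_RE.match(line)
        if m:
            findings.append({"kind": "missing_system_file", "detail": m.group("path")})
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key").lower()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group("name").lower(), m.group("data")
        if "firewallpolicy" in key and name == "enablefirewall" and _int_value(data) == 0:
            findings.append({"kind": "firewall_disabled", "detail": key})
        elif "security center\\monitoring" in key and name == "disablemonitoring" and _int_value(data) == 1:
            findings.append({"kind": "security_center_monitoring_disabled", "detail": key})
        elif key.endswith("urlsearchhooks"):
            # data is '"<dll path>" [date size]'; keep only the quoted path for review
            path = data.split('"')[1] if '"' in data else data
            findings.append({"kind": "browser_search_hook", "detail": f"{m.group('name')} -> {path}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:38} {f['detail']}")
```

The script only reads the log; it changes nothing on the machine. A firewall policy of `0` and `DisableMonitoring = 1` are exactly the symptoms the topic starter described ("my firewall being turned off"), and the two missing drivers match the later advice to reinstall the service pack so that protected system files are restored.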

#6 miekiemoes

  • Malware Response Team

Posted 11 August 2009 - 03:10 AM

Hi,

Not sure what happened here, but even though the files are listed here for deletion, combofix didn't delete them.
Could be a temporary bug in Combofix, so let's try something else to delete them easily.

Please download OTM
  • Save it to your desktop.
  • Please double-click OTM to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat
    c:\windows\system32\meratidaq.scr
    c:\documents and settings\HP_Administrator\Application Data\zyqyrujid.pif
    c:\windows\jateru.vbs
    c:\windows\ewuqubyvuv.sys
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\orukib.bat
    c:\windows\izadoxiv.pif
    c:\windows\kusemo.reg
    c:\windows\system32\lizyhoka.dat
    c:\windows\system32\ytaseheda.exe
    c:\windows\system32\kajiveki.exe
    c:\windows\ehudexeleh.sys
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\irywyd.dat
    c:\windows\imutymo.vbs
    c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\qiro.dat
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\oxyduquqi.scr
    c:\windows\hohyfygan.exe
    c:\documents and settings\HP_Administrator\Application Data\wusixax.dll
    c:\windows\zonopucyx.pif
    c:\windows\upaqenyje.dat
    c:\documents and settings\HP_Administrator\Local Settings\Application Data\emal.scr
    c:\windows\uvuqonev.vbs
    c:\program files\Common Files\anonidib.pif
    c:\documents and settings\All Users\Application Data\ufyvucaqa.bat
    c:\windows\foqeriwu.vbs
    c:\documents and settings\All Users\Application Data\kubikopemu.reg
    c:\documents and settings\HP_Administrator\Application Data\dajeg.vbs
    c:\windows\system32\tifupeva.dll
    c:\documents and settings\All Users\Application Data\atifixaxyc.dat
    c:\program files\Common Files\bijirifiwa.dl
    c:\documents and settings\HP_Administrator\Application Data\ymiqicuder.vbs
    c:\program files\Common Files\dytic.dat
    c:\program files\Common Files\sohaloc.pif
    c:\program files\Common Files\syde.pif
    
    :Commands
    [Reboot]
  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM and reboot your PC.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 Karalex
  • Topic Starter

Posted 11 August 2009 - 03:24 AM

I ran this program and as it ran, it kept giving me "Bad image" error messages; the only option I had was to click "ok". This occurred about 3 times throughout the scan.

Here is the log:

========== FILES ==========
c:\documents and settings\HP_Administrator\Local Settings\Application Data\uqiso.bat moved successfully.
c:\windows\system32\meratidaq.scr moved successfully.
c:\documents and settings\HP_Administrator\Application Data\zyqyrujid.pif moved successfully.
c:\windows\jateru.vbs moved successfully.
c:\windows\ewuqubyvuv.sys moved successfully.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\orukib.bat moved successfully.
c:\windows\izadoxiv.pif moved successfully.
c:\windows\kusemo.reg moved successfully.
c:\windows\system32\lizyhoka.dat moved successfully.
c:\windows\system32\ytaseheda.exe moved successfully.
c:\windows\system32\kajiveki.exe moved successfully.
c:\windows\ehudexeleh.sys moved successfully.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\irywyd.dat moved successfully.
c:\windows\imutymo.vbs moved successfully.
LoadLibrary failed for c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll
c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll NOT unregistered.
c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll moved successfully.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\qiro.dat moved successfully.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\oxyduquqi.scr moved successfully.
c:\windows\hohyfygan.exe moved successfully.
LoadLibrary failed for c:\documents and settings\HP_Administrator\Application Data\wusixax.dll
c:\documents and settings\HP_Administrator\Application Data\wusixax.dll NOT unregistered.
c:\documents and settings\HP_Administrator\Application Data\wusixax.dll moved successfully.
c:\windows\zonopucyx.pif moved successfully.
c:\windows\upaqenyje.dat moved successfully.
c:\documents and settings\HP_Administrator\Local Settings\Application Data\emal.scr moved successfully.
c:\windows\uvuqonev.vbs moved successfully.
c:\program files\Common Files\anonidib.pif moved successfully.
c:\documents and settings\All Users\Application Data\ufyvucaqa.bat moved successfully.
c:\windows\foqeriwu.vbs moved successfully.
c:\documents and settings\All Users\Application Data\kubikopemu.reg moved successfully.
c:\documents and settings\HP_Administrator\Application Data\dajeg.vbs moved successfully.
LoadLibrary failed for c:\windows\system32\tifupeva.dll
c:\windows\system32\tifupeva.dll NOT unregistered.
c:\windows\system32\tifupeva.dll moved successfully.
c:\documents and settings\All Users\Application Data\atifixaxyc.dat moved successfully.
c:\program files\Common Files\bijirifiwa.dl moved successfully.
c:\documents and settings\HP_Administrator\Application Data\ymiqicuder.vbs moved successfully.
c:\program files\Common Files\dytic.dat moved successfully.
c:\program files\Common Files\sohaloc.pif moved successfully.
c:\program files\Common Files\syde.pif moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.6 log created on 08112009_042144
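The OTM script in the previous reply lists the files to move, and the log above reports one line per outcome: `moved successfully.`, `LoadLibrary failed for ...`, and `NOT unregistered.` for DLLs whose COM registration could not be undone. The Python below is an added example, not OTM's own code and not from this thread's participants; it parses a log excerpt constructed from the posted results, checks it against a constructed subset of the requested `:Files` list, and points out DLLs that were moved without being unregistered, since those may still leave registry references that the responder would want to inspect.

```python
import re
from typing import Dict, List

# Excerpt constructed from the OTM result log posted above.
SAMPLE_OTM_LOG = r"""
========== FILES ==========
c:\windows\system32\meratidaq.scr moved successfully.
c:\windows\jateru.vbs moved successfully.
LoadLibrary failed for c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll
c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll NOT unregistered.
c:\documents and settings\HP_Administrator\Application Data\qemiralaq.dll moved successfully.
LoadLibrary failed for c:\windows\system32\tifupeva.dll
c:\windows\system32\tifupeva.dll NOT unregistered.
c:\windows\system32\tifupeva.dll moved successfully.
c:\program files\Common Files\syde.pif moved successfully.
========== COMMANDS ==========

OTM by OldTimer - Version 3.0.0.6 log created on 08112009_042144
"""

# Constructed subset of the :Files list from the responder's OTM script;
# kusemo.reg is deliberately absent from the sample log to show the check.
REQUESTED_FILES = [
    r"c:\windows\system32\meratidaq.scr",
    r"c:\windows\jateru.vbs",
    r"c:\windows\kusemo.reg",
    r"c:\windows\system32\tifupeva.dll",
]

SECTION_RE = re.compile(r'^=+ (?P<name>[A-Z]+) =+$')
MOVED_RE = re.compile(r'^(?P<path>.+) moved successfully\.$')
LOADLIB_RE = re.compile(r'^LoadLibrary failed for (?P<path>.+)$')
NOTUNREG_RE = re.compile(r'^(?P<path>.+) NOT unregistered\.$')


def parse_otm_log(log: str) -> Dict[str, Dict[str, object]]:
    """Return one status record per path seen in the FILES section."""
    entries: Dict[str, Dict[str, object]] = {}
    section = None

    def entry(path: str) -> Dict[str, object]:
        # unregistered is None for files that are not DLLs (nothing to unregister)
        return entries.setdefault(path, {"moved": False, "unregistered": None, "loadlibrary_failed": False})

    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        if section != "FILES" or not line:
            continue
        m = LOADLIB_RE.match(line)
        if m:
            entry(m.group("path"))["loadlibrary_failed"] = True
            continue
        m = NOTUNREG_RE.match(line)
        if m:
            entry(m.group("path"))["unregistered"] = False
            continue
        m = MOVED_RE.match(line)
        if m:
            entry(m.group("path"))["moved"] = True
    return entries


def summarize(entries: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Counts plus the DLLs that moved but whose registration was not removed."""
    return {
        "moved": sum(1 for e in entries.values() if e["moved"]),
        "not_moved": [p for p, e in entries.items() if not e["moved"]],
        "moved_not_unregistered": [p for p, e in entries.items() if e["moved"] and e["unregistered"] is False],
    }


def unmoved(requested: List[str], entries: Dict[str, Dict[str, object]]) -> List[str]:
    """Requested paths the log never reports as moved (Windows paths compare case-insensitively)."""
    moved = {p.lower() for p, e in entries.items() if e["moved"]}
    return [p for p in requested if p.lower() not in moved]


if __name__ == "__main__":
    parsed = parse_otm_log(SAMPLE_OTM_LOG)
    print(summarize(parsed))
    print("not reported as moved:", unmoved(REQUESTED_FILES, parsed))
```

In the real log every listed file was moved, so the `unmoved` check would come back empty; the three `NOT unregistered` DLLs are the ones worth a follow-up look in the CLSID hives.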

#8 miekiemoes

Posted 11 August 2009 - 03:33 AM

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Then also open OTM and click the Cleanup Button.

Then reboot.

Then update your Windows to SP3 in order to restore the missing files.

Let me know in your next reply how things are now.

#9 Karalex

Posted 11 August 2009 - 11:02 AM

I've done all these things and everything seems to be working nicely.

One last problem: I'm not sure how to update this thing I need to update, the one that will fill in my missing files. Could you give me a link or a tutorial on how to do this?

Thanks, Karalex

#10 miekiemoes

Posted 11 August 2009 - 11:28 AM

Hi,

See here how to update Windows:

http://support.microsoft.com/kb/311047


Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#11 miekiemoes

Posted 05 September 2009 - 05:45 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
