
Infected with PC Antivirus 2010 (aka Antispyware 2010)


  • This topic is locked
9 replies to this topic

#1 Todd M

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 13 August 2009 - 01:17 AM

I have a rogue antivirus program that actually is like a virus itself. My computer runs VERY slowly, I keep getting popups saying that I need to run Antivirus 2010, I get the "blue screen of death" periodically, and the computer shuts down sometimes on its own. Also, my history page says I've been to a lot of sites that I haven't been to; when I click on sites from Google such as the Wikipedia site about registry editing, I'm directed to different sites (although this doesn't happen if I manually type in the URL address), and removing PC Antivirus 2010 through the control panel doesn't work either.

I installed Malwarebytes Anti-Malware in an attempt to rid myself of this problem, but I can't seem to run it. However, I printed the instructions...which said to contact Hijack This and send you all my DDS.txt file and attach my other Notepad file after running the DDS software. Here is the DDS file:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Millerworks at 1:51:11.56 on Thu 08/13/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_02
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.463 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
C:\DOCUME~1\MILLER~1\LOCALS~1\Temp\b.exe
C:\WINDOWS\msa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Classic PhoneTools\CapFax.EXE
C:\WINDOWS\AGRSMMSG.exe
svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\WINDOWS\system32\braviax.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\WINDOWS\system32\wisdstr.exe
C:\Documents and Settings\Millerworks\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://mail.live.com/default.aspx?wa=wsignin1.0
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
TB: AT&T Toolbar: {4e7bd74f-2b8d-469e-8cbd-fd60bb9aae2e} -
uRun: [Philips Intelligent Agent] "c:\program files\philips intelligent agent\Philips Intelligent Agent.exe" /SILENT
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"
uRun: [Monopod] c:\docume~1\miller~1\locals~1\temp\b.exe
uRun: [braviax] c:\windows\system32\braviax.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nTrayFw] c:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe
mRun: [NWEReboot]
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [CapFax] c:\program files\classic phonetools\CapFax.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
mRun: [tgcmd] "c:\program files\support.com\bellsouth\hcenter.exe" /starthidden /tgcmdwrapper
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRun: [braviax] braviax.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} - hxxp://webiq005.webiqonline.com/WebIQ/DataServer/DataServer.dll?Handler=GetEngineDistribution&EDID={896A23A1-5821-4609-A6C6-6D5536C585C9}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/popcaploader_v10.cab
AppInit_DLLs: cru629.dat

============= SERVICES / DRIVERS ===============

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [2007-6-17 35968]

=============== Created Last 30 ================


==================== Find3M ====================


Unfortunately, I no longer have Kaspersky, as it became out-of-date and I wasn't happy with it (it is a resource hog), and I was going to try Avast instead. This virus, however, is making it nearly impossible to download Avast. Currently, I have no antivirus software. I did, however, successfully enable the free Windows firewall that came with the computer.

I sincerely appreciate any help that you can provide.

Todd Martin


#2 fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:07 PM

Posted 13 August 2009 - 04:55 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Todd M
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 13 August 2009 - 11:25 AM

Hi fenzodahl512.

Here is the Combo-Fix log.

ComboFix 09-08-10.06 - Millerworks 08/13/2009 12:16.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.700 [GMT -4:00]
Running from: c:\documents and settings\Millerworks\Desktop\Combo-Fix.exe
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\MILLER~1\LOCALS~1\Temp\1.wmv
c:\documents and settings\Millerworks\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\abodyte.ban
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\anykujijez.scr
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\bulosi.bat
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\ekuvocufew._sy
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\elew.vbs
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\eqopibid.bat
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\idenu.bin
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\jybyce.inf
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\kysyb.reg
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\uhobilun.sys
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\uvex.dat
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\vahyfon.bin
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\ylaheqy.dl
c:\documents and settings\Millerworks\Local Settings\Temporary Internet Files\zoratamipu.bin
c:\program files\INSTALL.LOG
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\msa.exe
c:\windows\run.log
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\drivers\UACdovdlyfqqa.sys
c:\windows\system32\msxml71.dll
c:\windows\system32\UACdqqwxevxew.dll
c:\windows\system32\UACiheujcghpj.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkioykrtqlt.dat
c:\windows\system32\UACqjnknmujxv.dll
c:\windows\system32\UACxwhxymfpxx.db
c:\windows\system32\UACyyrwkbfxup.dll
c:\windows\system32\wisdstr.exe

c:\windows\system32\drivers\beep.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-07-13 to 2009-08-13 )))))))))))))))))))))))))))))))
.


.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2009-08-13 05:15 28160 CF484B521FA027EF68E562386E4403C9 c:\windows\system32\dllcache\beep.sys

c:\windows\system32\drivers\beep.sys ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7196672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-11-11 270336]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CapFax"="c:\program files\Classic PhoneTools\CapFax.EXE" [2001-12-10 20739]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"tgcmd"="c:\program files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"PC Antispyware 2010"="c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe" [2009-08-13 581637]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-10-14 14864384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-12-12 88204]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-10-12 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/17/2007 8:30 AM 35968]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Philips Intelligent Agent - c:\program files\Philips Intelligent Agent\Philips Intelligent Agent.exe
HKLM-Run-NWEReboot - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-13 12:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
EPSON Stylus Photo R200 Series = c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /M "Stylus Photo R200" /EF "HKCU"??????????????????YB~r?R?????????????p????????????????????YB~????p???????????8???????????X?C~????p???????j?C~p??????????????|???????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\nvappfilter.dll
.
Completion time: 2009-08-13 12:21
ComboFix-quarantined-files.txt 2009-08-13 16:21

Pre-Run: 148,804,681,728 bytes free
Post-Run: 149,094,191,104 bytes free

246 --- E O F --- 2009-08-12 20:30

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 13 August 2009 - 12:07 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\program files\Common Files\ipode.reg
c:\windows\ozizuv.bin
c:\program files\Common Files\agywep.sys
c:\program files\Common Files\ozyni.reg
c:\windows\ykemejolup.pif
c:\windows\zaxyvucaz.exe
c:\windows\system32\vobi.bat
c:\windows\system32\ubuwyfe.vbs
c:\windows\system32\drivers\horabuxodufhqrxf.sys
c:\documents and settings\Millerworks\Application Data\izuhylex.sys
c:\program files\Common Files\agyjake.bin
c:\windows\aqynuzytap.scr
c:\documents and settings\Millerworks\Local Settings\Application Data\nuvul.com
c:\windows\system32\ubofen.vbs
c:\program files\Common Files\iwizemaf.exe
c:\windows\system32\umetymid.dat
c:\windows\nobaliridi.reg
c:\program files\Common Files\moxa.dll
c:\windows\uhaqu.sys
c:\windows\heviqyvavu.dll
c:\documents and settings\Millerworks\Local Settings\Application Data\zijunupof.scr
c:\windows\cygi.dat
c:\windows\system32\kydyrijege.bin
c:\documents and settings\Millerworks\Local Settings\Application Data\gezeb.sys
c:\program files\Common Files\mepu.reg
c:\windows\system32\mugoh.bin
c:\windows\qeler.bin
c:\program files\Common Files\palunoxini.vbs
c:\windows\system32\namyx.dll
c:\windows\uwihebapu.reg
c:\windows\system32\gibymifa.bin
c:\windows\avymerequk.pif
c:\documents and settings\Millerworks\Local Settings\Application Data\zabep.vbs
c:\program files\Common Files\mopiz.exe
c:\program files\Common Files\aqoxi.pif
c:\windows\afilykadag.exe
c:\windows\system32\uhytuvuzu.exe
c:\documents and settings\Millerworks\Local Settings\Application Data\uvopyrasud.sys
c:\windows\elypil.dll
c:\windows\cocasyvip.bin
c:\windows\system32\oxuxacorav.vbs
c:\windows\itog.pif
c:\windows\cema.exe
c:\program files\Common Files\afewax.bin
c:\windows\ohyhyx.reg
c:\program files\Common Files\ixuqi.sys
c:\windows\inapu.pif
c:\windows\system32\dysyq.bin
c:\program files\Common Files\arijifu.scr
c:\documents and settings\Millerworks\Application Data\qepib.scr
c:\windows\nymyxeda.exe
c:\program files\Common Files\najed.bat
c:\windows\amumek.scr
c:\program files\Common Files\garedodi.dat
c:\windows\izicesu.bin
c:\windows\system32\toro.exe
c:\program files\Common Files\nujokov.com
c:\program files\Common Files\asaqi.scr
c:\documents and settings\Millerworks\Local Settings\Application Data\nulyvatyfi.pif
c:\docume~1\ALLUSE~1\APPLIC~1\erysuh.vbs
c:\docume~1\ALLUSE~1\APPLIC~1\ezeryzihef.pif
c:\documents and settings\Millerworks\Application Data\yfin.dat
c:\docume~1\ALLUSE~1\APPLIC~1\zyfapede.bin
c:\docume~1\ALLUSE~1\APPLIC~1\zedagyjy.sys
c:\docume~1\ALLUSE~1\APPLIC~1\befululose.dll
c:\program files\Common Files\mucyji.inf
c:\program files\Common Files\obukujo.inf
c:\docume~1\ALLUSE~1\APPLIC~1\qesyja.exe
c:\docume~1\ALLUSE~1\APPLIC~1\abesoxa.scr
c:\documents and settings\Millerworks\Application Data\rugawyjoxo.reg
c:\docume~1\ALLUSE~1\APPLIC~1\ydevyby.reg
c:\program files\Common Files\emym.inf
c:\documents and settings\Millerworks\Application Data\micih.reg
c:\docume~1\ALLUSE~1\APPLIC~1\omejet.scr
c:\docume~1\ALLUSE~1\APPLIC~1\asumafeki.reg
c:\program files\Common Files\dupuheta._dl
c:\docume~1\ALLUSE~1\APPLIC~1\efac.dat
c:\docume~1\ALLUSE~1\APPLIC~1\cevezew.com
c:\program files\Common Files\yzevonug.db
c:\docume~1\ALLUSE~1\APPLIC~1\comezoj.bat
c:\docume~1\ALLUSE~1\APPLIC~1\mogagutike.exe
c:\program files\Common Files\ycokugug.db
c:\documents and settings\Millerworks\Application Data\ifinu.vbs
c:\docume~1\ALLUSE~1\APPLIC~1\wubuwyfep.bin
c:\program files\Common Files\ameb.lib
c:\windows\system32\xa.tmp

Folder::
c:\program files\PC_Antispyware2010

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation not shown: dragging CFScript.txt onto ComboFix.exe]


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
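Added here as an illustration of how a helper arrives at a File:: list like the one above; it is not part of fenzodahl512's post and not ComboFix's own logic. The script parses the "Files Created" lines of a ComboFix log, keeps only brand-new files (identical timestamps) with random-looking names in the directories the rogue used, and clusters them into per-minute bursts, rendering the result as a CFScript File:: block for review. The sample lines are a constructed excerpt copied from the log above; the watched directories, extension list and burst threshold are heuristic assumptions.

```python
import re
from collections import defaultdict

# Line format of ComboFix's "Files Created" and "Find3M Report" sections,
# exactly as it appears in the logs above:
#   <last-write date> . <creation date> <size or --------> <attributes> <path>
LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

# Parent directories in which a freshly dropped, randomly named file is
# suspicious (heuristic assumption: the locations the rogue used on this page).
WATCHED_DIR_RE = re.compile(
    r"^(c:\\windows|c:\\windows\\system32|c:\\program files\\common files"
    r"|c:\\docume~1\\alluse~1\\applic~1"
    r"|c:\\documents and settings\\[^\\]+\\(local settings\\)?application data)$"
)

# Extensions the droppers used (heuristic assumption); .reg/.inf/.dat/.bin/.db
# files sitting next to fresh .exe/.scr/.pif files is the tell.
DROPPER_EXTS = {"exe", "scr", "pif", "com", "bat", "vbs", "reg", "sys", "dll",
                "inf", "dat", "bin", "db", "lib", "_dl", "tmp"}

# Pseudo-random lowercase stems such as obukujo, qesyja, abesoxa.
RANDOM_STEM_RE = re.compile(r"^[a-z]{2,12}$")


def parse_line(line):
    """Return a dict for one file-listing line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["is_dir"] = rec["attrs"].startswith("d") or rec["size"].startswith("-")
    return rec


def is_suspect(rec):
    """A file is a suspect when it is brand new (both timestamps identical, unlike
    a patched system DLL whose creation date predates its last write), sits
    directly in a watched directory (the dllcache and drivers subfolders do not
    match), has a dropper extension and a random-looking lowercase name."""
    if rec["is_dir"] or rec["t1"] != rec["t2"]:
        return False
    parent, _, name = rec["path"].lower().rpartition("\\")
    if not WATCHED_DIR_RE.match(parent):
        return False
    stem, _, ext = name.rpartition(".")
    return ext in DROPPER_EXTS and bool(RANDOM_STEM_RE.match(stem))


def find_dropper_bursts(log_text, min_burst=3):
    """Group suspect files by the minute they were created and keep only the
    minutes in which at least `min_burst` of them landed together: a single
    odd file is noise, a cluster is an installer writing its payload set."""
    by_minute = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspect(rec):
            by_minute[rec["t1"]].append(rec["path"])
    return {t: paths for t, paths in by_minute.items() if len(paths) >= min_burst}


def cfscript_file_block(bursts):
    """Render the flagged paths in CFScript 'File::' form so a helper can review
    them against the full log before deciding what goes into the script."""
    paths = sorted(p for ps in bursts.values() for p in ps)
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: a handful of lines copied from the ComboFix log above,
# mixing the dropper bursts with legitimate entries (an avast! driver, a
# dllcache copy, a patched system DLL, a directory, a lone .tmp file).
SAMPLE_LOG = r"""
2009-08-13 03:28 . 2009-08-13 03:28 14192 ----a-w- c:\program files\Common Files\obukujo.inf
2009-08-13 03:28 . 2009-08-13 03:28 17973 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\qesyja.exe
2009-08-13 03:11 . 2009-08-13 03:11 18476 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\abesoxa.scr
2009-08-13 03:11 . 2009-08-13 03:11 13027 ----a-w- c:\documents and settings\Millerworks\Application Data\rugawyjoxo.reg
2009-08-13 03:11 . 2009-08-13 03:11 10551 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\ydevyby.reg
2009-08-13 03:11 . 2009-08-13 03:11 11105 ----a-w- c:\program files\Common Files\emym.inf
2009-08-13 02:49 . 2009-08-13 02:49 14126 ----a-w- c:\documents and settings\Millerworks\Application Data\micih.reg
2009-08-13 02:49 . 2009-08-13 02:49 11671 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\omejet.scr
2009-08-13 02:49 . 2009-08-13 02:49 11513 ----a-w- c:\docume~1\ALLUSE~1\APPLIC~1\asumafeki.reg
2009-08-13 04:00 . 2009-08-13 04:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-13 16:52 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-12 03:49 . 2009-08-12 03:49 1234759 ----a-w- c:\windows\system32\xa.tmp
"""

if __name__ == "__main__":
    print(cfscript_file_block(find_dropper_bursts(SAMPLE_LOG)))
```

The two-file 03:28 cluster and the lone xa.tmp fall below the burst threshold on purpose: the output is a shortlist to check by hand, not a deletion list.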


#5 Todd M

  • Topic Starter

  • Members
  • 5 posts

Posted 13 August 2009 - 01:35 PM

Before I do the second ComboFix, I should tell you that the first ComboFix appears to have worked. My computer seems normal again, even after a few reboots.

I was able to successfully run Malwarebytes Anti-Malware, which removed more things that were related to PC Antispyware 2010. I also was able to successfully install Avast and ran two virus scans with that.

Considering this, should I temporarily disable Avast, turn off my Windows firewall again, and then do what you've suggested in your latest response (copy the codebox contents into Notepad, drag that file to ComboFix, and start it again), as you have suggested? ...Or does the fact that I've installed Avast and run Malwarebytes change anything?

I'll wait until I hear from you before I do anything else. I hope I didn't mess anything up again!

Thanks,
Todd

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 13 August 2009 - 01:45 PM

Yes, you should turn off your antivirus, antispyware and firewall each and every time you run ComboFix.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#7 Todd M

  • Topic Starter

  • Members
  • 5 posts

Posted 14 August 2009 - 07:52 AM

Here is my next combo-fix log, after dragging the notepad file I created from the contents above into it.

ComboFix 09-08-10.06 - Millerworks 08/14/2009 8:39.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.958.593 [GMT -4:00]
Running from: c:\documents and settings\Millerworks\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Millerworks\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1335 [VPS 090813-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: Kaspersky Internet Security *On-access scanning disabled* (Outdated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: ActiveArmor Firewall *disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
FW: Kaspersky Internet Security *disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"c:\docume~1\ALLUSE~1\APPLIC~1\abesoxa.scr"
"c:\docume~1\ALLUSE~1\APPLIC~1\asumafeki.reg"
"c:\docume~1\ALLUSE~1\APPLIC~1\befululose.dll"
"c:\docume~1\ALLUSE~1\APPLIC~1\cevezew.com"
"c:\docume~1\ALLUSE~1\APPLIC~1\comezoj.bat"
"c:\docume~1\ALLUSE~1\APPLIC~1\efac.dat"
"c:\docume~1\ALLUSE~1\APPLIC~1\erysuh.vbs"
"c:\docume~1\ALLUSE~1\APPLIC~1\ezeryzihef.pif"
"c:\docume~1\ALLUSE~1\APPLIC~1\mogagutike.exe"
"c:\docume~1\ALLUSE~1\APPLIC~1\omejet.scr"
"c:\docume~1\ALLUSE~1\APPLIC~1\qesyja.exe"
"c:\docume~1\ALLUSE~1\APPLIC~1\wubuwyfep.bin"
"c:\docume~1\ALLUSE~1\APPLIC~1\ydevyby.reg"
"c:\docume~1\ALLUSE~1\APPLIC~1\zedagyjy.sys"
"c:\docume~1\ALLUSE~1\APPLIC~1\zyfapede.bin"
"c:\documents and settings\Millerworks\Application Data\ifinu.vbs"
"c:\documents and settings\Millerworks\Application Data\izuhylex.sys"
"c:\documents and settings\Millerworks\Application Data\micih.reg"
"c:\documents and settings\Millerworks\Application Data\qepib.scr"
"c:\documents and settings\Millerworks\Application Data\rugawyjoxo.reg"
"c:\documents and settings\Millerworks\Application Data\yfin.dat"
"c:\documents and settings\Millerworks\Local Settings\Application Data\gezeb.sys"
"c:\documents and settings\Millerworks\Local Settings\Application Data\nulyvatyfi.pif"
"c:\documents and settings\Millerworks\Local Settings\Application Data\nuvul.com"
"c:\documents and settings\Millerworks\Local Settings\Application Data\uvopyrasud.sys"
"c:\documents and settings\Millerworks\Local Settings\Application Data\zabep.vbs"
"c:\documents and settings\Millerworks\Local Settings\Application Data\zijunupof.scr"
"c:\program files\Common Files\afewax.bin"
"c:\program files\Common Files\agyjake.bin"
"c:\program files\Common Files\agywep.sys"
"c:\program files\Common Files\ameb.lib"
"c:\program files\Common Files\aqoxi.pif"
"c:\program files\Common Files\arijifu.scr"
"c:\program files\Common Files\asaqi.scr"
"c:\program files\Common Files\dupuheta._dl"
"c:\program files\Common Files\emym.inf"
"c:\program files\Common Files\garedodi.dat"
"c:\program files\Common Files\ipode.reg"
"c:\program files\Common Files\iwizemaf.exe"
"c:\program files\Common Files\ixuqi.sys"
"c:\program files\Common Files\mepu.reg"
"c:\program files\Common Files\mopiz.exe"
"c:\program files\Common Files\moxa.dll"
"c:\program files\Common Files\mucyji.inf"
"c:\program files\Common Files\najed.bat"
"c:\program files\Common Files\nujokov.com"
"c:\program files\Common Files\obukujo.inf"
"c:\program files\Common Files\ozyni.reg"
"c:\program files\Common Files\palunoxini.vbs"
"c:\program files\Common Files\ycokugug.db"
"c:\program files\Common Files\yzevonug.db"
"c:\windows\afilykadag.exe"
"c:\windows\amumek.scr"
"c:\windows\aqynuzytap.scr"
"c:\windows\avymerequk.pif"
"c:\windows\cema.exe"
"c:\windows\cocasyvip.bin"
"c:\windows\cygi.dat"
"c:\windows\elypil.dll"
"c:\windows\heviqyvavu.dll"
"c:\windows\inapu.pif"
"c:\windows\itog.pif"
"c:\windows\izicesu.bin"
"c:\windows\nobaliridi.reg"
"c:\windows\nymyxeda.exe"
"c:\windows\ohyhyx.reg"
"c:\windows\ozizuv.bin"
"c:\windows\qeler.bin"
"c:\windows\system32\drivers\horabuxodufhqrxf.sys"
"c:\windows\system32\dysyq.bin"
"c:\windows\system32\gibymifa.bin"
"c:\windows\system32\kydyrijege.bin"
"c:\windows\system32\mugoh.bin"
"c:\windows\system32\namyx.dll"
"c:\windows\system32\oxuxacorav.vbs"
"c:\windows\system32\toro.exe"
"c:\windows\system32\ubofen.vbs"
"c:\windows\system32\ubuwyfe.vbs"
"c:\windows\system32\uhytuvuzu.exe"
"c:\windows\system32\umetymid.dat"
"c:\windows\system32\vobi.bat"
"c:\windows\system32\xa.tmp"
"c:\windows\uhaqu.sys"
"c:\windows\uwihebapu.reg"
"c:\windows\ykemejolup.pif"
"c:\windows\zaxyvucaz.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\ALLUSE~1\APPLIC~1\abesoxa.scr
c:\docume~1\ALLUSE~1\APPLIC~1\asumafeki.reg
c:\docume~1\ALLUSE~1\APPLIC~1\befululose.dll
c:\docume~1\ALLUSE~1\APPLIC~1\cevezew.com
c:\docume~1\ALLUSE~1\APPLIC~1\comezoj.bat
c:\docume~1\ALLUSE~1\APPLIC~1\efac.dat
c:\docume~1\ALLUSE~1\APPLIC~1\erysuh.vbs
c:\docume~1\ALLUSE~1\APPLIC~1\ezeryzihef.pif
c:\docume~1\ALLUSE~1\APPLIC~1\mogagutike.exe
c:\docume~1\ALLUSE~1\APPLIC~1\omejet.scr
c:\docume~1\ALLUSE~1\APPLIC~1\qesyja.exe
c:\docume~1\ALLUSE~1\APPLIC~1\wubuwyfep.bin
c:\docume~1\ALLUSE~1\APPLIC~1\ydevyby.reg
c:\docume~1\ALLUSE~1\APPLIC~1\zedagyjy.sys
c:\docume~1\ALLUSE~1\APPLIC~1\zyfapede.bin
c:\documents and settings\Millerworks\Application Data\ifinu.vbs
c:\documents and settings\Millerworks\Application Data\izuhylex.sys
c:\documents and settings\Millerworks\Application Data\micih.reg
c:\documents and settings\Millerworks\Application Data\qepib.scr
c:\documents and settings\Millerworks\Application Data\rugawyjoxo.reg
c:\documents and settings\Millerworks\Application Data\yfin.dat
c:\documents and settings\Millerworks\Local Settings\Application Data\gezeb.sys
c:\documents and settings\Millerworks\Local Settings\Application Data\nulyvatyfi.pif
c:\documents and settings\Millerworks\Local Settings\Application Data\nuvul.com
c:\documents and settings\Millerworks\Local Settings\Application Data\uvopyrasud.sys
c:\documents and settings\Millerworks\Local Settings\Application Data\zabep.vbs
c:\documents and settings\Millerworks\Local Settings\Application Data\zijunupof.scr
c:\program files\Common Files\afewax.bin
c:\program files\Common Files\agyjake.bin
c:\program files\Common Files\agywep.sys
c:\program files\Common Files\ameb.lib
c:\program files\Common Files\aqoxi.pif
c:\program files\Common Files\arijifu.scr
c:\program files\Common Files\asaqi.scr
c:\program files\Common Files\dupuheta._dl
c:\program files\Common Files\emym.inf
c:\program files\Common Files\garedodi.dat
c:\program files\Common Files\ipode.reg
c:\program files\Common Files\iwizemaf.exe
c:\program files\Common Files\ixuqi.sys
c:\program files\Common Files\mepu.reg
c:\program files\Common Files\mopiz.exe
c:\program files\Common Files\moxa.dll
c:\program files\Common Files\mucyji.inf
c:\program files\Common Files\najed.bat
c:\program files\Common Files\nujokov.com
c:\program files\Common Files\obukujo.inf
c:\program files\Common Files\ozyni.reg
c:\program files\Common Files\palunoxini.vbs
c:\program files\Common Files\ycokugug.db
c:\program files\Common Files\yzevonug.db
c:\windows\afilykadag.exe
c:\windows\amumek.scr
c:\windows\aqynuzytap.scr
c:\windows\avymerequk.pif
c:\windows\cema.exe
c:\windows\cocasyvip.bin
c:\windows\cygi.dat
c:\windows\elypil.dll
c:\windows\heviqyvavu.dll
c:\windows\inapu.pif
c:\windows\itog.pif
c:\windows\izicesu.bin
c:\windows\nobaliridi.reg
c:\windows\nymyxeda.exe
c:\windows\ohyhyx.reg
c:\windows\ozizuv.bin
c:\windows\qeler.bin
c:\windows\system32\dysyq.bin
c:\windows\system32\gibymifa.bin
c:\windows\system32\kydyrijege.bin
c:\windows\system32\mugoh.bin
c:\windows\system32\namyx.dll
c:\windows\system32\oxuxacorav.vbs
c:\windows\system32\toro.exe
c:\windows\system32\ubofen.vbs
c:\windows\system32\ubuwyfe.vbs
c:\windows\system32\uhytuvuzu.exe
c:\windows\system32\umetymid.dat
c:\windows\system32\vobi.bat
c:\windows\uhaqu.sys
c:\windows\uwihebapu.reg
c:\windows\ykemejolup.pif
c:\windows\zaxyvucaz.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-14 to 2009-08-14 )))))))))))))))))))))))))))))))
.

2009-08-13 16:52 . 2009-02-05 20:06 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-08-13 16:52 . 2009-02-05 20:06 51376 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-08-13 16:52 . 2009-02-05 20:05 26944 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2009-08-13 16:51 . 2009-02-05 20:07 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-08-13 16:51 . 2009-02-05 20:07 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-08-13 16:51 . 2009-02-05 20:04 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-08-13 16:51 . 2009-02-05 20:08 93296 ----a-w- c:\windows\system32\drivers\aswmon.sys
2009-08-13 16:51 . 2009-02-05 20:08 94032 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2009-08-13 16:51 . 2009-02-05 20:11 1256296 ----a-w- c:\windows\system32\aswBoot.exe
2009-08-13 16:51 . 2009-08-13 16:51 -------- d-----w- c:\program files\Alwil Software
2009-08-13 16:30 . 2009-08-13 16:30 -------- d-----w- c:\documents and settings\Millerworks\Application Data\Malwarebytes
2009-08-13 04:00 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-13 04:00 . 2009-08-13 04:00 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-08-13 04:00 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-13 04:00 . 2009-08-13 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-12 04:02 . 2009-08-12 04:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-12 03:55 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 -c----w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-04 12:21 . 2009-08-04 12:21 -------- d-----w- c:\program files\Usability Sciences
2009-07-17 19:01 . 2009-07-17 19:01 58880 -c----w- c:\windows\system32\dllcache\atl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-13 02:32 . 2007-06-17 17:46 -------- d-----w- c:\program files\Philips Intelligent Agent
2009-08-13 02:27 . 2007-07-13 17:36 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-01 22:03 . 2007-06-17 18:51 42944 ----a-w- c:\documents and settings\Millerworks\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-12 16:21 . 2006-02-28 12:00 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2006-02-28 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-18 18:41 . 2007-06-17 12:05 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-16 14:36 . 2006-02-28 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2006-02-28 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 12:31 . 2006-02-28 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2006-02-28 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2006-02-28 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2007-06-17 12:02 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2006-02-28 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2006-02-28 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-08-13_16.20.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-14 12:43 . 2009-08-14 12:43 16384 c:\windows\temp\Perflib_Perfdata_65c.dat
+ 2009-08-14 12:23 . 2009-08-14 12:23 16384 c:\windows\temp\Perflib_Perfdata_658.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-12-09 7196672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-12-09 86016]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-11-11 270336]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CapFax"="c:\program files\Classic PhoneTools\CapFax.EXE" [2001-12-10 20739]
"EPSON Stylus Photo R200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE" [2003-07-08 99840]
"tgcmd"="c:\program files\Support.com\BellSouth\hcenter.exe" [2005-08-31 1277952]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 132496]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-26 267064]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" - c:\windows\system32\HdAShCut.exe [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2005-10-14 14864384]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-12-09 1519616]
"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-12-12 88204]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2007-10-12 303104]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [8/13/2009 12:51 PM 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [8/13/2009 12:51 PM 20560]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/17/2007 8:30 AM 35968]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://mail.live.com/default.aspx?wa=wsignin1.0
mStart Page = hxxp://www.google.com
LSP: %SYSTEMROOT%\system32\nvappfilter.dll
DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} - hxxps://esis.ncwise.org/forms/jinitiator/jinit13128.exe
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-14 08:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(756)
c:\windows\system32\nvappfilter.dll

- - - - - - - > 'explorer.exe'(2644)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\windows\system32\rundll32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\nvsvc32.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\Apache.exe
c:\windows\system32\wdfmgr.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Support.com\bin\tgcmd.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-14 8:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-14 12:46
ComboFix2.txt 2009-08-13 16:21

Pre-Run: 148,939,358,208 bytes free
Post-Run: 148,940,279,808 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

330 --- E O F --- 2009-08-12 20:30

#8 fenzodahl512

  • Members
  • 6,738 posts

Posted 14 August 2009 - 08:11 AM

You have two antivirus programs (Avast and Kaspersky). Uninstall one of them.


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now?

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Todd M

  • Topic Starter

  • Members
  • 5 posts

Posted 16 August 2009 - 03:18 PM

The computer seems fine to me. I really appreciate all your help.

Here is the log from the ESET scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6048
# api_version=3.0.2
# EOSSerial=3931aa09f587894ca069a59bb2889e71
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-16 08:10:42
# local_time=2009-08-16 04:10:42 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=769 21 100 100 60485312500
# scanned=59030
# found=53
# cleaned=53
# scan_time=1141
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Win32/TrojanDownloader.FakeAlert.AFQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\msxml71.dll.vir Win32/TrojanDownloader.FakeAlert.AGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACiheujcghpj.dll.vir Win32/Olmarik.KI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\_scui.cpl.vir Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0051695.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0052695.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0052696.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0053695.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0053696.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0054695.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0054696.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0054697.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP312\A0054698.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0054699.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0054700.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0055699.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0055700.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0056699.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0056700.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0057699.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0057700.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058699.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058700.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058701.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058702.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058703.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058704.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058705.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058706.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058707.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0058708.exe a variant of Win32/Kryptik.ACE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0059707.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0059708.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0059709.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0059710.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060709.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060710.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060711.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060712.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060713.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060714.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060715.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060716.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060717.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060718.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060721.dll Win32/Olmarik.KI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060724.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060725.exe a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060751.exe Win32/TrojanDownloader.FakeAlert.AFQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060752.cpl Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060753.dll Win32/TrojanDownloader.FakeAlert.AGF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
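
An added example, not part of the original thread and not ESET's own tooling: a small Python parser for the ESET Online Scanner log format quoted above. It reads the `# key=value` header, splits each detection line into path, threat name, category and action, classifies every hit by where it was found (ComboFix's Qoobox quarantine, a System Restore point, or a live location), and checks that the header's found/cleaned counts agree with the detection lines actually listed. The sample log is a constructed excerpt in the same format, and the field layout encoded in the regular expression is an assumption derived from the quoted lines.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt in the format of the ESET Online Scanner log quoted in the post
# (the header counts were chosen to match the four detection lines below).
SAMPLE_LOG = r"""
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=6
# end=finished
# remove_checked=true
# scanned=59030
# found=4
# cleaned=4
# scan_time=1141
C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.ABI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\msa.exe.vir Win32/TrojanDownloader.FakeAlert.AFQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060721.dll Win32/Olmarik.KI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{1FEE84EE-B023-4956-B362-A4FFCCC454C9}\RP313\A0060752.cpl Win32/Adware.XPSecurityCenter application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Field layout assumed from the quoted lines:
#   <path> [probably ][a variant of ]<threat> <category> (<action>) <32 hex digits> <flag>
DETECTION_RE = re.compile(
    r"""^(?P<path>[A-Za-z]:\\.+?)\s+
        (?P<prefix>(?:probably\s+)?(?:a\s+variant\s+of\s+)?)
        (?P<threat>[A-Za-z0-9]+/\S+)\s+
        (?P<category>[a-z]+(?:\s[a-z]+)*)\s+
        \((?P<action>[^)]*)\)\s+
        (?P<hash>[0-9A-Fa-f]{32})\s+
        (?P<flag>\S+)$""",
    re.VERBOSE,
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass(frozen=True)
class Detection:
    path: str
    threat: str      # e.g. "Win32/Kryptik.ABI"
    category: str    # e.g. "trojan" or "application"
    variant: bool    # True when ESET only reported "a variant of" the family
    action: str      # e.g. "cleaned by deleting - quarantined"
    location: str    # "quarantine", "restore_point" or "live"


def classify_location(path: str) -> str:
    """Where the hit lived: ComboFix's Qoobox quarantine, a System Restore point, or elsewhere."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_eset_log(text: str):
    """Return (header dict, list of Detection, list of path-like lines that did not parse)."""
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("# ") and "=" in line:
            key, value = line[2:].split("=", 1)
            header[key.strip()] = value.strip()
        elif DRIVE_PATH_RE.match(line):
            m = DETECTION_RE.match(line)
            if m is None:
                unparsed.append(line)
                continue
            detections.append(Detection(
                path=m["path"],
                threat=m["threat"],
                category=m["category"],
                variant=bool(m["prefix"]),
                action=m["action"],
                location=classify_location(m["path"]),
            ))
        # preamble lines such as "OnlineScanner.ocx - registred OK" are ignored
    return header, detections, unparsed


def summarize(text: str) -> dict:
    """Condense a log into the numbers a helper checks before calling the machine clean."""
    header, detections, unparsed = parse_eset_log(text)
    found = int(header.get("found", -1))
    cleaned = int(header.get("cleaned", -1))
    cleaned_lines = sum(d.action.startswith("cleaned") for d in detections)
    return {
        "scanned": int(header.get("scanned", 0)),
        "found": found,
        "cleaned": cleaned,
        "by_threat": Counter(d.threat for d in detections),
        "by_location": Counter(d.location for d in detections),
        "live_hits": [d.path for d in detections if d.location == "live"],
        # header counts should agree with the detection lines actually listed
        "header_consistent": found == len(detections) and cleaned == cleaned_lines,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the full log in the post, the `by_location` counter is the useful output: all 53 hits sit under `C:\Qoobox\Quarantine` (copies ComboFix had already quarantined) or under a `System Volume Information\_restore{...}` restore point, and `live_hits` is empty, which is the property a helper looks for before declaring the cleanup finished. An entry in `unparsed` means ESET emitted a line shape the regular expression does not know, so the summary should not be trusted until that line has been read by hand.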

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:10:07 PM

Posted 17 August 2009 - 01:21 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have an internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512
