
Infected with "This computer is being attacked" virus


This topic is locked. 24 replies to this topic.

#1 khiks (Members, 9 posts)

Posted 07 November 2009 - 02:46 PM

Hi,

My computer is infected with a "This computer is being attacked" virus. With this I have an annoying pop-up, the Task Manager is disabled, and I also can't use my DVD-ROM. I don't know how I acquired this virus, and by searching the net I found out that your group is generous enough to help people like me resolve this kind of problem. I hope to hear from you soon. Thanks!

below is the log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:38:12 AM, on 11/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\dmbtv.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\lnomby.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pofpx7001.maniladc.com:3128
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: ShoppingReport - {100EB1FD-D03E-47FD-81F3-EE91287F9465} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O2 - BHO: DNSEred - {26cdee35-a606-a6fa-e195-d549a1646bba} - C:\WINDOWS\system32\iednser.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: cpmsky.biz browser optimizer - {BCA95E31-1FBF-4F84-8F23-1BA653007A1E} - C:\WINDOWS\system32\cpmsky.dll (file missing)
O2 - BHO: mysidesearch search enhancer - {CA70569C-F789-B2AD-F154-01CB4121A98D} - C:\WINDOWS\system32\wkqsdgldec.dll (file missing)
O2 - BHO: adzgalore - {e1a4df4a-9824-b2aa-a852-642e26ddeb9c} - C:\WINDOWS\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [BroadcomWireless] C:\Program Files\Broadcom\Wireless\Utility\WlanUtil.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [MyWebSearch Plugin] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL,UPF
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system\KEYBOARD.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [74BE16] C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - HKLM\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [kxva] C:\WINDOWS\system32\kxvo.exe
O4 - HKCU\..\Run: [kamsoft] C:\WINDOWS\system32\ckvo.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKLM\..\Policies\Explorer\Run: [sys] C:\WINDOWS\Fonts\Fonts.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKman000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\rlai.dll
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\system32\rlls.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 17599 bytes

Edited by khiks, 07 November 2009 - 02:47 PM.
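Editor's note, added example (not part of the thread and not a BleepingComputer tool): a HijackThis log of this length is easier to read once a script pulls out the entries a responder would look at first. The heuristics below are the ones the analysts on this board apply by eye: entries whose file is missing, autostart values with a blank name or under Policies\Explorer\Run, executables living in Temp, dllcache, Fonts or the old WINDOWS\system directory, hex or consonant-soup file names, policy lockdowns (O6/O7), AppInit_DLLs / Winlogon Notify hooks (O20), and a configured proxy (R1). The sample lines are copied from the log above, with three benign entries kept for contrast; the thresholds (five-character consonant runs, five-plus hex characters) are my own assumptions and are only a prompt to look closer, never a verdict.

```python
"""Triage a HijackThis (HJT) log for entries that deserve a closer look.

Added example for this thread, not a tool from it. A hit means "examine
this entry", not "this is malware"; a miss proves nothing.
"""
import re

# Constructed sample: lines copied from the HijackThis log posted above,
# plus three benign entries (spoolsv, Adobe BHO, Java updater) for contrast.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\dmbtv.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pofpx7001.maniladc.com:3128
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {CA70569C-F789-B2AD-F154-01CB4121A98D} - C:\WINDOWS\system32\wkqsdgldec.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system\KEYBOARD.exe
O4 - HKLM\..\Run: [74BE16] C:\WINDOWS\system32\ACF7EF\74BE16.EXE
O4 - HKLM\..\RunOnce: [] C:\WINDOWS\system32\dllcache\Default.exe
O4 - HKLM\..\Policies\Explorer\Run: [sys] C:\WINDOWS\Fonts\Fonts.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: C:\WINDOWS\system32\rlai.dll
O20 - Winlogon Notify: RelevantKnowledge - C:\WINDOWS\system32\rlls.dll (file missing)
"""

# "R1 - ..." / "O4 - ..." entries; anything else is treated as a running-process path.
ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# A drive-letter path, stopping before "(file missing)", a closing quote,
# a " /switch", or end of line.
PATH_RE = re.compile(r'[A-Za-z]:\\.*?(?=\s*\(file missing\)|"|\s+/|\s*$)')
HEX_RE = re.compile(r"^[0-9A-Fa-f]{5,}$")                   # e.g. 74BE16 (assumed threshold)
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]{5}", re.I)  # e.g. dmbtv (assumed threshold)
# Directories where a legitimate autostart executable is rarely found.
ODD_DIRS = ("\\temp\\", "\\dllcache\\", "\\fonts\\", "\\windows\\system\\", "\\recycler")


def suspicious_reasons(line: str) -> list[str]:
    """Return the list of reasons one HJT line is worth a closer look (empty if none)."""
    reasons: list[str] = []
    m = ENTRY_RE.match(line)
    kind, body = (m.group(1), m.group(2)) if m else ("PROC", line)
    low = body.lower()
    pm = PATH_RE.search(body)
    path = pm.group(0) if pm else None

    if "(file missing)" in low:
        reasons.append("orphaned entry: file missing (remnant of something removed or hidden)")
    if kind == "O4" and re.search(r"\[\]\s", body):
        reasons.append("autostart entry with a blank value name")
    if kind == "O4" and "policies\\explorer\\run" in low:
        reasons.append("autostart via Policies\\Explorer\\Run, rarely used by legitimate software")
    if kind in ("O6", "O7"):
        reasons.append("policy restriction present (matches the disabled Task Manager / regedit symptom)")
    if kind == "O20":
        reasons.append("AppInit_DLLs / Winlogon Notify: loaded into every process or into winlogon")
    if kind == "R1" and "proxyserver" in low:
        reasons.append("proxy server configured; confirm it is intentional")
    if path:
        if any(d in path.lower() for d in ODD_DIRS):
            reasons.append(f"executable in an unusual directory: {path}")
        name = path.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        if HEX_RE.match(stem) or CONSONANT_RUN_RE.search(stem):
            reasons.append(f"random-looking file name: {name}")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run suspicious_reasons over every non-blank line; return (line, reasons) for hits only."""
    hits: list[tuple[str, list[str]]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = suspicious_reasons(line)
        if reasons:
            hits.append((line, reasons))
    return hits


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the full log rather than the sample and the same rules also pull out the Temp processes (lnomby.exe, RtkBtMnt.exe), the kxvo/ckvo Run entries only if their names trip a rule, and every "(file missing)" adware remnant; entries such as ckvo.exe that pass every rule are exactly why a human still reads the whole log.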


#2 fireman4it, Bleepin' Fireman (Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 07 November 2009 - 05:42 PM

Hello khiks,
  • Welcome to Bleeping Computer.
  • Sorry for delayed response. Forums have been really busy.
  • My name is fireman4it and I will be helping you with your Malware problem.
  • As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.
Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • I will be analyzing your log. I will get back to you with instructions after it is approved.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 fireman4it, Bleepin' Fireman (Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 10 November 2009 - 04:43 PM

Hello khiks,

1.One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

2.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply
3.
Download Combofix from any of the links below. You must rename it 1234.scr before saving it. Save it to your desktop.

Link 1
Link 2



Double click on 1234.scr & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.

4.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.



Things to include in your next reply:
Combofix.txt
RootRepeal log
How is your machine running now?



#4 khiks, Topic Starter (Members, 9 posts)

Posted 10 November 2009 - 09:07 PM

Hi Fireman,

Thank you for your assistance. Please see my notes below:
Rkill
I'm not sure if it ran, but yes, a black screen appeared and disappeared after a couple of seconds.

Combofix
the links that you've given are not working.

RootRepeal log

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/11 10:05
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9E204000 Size: 778240 File Visible: No Signed: -
Status: -

Name: hjolgq.sys
Image Path: C:\WINDOWS\system32\drivers\hjolgq.sys
Address: 0xF8B61000 Size: 5184 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9CE1A000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

How is your machine running now?
no improvement yet =(

Edited by khiks, 10 November 2009 - 09:08 PM.


#5 fireman4it, Bleepin' Fireman (Malware Response Team, 13,505 posts, Greenup, Ill USA)

Posted 11 November 2009 - 07:05 PM

Hello,

Please run Rkill again, then try to download Combofix again and run it. I have tried those links and they worked. They may have been down.



#6 khiks, Topic Starter (Members, 9 posts)

Posted 11 November 2009 - 09:57 PM

Hi,

I can now see a good improvement in the performance of my computer. Please see the logs below:

Combo Fix

ComboFix 09-11-11.02 - acer 11/12/2009 10:08.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.139 [GMT 8:00]
Running from: c:\documents and settings\acer\Desktop\ComboFix.exe
AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\2.cmd
C:\autorun.inf
C:\by.bat
c:\docume~1\acer\LOCALS~1\Temp\E_N4
c:\docume~1\acer\LOCALS~1\Temp\E_N4\cnvpe.fne
c:\docume~1\acer\LOCALS~1\Temp\E_N4\dp1.fne
c:\docume~1\acer\LOCALS~1\Temp\E_N4\eAPI.fne
c:\docume~1\acer\LOCALS~1\Temp\E_N4\HtmlView.fne
c:\docume~1\acer\LOCALS~1\Temp\E_N4\internet.fne
c:\docume~1\acer\LOCALS~1\Temp\E_N4\krnln.fnr
c:\docume~1\acer\LOCALS~1\Temp\E_N4\shell.fne
c:\docume~1\acer\LOCALS~1\Temp\E_N4\spec.fne
c:\docume~1\acer\LOCALS~1\Temp\tmp1.tmp
c:\docume~1\acer\LOCALS~1\Temp\tmp2.tmp
C:\kk3.bat
C:\MS-DOS.com
c:\program files\Fast Browser Search
c:\program files\Fast Browser Search\IE\1.bat
c:\program files\Fast Browser Search\IE\about.html
c:\program files\Fast Browser Search\IE\affid.dat
c:\program files\Fast Browser Search\IE\basis.xml
c:\program files\Fast Browser Search\IE\basis_br.xml
c:\program files\Fast Browser Search\IE\basis_de.xml
c:\program files\Fast Browser Search\IE\basis_en.xml
c:\program files\Fast Browser Search\IE\basis_es.xml
c:\program files\Fast Browser Search\IE\basis_fr.xml
c:\program files\Fast Browser Search\IE\basis_it.xml
c:\program files\Fast Browser Search\IE\basis_nr.xml
c:\program files\Fast Browser Search\IE\basis_pt.xml
c:\program files\Fast Browser Search\IE\basis_ru.xml
c:\program files\Fast Browser Search\IE\basis_tr.xml
c:\program files\Fast Browser Search\IE\BHO.dll
c:\program files\Fast Browser Search\IE\ClearRecycleBin.exe
c:\program files\Fast Browser Search\IE\error.html
c:\program files\Fast Browser Search\IE\FBSPlugin.dll
c:\program files\Fast Browser Search\IE\fbsProtection.xml
c:\program files\Fast Browser Search\IE\FbsSearchProvider.xml
c:\program files\Fast Browser Search\IE\FbsSearchProviderIE8.exe
c:\program files\Fast Browser Search\IE\FBStoolbar.dll
c:\program files\Fast Browser Search\IE\fbstoolbar.jar
c:\program files\Fast Browser Search\IE\fbstoolbar.manifest
c:\program files\Fast Browser Search\IE\icons.bmp
c:\program files\Fast Browser Search\IE\info.txt
c:\program files\Fast Browser Search\IE\local.xml
c:\program files\Fast Browser Search\IE\logobg.bmp
c:\program files\Fast Browser Search\IE\MTWBtoolbar.html
c:\program files\Fast Browser Search\IE\search.bmp
c:\program files\Fast Browser Search\IE\search_br.bmp
c:\program files\Fast Browser Search\IE\search_de.bmp
c:\program files\Fast Browser Search\IE\search_es.bmp
c:\program files\Fast Browser Search\IE\search_fr.bmp
c:\program files\Fast Browser Search\IE\search_it.bmp
c:\program files\Fast Browser Search\IE\search_pt.bmp
c:\program files\Fast Browser Search\IE\search_ru.bmp
c:\program files\Fast Browser Search\IE\SearchGuardPlus.exe
c:\program files\Fast Browser Search\IE\SearchGuardPlus.ico
c:\program files\Fast Browser Search\IE\SGPU.ico
c:\program files\Fast Browser Search\IE\sgpUpdater.exe
c:\program files\Fast Browser Search\IE\sgpUpdater.xml
c:\program files\Fast Browser Search\IE\SGPUpdaterS.exe
c:\program files\Fast Browser Search\IE\tbhelper.dll
c:\program files\Fast Browser Search\IE\tbs_include_script_003175.js
c:\program files\Fast Browser Search\IE\tbs_include_script_005064.js
c:\program files\Fast Browser Search\IE\tbs_include_script_012817.js
c:\program files\Fast Browser Search\IE\Toolbar Help.htm
c:\program files\Fast Browser Search\IE\uninstall.exe
c:\program files\Fast Browser Search\IE\uninstalSGP.exe
c:\program files\Fast Browser Search\IE\uninstalSGPU.exe
c:\program files\Fast Browser Search\IE\update.exe
c:\program files\Fast Browser Search\IE\version.txt
c:\program files\Mozilla Firefox\Components\095227ad-dcfe-3c8b-3872-23231a3abd51.dll
c:\program files\SGPSA
c:\program files\SGPSA\BHO.dll
C:\rqb0v2ot.bat
C:\rs.cmd
c:\windows\Alcmtr.exe
c:\windows\Cursors\Boom.vbs
c:\windows\Fonts\fonts.exe
c:\windows\Fonts\tskmgr.exe
c:\windows\Fonts\wav.wav
c:\windows\Help\Microsoft.hlp
c:\windows\Media\rndll32.pif
c:\windows\pchealth\Global.exe
c:\windows\pchealth\helpctr\binaries\HelpHost.com
c:\windows\recover.reg
c:\windows\system\KEYBOARD.exe
c:\windows\system32\500d46e9-30e8-fb83-e9a8-861866308719.exe
c:\windows\system32\cont_adzgalore-remove.exe
c:\windows\system32\dllcache\autorun.inf
c:\windows\system32\dllcache\Default.exe
c:\windows\system32\dllcache\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\0e93950c-a29e-4318-9b1d-255753575761
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\12a9c6b6-3c17-4116-bc00-3f4def172943
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\176ca7b3-02b0-4656-a278-75efe4caf64b
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\50c4c26d-68ad-4df3-831b-a38b46f0d046
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\56b6ecb4-d10c-4482-947d-173aaea8e90c
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\64159452-93cf-40a2-a07b-5c8fa1e16dd0
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\6d7e5854-b2d2-4672-b57a-b0f076432d2b
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\be65bc08-9d20-447e-8c1f-630d1a848012
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\c98e8195-8175-4368-9935-022bf5fb2b84
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\cf9f88f2-af37-4027-b191-67bab2a2387a
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\d1aad2f2-bb16-4e7c-9ea7-76b9cb33925d
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\e1a2214f-f5df-42a7-bed6-684ff177574f
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\ef47e29c-7f92-40a3-b64b-5259a688b523
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe
c:\windows\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
c:\windows\system32\dllcache\rndll32.exe
c:\windows\system32\dllcache\tskmgr.exe
c:\windows\system32\drivers\drivers.cab.exe
c:\windows\system32\nssAC.dll
c:\windows\system32\nsxD5.dll
c:\windows\system32\regedit.exe
c:\windows\system32\setting.ini
E:\0liyv.com
E:\2.cmd
E:\AUTORUN.INF
E:\b3b9u.com
E:\by.bat
E:\c9hehpa.bat
E:\kk3.bat
E:\n.com
E:\rqb0v2ot.bat
E:\rs.cmd
E:\t1ypkh.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2009-10-12 to 2009-11-12 )))))))))))))))))))))))))))))))
.

2009-11-08 20:09 . 2009-11-08 20:13 -------- d-----w- c:\documents and settings\acer\Local Settings\Application Data\AskToolbar
2009-11-07 23:58 . 2009-11-07 23:59 -------- d-----w- c:\documents and settings\acer\Application Data\ManyCam
2009-11-07 23:58 . 2009-11-07 23:59 -------- d-----w- c:\program files\ManyCam 2.4
2009-11-07 23:58 . 2009-11-07 23:58 -------- d-----w- c:\program files\Ask.com
2009-11-07 23:57 . 2009-11-07 23:57 -------- d-----w- c:\program files\AWS
2009-11-07 19:35 . 2009-11-07 19:35 -------- d-----w- c:\program files\Trend Micro
2009-11-07 15:37 . 2009-11-07 15:37 -------- d-----w- c:\windows\system32\wbem\Repository
2009-10-30 10:01 . 2009-10-30 10:01 -------- d-----w- c:\documents and settings\acer\Local Settings\Application Data\AVG Security Toolbar
2009-10-30 09:27 . 2009-10-30 09:27 -------- d-----w- C:\$AVG
2009-10-30 09:27 . 2009-10-30 09:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-30 09:27 . 2009-10-30 09:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-30 09:26 . 2009-10-30 09:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-30 09:26 . 2009-10-30 09:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-30 09:26 . 2009-11-12 02:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-30 09:26 . 2009-10-30 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-30 09:25 . 2009-10-30 09:25 -------- d-----w- c:\program files\AVG
2009-10-30 09:25 . 2009-11-12 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-30 09:25 . 2009-10-30 09:56 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 08:06 . 2009-10-30 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2009-10-25 15:20 . 2009-11-11 01:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-25 15:20 . 2009-11-11 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-25 07:43 . 2009-10-25 07:43 -------- d-----w- c:\documents and settings\acer\Application Data\Malwarebytes
2009-10-25 07:43 . 2009-10-25 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-17 05:03 . 2009-10-17 05:03 -------- d-----w- c:\documents and settings\acer\Local Settings\Application Data\Yahoo!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 02:28 . 2008-08-12 06:10 -------- d-----w- c:\documents and settings\acer\Application Data\Skype
2009-11-12 02:25 . 2007-12-30 11:51 -------- d-----w- c:\documents and settings\acer\Application Data\uTorrent
2009-11-12 01:28 . 2008-08-12 06:13 -------- d-----w- c:\documents and settings\acer\Application Data\skypePM
2009-11-08 20:12 . 2007-11-11 03:18 -------- d-----w- c:\documents and settings\acer\Application Data\MegauploadToolbar
2009-10-30 08:05 . 2007-08-19 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-10-05 07:10 . 2009-11-05 15:44 242472 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe
2009-10-05 07:10 . 2009-11-05 15:44 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2009-10-05 07:10 . 2009-11-05 15:44 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll
2009-10-05 07:10 . 2009-11-05 15:44 106336 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe
2009-10-05 07:10 . 2009-11-05 15:44 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2009-10-03 15:58 . 2008-12-29 10:07 -------- d-----w- c:\program files\TVAnts
2009-09-25 05:56 . 2004-08-03 22:56 662016 ----a-w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-16 13:51 . 2009-09-16 13:51 2008576 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B85A4AD92F471CB8EC199BEBD26C57\Emotion_detector.dll
2009-09-11 14:33 . 2004-08-03 22:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 07:28 . 2009-01-07 05:29 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-08-30 07:22 . 2009-01-07 05:22 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-26 08:16 . 2004-08-03 22:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-21 10:34 . 2009-08-21 10:34 1303040 ----a-w- c:\windows\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll
2009-02-20 03:02 . 2009-02-20 03:02 12654424 ----a-w- c:\program files\mm20enu.exe
2009-09-09 11:03 . 2009-09-09 11:03 364544 ----a-w- c:\program files\mozilla firefox\components\wkqsdgldec.dll
2008-04-10 14:39 . 2004-08-03 22:56 299008 -csha-r- c:\windows\system32\dllcache\svchost.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2009-02-26 03:25 809864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e1a4df4a-9824-b2aa-a852-642e26ddeb9c}]
2009-08-21 10:34 1303040 ----a-w- c:\windows\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2009-02-26 809864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1767936]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-05-15 176128]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-01-15 270128]
"mRouterConfig"="c:\program files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 364544]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-10-30 4415488]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-07-23 21738792]
"WeatherBugAlert"="c:\program files\AWS\WeatherBug Alert\WeatherBugAlert.exe" [2009-07-08 512000]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2009-08-19 1824040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2003-10-31 110592]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 244504]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 226704]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-06-12 172032]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-12 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-12 192512]
"USIUDF_Eject_Monitor"="c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 163840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 693880]
"PC Suite for Smartphones"="c:\program files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-11-08 606208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 495616]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 411944]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]

c:\documents and settings\acer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 557056]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-4-28 450560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 107520]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-8-6 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AIM6\\anotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe"=
"c:\\PROGRA~1\\Symbian\\Shared\\SYMBIA~1\\SYMBIA~1.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Sony\\Sony Picture Utility\\VolumeWatcher\\SPUVolumeWatcher.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\AWS\\WeatherBug Alert\\WeatherBugAlert.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\AcroDist.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Ulead Systems\\DVD\\USISrv.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\winjxce.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\winbutw.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/19/2007 6:11 PM 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [8/19/2007 6:11 PM 35712]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/4/2008 11:07 AM 24652]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjolgq.sys --> c:\windows\system32\drivers\hjolgq.sys [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 PM 21632]
S2 oobwzwtq;Shell Helper;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 6:56 AM 14336]
S4 Wmp130as;Wmp130as; [x]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
oobwzwtq
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:34]

2009-11-12 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2009-02-26 03:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?o=14302&l=dis
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = pofpx7001.maniladc.com:3128
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKman000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\acer\Application Data\Mozilla\Firefox\Profiles\ryga31m3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/_ylt=AgMPiyBUU4T1KSJAEOj8euKbvZx4/SIG=1113i7cuo/**http%3A//www.yahoo.com/bin/set
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={FB5092E2-C52D-7742-DC04-11823887B65C}&q=
FF - component: c:\program files\Mozilla Firefox\components\wkqsdgldec.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{26cdee35-a606-a6fa-e195-d549a1646bba} - c:\windows\system32\iednser.dll
BHO-{CA70569C-F789-B2AD-F154-01CB4121A98D} - c:\windows\system32\wkqsdgldec.dll
HKLM-Run-BroadcomWireless - c:\program files\Broadcom\Wireless\Utility\WlanUtil.exe
HKLM-Run-AVG7_CC - c:\progra~1\Grisoft\AVG7\avgcc.exe
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\1.bin\M3PLUGIN.DLL
HKLM-Run-74BE16 - c:\windows\system32\ACF7EF\74BE16.EXE
HKLM-Run-NWEReboot - (no file)
HKU-Default-Run-AVG7_Run - c:\progra~1\Grisoft\AVG7\avgw.exe
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard
AddRemove-500d46e9-30e8-fb83-e9a8-861866308719 - c:\windows\system32\500d46e9-30e8-fb83-e9a8-861866308719.exe
AddRemove-AdzgaloreDNHelper - c:\windows\system32\AdzgaloreDNHelper-uninstall.exe
AddRemove-AVG7Uninstall - c:\program files\Grisoft\AVG7\setup.exe
AddRemove-BitDownload - c:\program files\BitDownload\Uninstall.exe
AddRemove-Imikimi Plugin - c:\program files\Imikimi\uninstall.exe
AddRemove-LManager - c:\windows\UnInst32.exe
AddRemove-{5DB5B28C-4A2A-7800-A741-814E4DA83D6B} - c:\windows\system32\u_wkqsdgldec.dll.exe
AddRemove-{5e34aab5-c68c-450b-b135-c0280d7dcad8} - c:\windows\system32\rlvknlg.exe
AddRemove-stupid admin that - c:\docume~1\acer\APPLIC~1\SETTIN~1\idle software 16.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 10:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\oobwzwtq]
"ServiceDll"="c:\windows\system32\jvquq.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4996)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\progra~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\acer\LOCALS~1\Temp\winjxce.exe
c:\docume~1\acer\LOCALS~1\Temp\winbutw.exe
.
**************************************************************************
.
Completion time: 2009-11-12 10:42 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-12 02:42

Pre-Run: 828,186,624 bytes free
Post-Run: 7,878,463,488 bytes free

- - End Of File - - B2EABD9518ED855B60D5C5398820E3DA

Root Repeal
ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/12 10:46
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: catchme.sys
Image Path: C:\ComboFix\catchme.sys
Address: 0xA5D8A000 Size: 31744 File Visible: No Signed: -
Status: -

Name: Combo-Fix.sys
Image Path: Combo-Fix.sys
Address: 0xF865B000 Size: 60416 File Visible: No Signed: -
Status: -

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0x9E4E2000 Size: 778240 File Visible: No Signed: -
Status: -

Name: hjolgq.sys
Image Path: C:\WINDOWS\system32\drivers\hjolgq.sys
Address: 0xF8AE5000 Size: 5184 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8B69000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0x9D815000 Size: 49152 File Visible: No Signed: -
Status: -

==EOF==

HiJack
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:34 AM, on 11/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\AWS\WeatherBug Alert\WeatherBugAlert.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\winjxce.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\winbutw.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=14302&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pofpx7001.maniladc.com:3128
R3 - URLSearchHook: AIM Toolbar Search Class - {03402f96-3dc7-4285-bc50-9e81fefafe43} - C:\Program Files\AIM Toolbar\aimtb.dll
R3 - URLSearchHook: AOLSearchHook Class - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: AIM Toolbar Loader - {b0cda128-b425-4eef-a174-61a11ac5dbf8} - C:\Program Files\AIM Toolbar\aimtb.dll
O2 - BHO: Ask.com Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: adzgalore - {e1a4df4a-9824-b2aa-a852-642e26ddeb9c} - C:\WINDOWS\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll (file missing)
O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Ask.com Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [PC Suite for Smartphones] "C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CTZDetec.exe] C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Search Protection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [WeatherBugAlert] "C:\Program Files\AWS\WeatherBug Alert\WeatherBugAlert.exe" /st
O4 - HKCU\..\Run: [ManyCam] "C:\Program Files\ManyCam 2.4\ManyCam.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Nikon Monitor.lnk = C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AIM Toolbar Search - C:\Documents and Settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKman000
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\WINDOWS\system32\DRIVERS\xaudio.exe
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 14492 bytes


Below are the improvements in my computer:
- No more flying pop ups
- No more beeping sounds
- CD drive is now working

Problems that I'm still encountering:
- Task Manager is still disabled

I would like to thank you for your help and hopefully my computer will be entirely fixed with your help.
Please tell me what to do next.

Thanks!

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:10 AM

Posted 12 November 2009 - 06:27 PM

Hello khiks,

Nice job getting Combofix to work. Now let's see if we can't solve your task manager issue, along with some other issues.

1.
Ask Toolbar is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This changed from what we know, as stated in the following articles:

http://www.benedelman.org/spyware/ask-toolbars/
http://vil.nai.com/vil/content/v_185490.htm


I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Ask Toolbar.

2.
Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous amount of prospective victims can be reached through it.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should thus be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

3.
Viewpoint Manager is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This changed from what we knew in 2006; read this article:

http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Click on start > run > and then paste the following into the "open" field: appwiz.cpl and press OK. From within Add or Remove Programs uninstall the following if they exist: Viewpoint, Viewpoint Manager, Viewpoint Media Player.

4.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\docume~1\acer\LOCALS~1\Temp\winjxce.exe
c:\docume~1\acer\LOCALS~1\Temp\winbutw.exe
c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\jvquq.dll
c:\program files\mozilla firefox\components\wkqsdgldec.dll
c:\windows\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictCpl"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=-
"AntiVirusDisableNotify"=-
"FirewallDisableNotify"=-
"FirewallOverride"=-
"UpdatesDisableNotify"=-
"UacDisableNotify"=-

Firefox::
FF - ProfilePath - c:\documents and settings\acer\Application Data\Mozilla\Firefox\Profiles\ryga31m3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={FB5092E2-C52D-7742-DC04-11823887B65C}&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - component: c:\program files\Mozilla Firefox\components\wkqsdgldec.dll

Driver::
oobwzwtq

NetSvc::
oobwzwtq


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

5.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
Combofix.txt
Gmer log
Is Task Manager still disabled?
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
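As an added example (not the helper's tool and not code from this thread), the following Python script reads ComboFix-style log lines like the ones quoted in this topic, flags the policy values that disable Task Manager or silence Security Center, firewall allow-list entries that point at executables in a user's Temp folder, and the AutoRun/Open/Explore mountpoint commands, and then emits the Registry:: block of a CFScript in the same "Name"=- form used above. The sample log is constructed from lines in this thread, with one value set to 0 to show that only values actually set to 1 are reported.

```python
import re
from dataclasses import dataclass

# Policy and Security Center values that, when set to 1, disable user tools
# (Task Manager, regedit, Control Panel) or suppress Security Center alerts.
# The names are the ones the CFScript in this thread deletes.
POLICY_FLAGS = frozenset({
    "DisableTaskMgr", "DisableRegistryTools", "RestrictCpl",
    "AntiVirusOverride", "FirewallOverride", "AntiVirusDisableNotify",
    "FirewallDisableNotify", "UpdatesDisableNotify", "UacDisableNotify",
})

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
# An .exe under a user's Temp folder, as written in the firewall allow-list section
# (ComboFix doubles the backslashes there, so one or more backslashes are accepted).
TEMP_EXE_RE = re.compile(r"\\+(?:LOCALS~1|Local Settings)\\+Temp\\+[^\\\"]+\.exe", re.IGNORECASE)
MOUNTPOINT_RE = re.compile(r"^\\Shell\\(?P<verb>AutoRun|Open|Explore)\\command - (?P<cmd>.+)$")


@dataclass(frozen=True)
class Finding:
    kind: str    # "policy", "firewall_temp_exe" or "mountpoint"
    key: str     # registry key the line was listed under
    detail: str  # value name, normalised path, or verb + command


def is_set(raw: str) -> bool:
    """True for the ways ComboFix prints a non-zero REG_DWORD: '1 (0x1)' or 'dword:00000001'."""
    raw = raw.strip().lower()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16) != 0
    m = re.match(r"^(\d+)", raw)
    return m is not None and int(m.group(1)) != 0


def triage(log_text: str) -> list[Finding]:
    """Walk the log once, remembering the current [key] so each value can be attributed to it."""
    findings: list[Finding] = []
    current_key = ""
    for line in log_text.splitlines():
        line = line.rstrip()
        km = KEY_RE.match(line)
        if km:
            current_key = km.group("key")
            continue
        mp = MOUNTPOINT_RE.match(line)
        if mp and "mountpoints2" in current_key.lower():
            # Shell verbs of a removable drive redirected to a file on that drive.
            findings.append(Finding("mountpoint", current_key, f"{mp.group('verb')}: {mp.group('cmd')}"))
            continue
        vm = VALUE_RE.match(line)
        if not vm:
            continue
        name, val = vm.group("name"), vm.group("val")
        if name in POLICY_FLAGS and is_set(val):
            findings.append(Finding("policy", current_key, name))
        elif "AuthorizedApplications" in current_key and TEMP_EXE_RE.search(name):
            findings.append(Finding("firewall_temp_exe", current_key, name.replace("\\\\", "\\")))
    return findings


def cfscript_registry_section(findings: list[Finding]) -> str:
    """Emit the Registry:: block in the form used in this thread: '"Name"=-' deletes that value."""
    by_key: dict[str, list[str]] = {}
    for f in findings:
        if f.kind == "policy":
            by_key.setdefault(f.key, []).append(f.detail)
    lines = ["Registry::"]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines)


# Constructed sample, built from lines quoted in this thread; FirewallOverride is set to 0 here
# so the run shows that only values actually set to 1 are reported.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\tvqhsb.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af6f130c-f237-11dc-b0a9-00197ea52cb0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MS-DOS.com
\Shell\Open\command - G:\MS-DOS.com
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:18} {f.detail}")
    print()
    print(cfscript_registry_section(found))
```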


#8 khiks

khiks
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:10 PM

Posted 13 November 2009 - 07:44 PM

hi,

yesterday my laptop was back from having pop ups, beeping sounds and my cd drive from being disabled =(

Should I repeat your instructions from before, or proceed with your new instructions?

Thanks

#9 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:10 AM

Posted 13 November 2009 - 11:49 PM

Hello,
You can go ahead and proceed with the new instructions.



#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:10 AM

Posted 15 November 2009 - 01:35 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :(

With Regards,
fireman4it



#11 khiks

khiks
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:10 PM

Posted 17 November 2009 - 09:58 PM

Hi,

sorry for the late reply...

I tried dragging the CFScript.txt to the Combo fix but when it runs it says that it is "Not responding"

what shall I do?

I also tried scanning my pc using GMER but after more than an hour it's not yet done, is it normal?

another thing


I think that because of the virus my detachable devices (USB, memory card, iPod, etc.) were infected by an autorun virus.

How can I fix it? Thanks!

Edited by khiks, 17 November 2009 - 11:03 PM.


#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:10 AM

Posted 18 November 2009 - 05:26 PM

Hello khiks,

It seems you have been reinfected. Please refrain from using your machine until we get you all clean.

1.
Download and run Win32kDiag:

2.
Download and Run RKill
  • Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
3.
Please delete the copy of Combofix you currently have and download a fresh copy. Then try and run the CFScript from my previous post. You can download a fresh copy from the links below:

Link 1
Link 2

4.
Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.

* When done, DDS will open two (2) logs:

1. DDS.txt
2. Attach.txt

Save both reports to your desktop and post the contents of the DDS.txt log. Save the other report in case I need to look at it later.


Things to include in your next reply:
Combofix.txt
Win32Diag.txt
DDS.txt
Attach.txt



#13 khiks

khiks
  • Topic Starter

  • Members
  • 9 posts
  • Local time:03:10 PM

Posted 18 November 2009 - 11:37 PM

Combofix.txt

ComboFix 09-11-18.06 - acer 11/19/2009 11:47.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.90 [GMT 8:00]
Running from: c:\documents and settings\acer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\acer\Desktop\CFScript.txt
AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
* Created a new restore point

FILE ::
"c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe"
"c:\docume~1\acer\LOCALS~1\Temp\winbutw.exe"
"c:\docume~1\acer\LOCALS~1\Temp\winjxce.exe"
"c:\program files\mozilla firefox\components\wkqsdgldec.dll"
"c:\windows\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll"
"c:\windows\system32\jvquq.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Mozilla Firefox\components\wkqsdgldec.dll
c:\windows\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll
E:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OOBWZWTQ
-------\Service_oobwzwtq


((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-18 02:56 . 2008-09-26 10:01 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2009-11-18 02:56 . 2008-09-26 10:01 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2009-11-18 02:56 . 2008-09-26 10:01 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2009-11-18 02:56 . 2008-09-26 10:00 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2009-11-18 02:55 . 2009-11-18 03:06 -------- d-----w- c:\program files\Sun Broadband Wireless
2009-11-15 22:49 . 2009-11-15 22:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-07 23:58 . 2009-11-07 23:59 -------- d-----w- c:\documents and settings\acer\Application Data\ManyCam
2009-11-07 23:58 . 2009-11-07 23:59 -------- d-----w- c:\program files\ManyCam 2.4
2009-11-07 19:35 . 2009-11-07 19:35 -------- d-----w- c:\program files\Trend Micro
2009-10-30 10:01 . 2009-10-30 10:01 -------- d-----w- c:\documents and settings\acer\Local Settings\Application Data\AVG Security Toolbar
2009-10-30 09:27 . 2009-10-30 09:27 -------- d-----w- C:\$AVG
2009-10-30 09:27 . 2009-10-30 09:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-30 09:27 . 2009-10-30 09:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-30 09:26 . 2009-10-30 09:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-30 09:26 . 2009-10-30 09:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-30 09:26 . 2009-11-12 02:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-30 09:26 . 2009-10-30 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-30 09:25 . 2009-10-30 09:25 -------- d-----w- c:\program files\AVG
2009-10-30 09:25 . 2009-11-12 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-30 09:25 . 2009-10-30 09:56 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 08:06 . 2009-10-30 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2009-10-25 15:20 . 2009-11-11 01:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-25 15:20 . 2009-11-11 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-25 07:43 . 2009-10-25 07:43 -------- d-----w- c:\documents and settings\acer\Application Data\Malwarebytes
2009-10-25 07:43 . 2009-10-25 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 04:11 . 2008-08-12 06:10 -------- d-----w- c:\documents and settings\acer\Application Data\Skype
2009-11-19 04:04 . 2007-07-20 10:55 274432 ----a-w- c:\windows\system32\igfxtray.exe
2009-11-19 02:52 . 2008-08-12 06:13 -------- d-----w- c:\documents and settings\acer\Application Data\skypePM
2009-11-18 04:55 . 2007-11-11 03:18 -------- d-----w- c:\documents and settings\acer\Application Data\MegauploadToolbar
2009-11-14 05:36 . 2007-11-03 13:42 -------- d-----w- c:\program files\LimeWire
2009-11-14 05:35 . 2007-12-30 11:51 -------- d-----w- c:\documents and settings\acer\Application Data\uTorrent
2009-11-14 05:34 . 2008-11-04 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-30 08:05 . 2007-08-19 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-10-05 07:10 . 2009-11-05 15:44 242472 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe
2009-10-05 07:10 . 2009-11-05 15:44 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2009-10-05 07:10 . 2009-11-05 15:44 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll
2009-10-05 07:10 . 2009-11-05 15:44 106336 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe
2009-10-05 07:10 . 2009-11-05 15:44 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2009-10-03 15:58 . 2008-12-29 10:07 -------- d-----w- c:\program files\TVAnts
2009-09-25 05:56 . 2004-08-03 22:56 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-16 13:51 . 2009-09-16 13:51 2008576 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B85A4AD92F471CB8EC199BEBD26C57\Emotion_detector.dll
2009-09-11 14:33 . 2004-08-03 22:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 07:28 . 2009-01-07 05:29 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-08-30 07:22 . 2009-01-07 05:22 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-26 08:16 . 2004-08-03 22:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-20 03:02 . 2009-02-20 03:02 12654424 ----a-w- c:\program files\mm20enu.exe
2008-04-10 14:39 . 2004-08-03 22:56 299008 -csha-r- c:\windows\system32\dllcache\svchost.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-12_02.28.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-19 02:51 . 2009-11-19 02:51 16384 c:\windows\temp\Perflib_Perfdata_94c.dat
+ 2008-06-08 01:05 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
- 2008-06-08 01:05 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2004-08-03 21:17 . 2009-08-14 12:19 1850112 c:\windows\system32\win32k.sys
+ 2009-10-25 16:09 . 2009-11-15 22:50 1459184 c:\windows\system32\Restore\rstrlog.dat
+ 2007-08-19 17:53 . 2009-11-17 05:06 1579616 c:\windows\system32\FNTCACHE.DAT
- 2007-08-19 17:53 . 2009-10-30 21:55 1579616 c:\windows\system32\FNTCACHE.DAT
+ 2004-08-03 21:17 . 2009-08-14 12:19 1850112 c:\windows\system32\dllcache\win32k.sys
+ 2007-08-21 20:55 . 2009-11-05 01:36 26768832 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1767936]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-05-15 176128]
"mRouterConfig"="c:\program files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 364544]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-10-30 4415488]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-07-23 21738792]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2009-08-19 1901864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2003-10-31 110592]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 244504]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 226704]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2009-11-19 274432]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-12 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-12 192512]
"USIUDF_Eject_Monitor"="c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 163840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 693880]
"PC Suite for Smartphones"="c:\program files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-11-08 606208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 495616]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 411944]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16132608]

c:\documents and settings\acer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 557056]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-4-28 450560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 107520]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-8-6 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
"EnableLUA"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AIM6\\anotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe"=
"c:\\PROGRA~1\\Symbian\\Shared\\SYMBIA~1\\SYMBIA~1.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Sony\\Sony Picture Utility\\VolumeWatcher\\SPUVolumeWatcher.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\AcroDist.exe"=
"c:\\Program Files\\Common Files\\Ulead Systems\\DVD\\USISrv.exe"=
"c:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe"=
"c:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"=
"c:\\Program Files\\Creative\\Creative Media Lite\\CTZDetec.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\CapabilityManager.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\tvqhsb.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\winrqstg.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\winavqp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/19/2007 6:11 PM 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [8/19/2007 6:11 PM 35712]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjolgq.sys --> c:\windows\system32\drivers\hjolgq.sys [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 PM 21632]
S4 Wmp130as;Wmp130as; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af6f130c-f237-11dc-b0a9-00197ea52cb0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MS-DOS.com
\Shell\Explore\command - G:\MS-DOS.com
\Shell\Open\command - G:\MS-DOS.com
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = pofpx7001.maniladc.com:3128
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKman000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\acer\Application Data\Mozilla\Firefox\Profiles\ryga31m3.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/_ylt=AgMPiyBUU4T1KSJAEOj8euKbvZx4/SIG=1113i7cuo/**http%3A//www.yahoo.com/bin/set
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
BHO-{e1a4df4a-9824-b2aa-a852-642e26ddeb9c} - c:\windows\system32\b5d70539-13ae-302d-7b6e-ed449ee8e4f3.dll
HKLM-Run-AutorunRemover.exe - c:\program files\AutorunRemover\AutorunRemover.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-19 12:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5604)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
c:\progra~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\acer\LOCALS~1\Temp\tvqhsb.exe
.
**************************************************************************
.
Completion time: 2009-11-19 12:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 04:25
ComboFix2.txt 2009-11-17 05:22
ComboFix3.txt 2009-11-12 02:42

Pre-Run: 5,569,638,400 bytes free
Post-Run: 5,452,382,208 bytes free

- - End Of File - - AC010092180935EE51811F494C80E5DE


Win32Diag.txt

Running from: C:\Documents and Settings\acer\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\acer\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!



DDS.txt


DDS (Ver_09-09-29.01) - NTFSx86
Run by acer at 12:30:26.76 on Thu 11/19/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.114 [GMT 8:00]

AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\O2Micro Oz128 Driver\o2flash.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\Creative Media Lite\CTZDetec.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\ManyCam 2.4\ManyCam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Nikon\Monitor\NkMonitor.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
C:\PROGRA~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\tvqhsb.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\acer\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = pofpx7001.maniladc.com:3128
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aim search\AOLSearch.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~1\MEGAUP~1.DLL
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Search panel: {be95363e-2489-80c0-ac8c-6ac6337c7cb1} - c:\windows\system32\wkqsdgldec.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [CTZDetec.exe] c:\program files\creative\creative media lite\CTZDetec.exe
uRun: [mRouterConfig] "c:\program files\intuwave\shared\mrouterruntime\mRouterConfig.exe"
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [Search Protection] c:\program files\yahoo!\search protection\SearchProtection.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [ManyCam] "c:\program files\manycam 2.4\ManyCam.exe"
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [USIUDF_Eject_Monitor] c:\program files\common files\ulead systems\dvd\USISrv.exe
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [PC Suite for Smartphones] "c:\program files\sony ericsson\mobile4\application launcher\Application Launcher.exe" /startoptions
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
StartupFolder: c:\docume~1\acer\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\acer\startm~1\programs\startup\nikonm~1.lnk - c:\program files\common files\nikon\monitor\NkMonitor.exe
StartupFolder: c:\docume~1\acer\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKman000
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} - hxxp://www.creative.com/su/ocx/15031/CTSUEng.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su/ocx/15033/CTPID.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\acer\applic~1\mozilla\firefox\profiles\ryga31m3.default\
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/_ylt=AgMPiyBUU4T1KSJAEOj8euKbvZx4/SIG=1113i7cuo/**http%3A//www.yahoo.com/bin/set
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npkimi.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [2007-8-19 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [2007-8-19 35712]
R2 YahooAUService;Yahoo! Updater;c:\program files\yahoo!\softwareupdate\YahooAUService.exe [2008-11-10 602392]
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjolgq.sys --> c:\windows\system32\drivers\hjolgq.sys [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 zebrbus;Sony Ericsson Composite Device driver;c:\windows\system32\drivers\zebrbus.sys [2008-7-16 83200]
R3 zebrceb;Sony Ericsson Cable Emulation Bus (WDM);c:\windows\system32\drivers\zebrceb.sys [2008-7-16 63360]
R3 zebrmdfl;Sony Ericsson Modem Filter;c:\windows\system32\drivers\zebrmdfl.sys [2008-7-16 14848]
R3 zebrmdm;Sony Ericsson Modem Driver;c:\windows\system32\drivers\zebrmdm.sys [2008-7-16 109568]
R3 zebrmdmc;Sony Ericsson mRouter Port (WDM);c:\windows\system32\drivers\zebrmdmc.sys [2008-7-16 109568]
R3 zebrsce;Sony Ericsson PC-Connect Port;c:\windows\system32\drivers\zebrsce.sys [2008-7-16 91264]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys --> c:\windows\system32\drivers\avg7core.sys [?]
S1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys --> c:\windows\system32\drivers\avg7rsw.sys [?]
S1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys --> c:\windows\system32\drivers\avg7rsxp.sys [?]
S1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys --> c:\windows\system32\drivers\avgclean.sys [?]
S2 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe --> c:\progra~1\grisoft\avg7\avgamsvr.exe [?]
S2 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe --> c:\progra~1\grisoft\avg7\avgupsvc.exe [?]
S4 Wmp130as;Wmp130as; [x]

=============== Created Last 30 ================

2009-11-18 10:56 621,056 a------- c:\windows\system32\drivers\mod7700.sys
2009-11-18 10:56 113,664 a------- c:\windows\system32\drivers\ewusbnet.sys
2009-11-18 10:56 101,376 a------- c:\windows\system32\drivers\ewusbmdm.sys
2009-11-18 10:56 24,448 a------- c:\windows\system32\drivers\ewdcsc.sys
2009-11-18 10:55 <DIR> --d----- c:\program files\Sun Broadband Wireless
2009-11-16 06:49 <DIR> --d----- c:\windows\system32\wbem\Repository
2009-11-12 10:03 <DIR> a-dshr-- C:\cmdcons
2009-11-12 10:00 260,608 a------- c:\windows\PEV.exe
2009-11-12 10:00 161,792 a------- c:\windows\SWREG.exe
2009-11-12 10:00 98,816 a------- c:\windows\sed.exe
2009-11-12 10:00 77,312 a------- c:\windows\MBR.exe
2009-11-08 07:58 <DIR> --d----- c:\docume~1\acer\applic~1\ManyCam
2009-11-08 07:58 <DIR> --d----- c:\program files\ManyCam 2.4
2009-11-08 03:35 <DIR> --d----- c:\program files\Trend Micro
2009-10-30 17:27 <DIR> --d----- C:\$AVG
2009-10-30 17:27 12,464 a------- c:\windows\system32\avgrsstx.dll
2009-10-30 17:27 360,584 a------- c:\windows\system32\drivers\avgtdix.sys
2009-10-30 17:26 333,192 a------- c:\windows\system32\drivers\avgldx86.sys
2009-10-30 17:26 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-10-30 17:26 <DIR> --d----- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2009-10-30 17:25 <DIR> --d----- c:\program files\AVG
2009-10-30 17:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg9
2009-10-30 17:25 <DIR> --d----- c:\windows\SxsCaPendDel
2009-10-25 23:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-10-25 23:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-25 15:43 <DIR> --d----- c:\docume~1\acer\applic~1\Malwarebytes
2009-10-25 15:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-11-19 12:04 274,432 a------- c:\windows\system32\igfxtray.exe
2009-09-25 13:56 662,016 -------- c:\windows\system32\wininet.dll
2009-09-25 13:56 81,920 a------- c:\windows\system32\ieencode.dll
2009-09-11 22:33 133,632 a------- c:\windows\system32\msv1_0.dll
2009-09-05 04:45 58,880 a------- c:\windows\system32\msasn1.dll
2009-08-30 15:28 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdw.DAT
2009-08-30 15:22 20 ----h--- c:\docume~1\alluse~1\applic~1\PKP_DLdu.DAT
2009-08-26 16:16 247,326 a------- c:\windows\system32\strmdll.dll
2009-02-20 11:02 12,654,424 a------- c:\program files\mm20enu.exe
2009-01-01 17:51 524 a------- c:\program files\Shortcut to hjsplit.lnk
2008-12-30 16:56 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2008-12-29 18:05 3,006,976 a------- c:\program files\TvantsSetup.exe
2008-12-29 17:45 812,546 a------- c:\program files\SetupKHTV3.10.exe
2008-12-09 13:10 840,887 a------- c:\program files\DirectVobSub_2.37_VSFilter_2.39_win9x.zip
2008-12-09 13:05 468,907 a------- c:\program files\vsfilter.2.37_nt.exe
2008-08-07 22:02 115,712 a------- c:\docume~1\acer\applic~1\u3r4d7e5.dat
2008-07-03 09:37 7,570,648 a------- c:\program files\Firefox Setup 3.0.exe
2008-05-23 11:57 6,974,976 a------- c:\program files\QuickFix-2.1.msi
2008-03-16 11:46 7,326,267 a------- c:\program files\pqc_ipod.exe
2008-03-15 14:56 16,088 a------- c:\program files\iPod Software License.rtf
2008-03-15 11:34 59,163,944 a------- c:\program files\iTunesSetup.exe
2007-12-31 05:59 6,108,736 a------- c:\program files\Firefox Setup 2.0.0.11.exe
2007-12-12 12:38 14,286,896 a------- c:\program files\ZENStone_PCApp_CLA_ A4_1_10_08.exe
2007-11-16 10:46 24,192 a------- c:\documents and settings\acer\usbsermptxp.sys
2007-11-16 10:46 22,768 a------- c:\documents and settings\acer\usbsermpt.sys
2007-09-21 06:10 66,896 a------- c:\docume~1\acer\applic~1\GDIPFONTCACHEV1.DAT
2007-09-15 14:55 176 a------- c:\documents and settings\acer\BackupResult.DAT
2007-02-01 18:02 313,344 a------- c:\program files\hjsplit.exe
2008-04-10 22:39 299,008 ac-shr-- c:\windows\system32\dllcache\svchost.exe

============= FINISH: 12:30:53.32 ===============



Attach.txt



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-09-29.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 12/9/2007 3:19:57 AM
System Uptime: 11/19/2009 12:08:50 PM (0 hours ago)

Motherboard: Acer | | Volvi
Processor: Intel® Celeron® M CPU 520 @ 1.60GHz | U2E1 | 1599/133mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 38 GiB total, 5.145 GiB free.
D: is CDROM (UDF)
E: is FIXED (NTFS) - 37 GiB total, 1.8 GiB free.
F: is CDROM (CDFS)
G: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP20: 11/14/2009 1:31:47 PM - Removed Ask Toolbar.
RP21: 11/14/2009 1:32:15 PM - Removed Ask Toolbar.
RP22: 11/14/2009 1:35:05 PM - Removed WeatherBug Alert
RP23: 11/15/2009 3:02:52 AM - Software Distribution Service 3.0
RP24: 11/16/2009 6:42:18 AM - Restore Operation
RP25: 11/17/2009 9:12:33 AM - Software Distribution Service 3.0
RP26: 11/19/2009 11:45:17 AM - ComboFix created restore point

==== Installed Programs ======================


Acer Crystal Eye webcam
Add or Remove Adobe Creative Suite 3 Master Collection
Adobe Acrobat 8 Professional
Adobe After Effects CS3
Adobe After Effects CS3 Presets
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge 1.0
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Common File Installer
Adobe Contribute CS3
Adobe Creative Suite 3 Master Collection
Adobe Default Language CS3
Adobe Device Central CS3
Adobe Dreamweaver CS3
Adobe Encore CS3
Adobe ExtendScript Toolkit 2
Adobe Extension Manager CS3
Adobe Fireworks CS3
Adobe Flash CS3
Adobe Flash Player 10 Plugin
Adobe Flash Video Encoder
Adobe Fonts All
Adobe Help Center 2.0
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS2
Adobe Photoshop CS3
Adobe Premiere Pro 2.0
Adobe Premiere Pro CS3
Adobe Premiere Pro CS3 Functional Content
Adobe Reader 7.0
Adobe Setup
Adobe SING CS3
Adobe Soundbooth CS3
Adobe Stock Photos 1.0
Adobe Stock Photos CS3
Adobe SVG Viewer 3.0
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe Video Profiles
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP DVA Panels CS3
Adobe XMP Panels CS3
AHV content for Acrobat and Flash
AIM 6
AIM Search
AIM Toolbar
Apple Mobile Device Support
Apple Software Update
ASUSDVD
Avanquest update
Bonjour
Broadcom Gigabit Integrated Controller
Broadcom Wireless LAN Driver 4.100.15.7_Negative_Foxconn
Creative Media Lite
Creative ZEN Stone User's Guide
DirectVobSub (remove only)
Download Updater (AOL LLC)
Dynamic-Photo HDR Trial 4.31
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver
Intel® Matrix Storage Manager
iTunes
IZArc 3.81
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 7
KeyHoleTV
LightScribe 1.4.142.1
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
ManyCam 2.4 (remove only)
Megaupload Toolbar
Microsoft Office FrontPage 2003
Microsoft Office OneNote 2003
Microsoft Office Professional Edition 2003
Microsoft Office Project Professional 2003
Microsoft Office Visio Professional 2003
Microsoft Visual C++ 2005 Redistributable
Motorola Phone Tools
Mozilla Firefox (3.0.14)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
My Web Search (Webfetti)
Nikon Message Center
Nikon Transfer
NTI Backup NOW! 4.7
NTI CD & DVD-Maker
O2Micro Flash Memory Card Reader Driver Installer(x86)
PC Suite for Sony Ericsson
PDF Settings
Picture Control Utility
Platform4 Player
Platform4 Player ActiveX Control
PowerVideoMaker Professional 3.5.5
QuickFix
QuickTime
RealPlayer
Realtek High Definition Audio Driver
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Skype™ 3.8
Sony Ericsson Symbian 9 Drivers
Sony Picture Utility
Sun Broadband Wireless
The KMPlayer 2.9.4.1434
Total Video Converter 3.10
TVAnts 1.0
Ulead Data-Add 2.0
Ulead DVD MovieFactory 4.0
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
Update Service
VideoLAN VLC media player 0.8.6c
ViewNX
WebFldrs XP
Windows Installer 3.1 (KB893803)
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 11
Windows Movie Maker 2.0
Windows XP Hotfix - KB885884
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Software Update
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

11/18/2009 2:50:48 PM, error: O2SDRDR [9] -
11/14/2009 2:38:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avg7Core Avg7RsW Avg7RsXP AvgClean
11/14/2009 2:37:56 AM, error: Service Control Manager [7023] - The Shell Helper service terminated with the following error: The specified module could not be found.
11/14/2009 2:37:56 AM, error: Service Control Manager [7000] - The XAudioService service failed to start due to the following error: %1 is not a valid Win32 application.
11/14/2009 2:37:56 AM, error: Service Control Manager [7000] - The AVG7 Update Service service failed to start due to the following error: The system cannot find the file specified.
11/14/2009 2:37:56 AM, error: Service Control Manager [7000] - The AVG7 Alert Manager Server service failed to start due to the following error: The system cannot find the file specified.
11/14/2009 2:37:56 AM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume E:.
11/12/2009 9:56:22 AM, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
11/12/2009 9:31:27 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Windows Malicious Software Removal Tool - November 2009 (KB890830).
11/12/2009 9:27:31 AM, error: Service Control Manager [7000] - The My Web Search Service service failed to start due to the following error: The system cannot find the path specified.

==== End Of File ===========================




Hi, I just want to ask how to fix my removable device that I think was infected as well; I think that's possibly why my system was reinfected. Thanks for your help!
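The logs in this post are what the Malware Response Team reads before writing a cleanup script. As an added example that is not part of the thread and not a BleepingComputer or ComboFix tool (all function and category names are my own), here is a small Python triage script that scans lines in the DDS and ComboFix formats shown above for the entry types a cleanup targets: policy keys that disable Task Manager, programs launched from a Temp folder, drivers whose file is missing, and MountPoints2 shell commands that launch a file from a removable drive.

```python
"""Triage helper for DDS / ComboFix style log lines (added example).

Flags four entry types seen in the logs above: uPolicies/mPolicies lines that
disable Task Manager or the Registry Editor, programs running from a Temp
folder, service/driver lines whose image file is missing ("[?]" or "[x]"),
and MountPoints2 shell commands that launch a file from a removable volume
(the autorun.inf worm pattern behind a reinfected USB drive).
"""
import re
from typing import Dict, List

# Policy values that lock the user out of built-in diagnostic tools.
RESTRICTIVE_POLICIES = {"DisableTaskMgr", "DisableRegistryTools",
                        "DisableStatusMessages"}

_POLICY_RE = re.compile(r"^[um]Policies-system:\s*(\w+)\s*=\s*(\d+)")
_TEMP_RE = re.compile(r"\\locals~1\\temp\\|\\local settings\\temp\\", re.I)
# "R3 name;description;image-path [details]" (services/drivers section)
_DRIVER_RE = re.compile(r"^[RS]\d\s+[^;]+;[^;]*;(.*)$")
# "\Shell\AutoRun\command - <command>" under a MountPoints2 volume key
_MOUNTPOINT_RE = re.compile(r"^\\Shell\\\w+\\command\s*-\s*(.+)$", re.I)
_NONSYSTEM_DRIVE_RE = re.compile(r"\b[D-Z]:\\", re.I)


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group suspicious log lines by category; each finding is the raw line."""
    findings: Dict[str, List[str]] = {
        "policy_restriction": [],
        "temp_executable": [],
        "driver_missing_file": [],
        "removable_autorun": [],
    }
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = _POLICY_RE.match(line)
        if m:
            if m.group(1) in RESTRICTIVE_POLICIES and m.group(2) != "0":
                findings["policy_restriction"].append(line)
            continue
        m = _DRIVER_RE.match(line)
        if m:
            # DDS prints "path --> path [?]" when the driver file is absent and
            # "[x]" when the service has no image path at all. Either is a
            # leftover of an uninstalled product (the AVG7 entries here) or a
            # malware driver whose file is already gone; both get removed.
            if m.group(1).rstrip().endswith(("[?]", "[x]")):
                findings["driver_missing_file"].append(line)
            continue
        m = _MOUNTPOINT_RE.match(line)
        if m:
            cmd = m.group(1)
            # A per-volume Open/Explore/AutoRun override that runs a file on the
            # volume itself (G:\...) or goes through ShellExec_RunDLL so the
            # drive letter need not be fixed is how USB worms re-launch on insert.
            if _NONSYSTEM_DRIVE_RE.search(cmd) or "ShellExec_RunDLL" in cmd:
                findings["removable_autorun"].append(line)
            continue
        if _TEMP_RE.search(line) and line.lower().endswith(".exe"):
            findings["temp_executable"].append(line)
    return findings


# Constructed sample: lines in the formats of the DDS and ComboFix logs above,
# with a few benign entries so the output shows ordinary lines pass untouched.
SAMPLE_LOG = r"""
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
C:\DOCUME~1\acer\LOCALS~1\Temp\tvqhsb.exe
uPolicies-system: DisableTaskMgr = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: DisableStatusMessages = 1 (0x1)
R3 abp470n5;abp470n5;\??\c:\windows\system32\drivers\hjolgq.sys --> c:\windows\system32\drivers\hjolgq.sys [?]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
S1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys --> c:\windows\system32\drivers\avg7core.sys [?]
S4 Wmp130as;Wmp130as; [x]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{af6f130c-f237-11dc-b0a9-00197ea52cb0}]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL MS-DOS.com
\Shell\Explore\command - G:\MS-DOS.com
\Shell\Open\command - G:\MS-DOS.com
"""


def main() -> None:
    for category, hits in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("    " + hit)


if __name__ == "__main__":
    main()
```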

#14 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:02:10 AM

Posted 19 November 2009 - 04:28 PM

Hello khiks,

Hi, I just want to ask how to fix my removable device that I think was infected as well; I think that's possibly why my system was reinfected. Thanks for your help!

Once again I stress: don't make any changes to your computer unless instructed to. This would include downloading anything or attaching any device. This may hinder the cleanup process.
Yes, we can deal with the removable device.

1.
Uninstalling A Program Through "add/remove"

Click "start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of programs installed will be "populated" this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

My Web Search (Webfetti)

Additional instructions can be found here if needed.

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
c:\docume~1\acer\LOCALS~1\Temp\tvqhsb.exe
c:\docume~1\acer\applic~1\u3r4d7e5.dat
c:\DOCUME~1\acer\LOCALS~1\Temp\winrqstg.exe
c:\DOCUME~1\acer\LOCALS~1\Temp\winavqp.exe
c:\windows\system32\drivers\hjolgq.sys

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=-
"DisableRegistryTools"=-
"DisableStatusMessages"=-

Driver::
abp470n5
Wmp130as


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

3.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: ESET is compatible, but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
Things to include in your next reply:
Combofix.txt
ESET log
How is your machine running now?

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!


#15 khiks

khiks
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:03:10 PM

Posted 21 November 2009 - 12:00 AM

Hi,

I was able to delete the Webfetti, but the autorun infections are still in my removable devices.

And I can't access ESET. I'm not sure why; I tried different browsers, but I can't access it.

Below is the ComboFix log. Thanks.

ComboFix 09-11-19.03 - acer 11/20/2009 6:30.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.112 [GMT 8:00]
Running from: c:\documents and settings\acer\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\acer\Desktop\CFScript.txt
AV: AVG 7.5.560 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}

FILE ::
"c:\docume~1\acer\applic~1\u3r4d7e5.dat"
"c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe"
"c:\docume~1\acer\LOCALS~1\Temp\tvqhsb.exe"
"c:\docume~1\acer\LOCALS~1\Temp\winavqp.exe"
"c:\docume~1\acer\LOCALS~1\Temp\winrqstg.exe"
"c:\windows\system32\drivers\hjolgq.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\acer\applic~1\u3r4d7e5.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ABP470N5
-------\Service_abp470n5
-------\Service_Wmp130as


((((((((((((((((((((((((( Files Created from 2009-10-19 to 2009-11-19 )))))))))))))))))))))))))))))))
.

2009-11-18 02:56 . 2008-09-26 10:01 621056 ----a-w- c:\windows\system32\drivers\mod7700.sys
2009-11-18 02:56 . 2008-09-26 10:01 113664 ----a-w- c:\windows\system32\drivers\ewusbnet.sys
2009-11-18 02:56 . 2008-09-26 10:01 101376 ----a-w- c:\windows\system32\drivers\ewusbmdm.sys
2009-11-18 02:56 . 2008-09-26 10:00 24448 ----a-w- c:\windows\system32\drivers\ewdcsc.sys
2009-11-18 02:55 . 2009-11-18 03:06 -------- d-----w- c:\program files\Sun Broadband Wireless
2009-11-15 22:49 . 2009-11-15 22:49 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-07 23:58 . 2009-11-07 23:59 -------- d-----w- c:\documents and settings\acer\Application Data\ManyCam
2009-11-07 23:58 . 2009-11-07 23:59 -------- d-----w- c:\program files\ManyCam 2.4
2009-11-07 19:35 . 2009-11-07 19:35 -------- d-----w- c:\program files\Trend Micro
2009-10-30 10:01 . 2009-10-30 10:01 -------- d-----w- c:\documents and settings\acer\Local Settings\Application Data\AVG Security Toolbar
2009-10-30 09:27 . 2009-10-30 09:27 -------- d-----w- C:\$AVG
2009-10-30 09:27 . 2009-10-30 09:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-30 09:27 . 2009-10-30 09:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-30 09:26 . 2009-10-30 09:26 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-30 09:26 . 2009-10-30 09:26 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-30 09:26 . 2009-11-12 02:04 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-30 09:26 . 2009-10-30 09:26 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-10-30 09:25 . 2009-10-30 09:25 -------- d-----w- c:\program files\AVG
2009-10-30 09:25 . 2009-11-12 02:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2009-10-30 09:25 . 2009-10-30 09:56 -------- d-----w- c:\windows\SxsCaPendDel
2009-10-30 08:06 . 2009-10-30 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Avg7
2009-10-25 15:20 . 2009-11-11 01:52 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-25 15:20 . 2009-11-11 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-25 07:43 . 2009-10-25 07:43 -------- d-----w- c:\documents and settings\acer\Application Data\Malwarebytes
2009-10-25 07:43 . 2009-10-25 07:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-19 22:56 . 2008-08-12 06:10 -------- d-----w- c:\documents and settings\acer\Application Data\Skype
2009-11-19 21:53 . 2007-11-11 03:18 -------- d-----w- c:\documents and settings\acer\Application Data\MegauploadToolbar
2009-11-19 16:02 . 2008-08-12 06:13 -------- d-----w- c:\documents and settings\acer\Application Data\skypePM
2009-11-19 04:04 . 2007-07-20 10:55 274432 ----a-w- c:\windows\system32\igfxtray.exe
2009-11-14 05:36 . 2007-11-03 13:42 -------- d-----w- c:\program files\LimeWire
2009-11-14 05:35 . 2007-12-30 11:51 -------- d-----w- c:\documents and settings\acer\Application Data\uTorrent
2009-11-14 05:34 . 2008-11-04 03:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-10-30 08:05 . 2007-08-19 10:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Grisoft
2009-10-05 07:10 . 2009-11-05 15:44 242472 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\setup.exe
2009-10-05 07:10 . 2009-11-05 15:44 95792 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\AOLFirewallMgr.dll
2009-10-05 07:10 . 2009-11-05 15:44 83752 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\ProgUpd.dll
2009-10-05 07:10 . 2009-11-05 15:44 106336 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\postproc.exe
2009-10-05 07:10 . 2009-11-05 15:44 1025384 ------w- c:\documents and settings\All Users\Application Data\AOL OCP\AIM\Storage\All Users\SUDS_BBC2683C\CACHE\4469.2.4\gui.dll
2009-10-03 15:58 . 2008-12-29 10:07 -------- d-----w- c:\program files\TVAnts
2009-09-25 05:56 . 2004-08-03 22:56 662016 ------w- c:\windows\system32\wininet.dll
2009-09-25 05:56 . 2004-08-03 22:56 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-09-16 13:51 . 2009-09-16 13:51 2008576 ----a-w- c:\documents and settings\All Users\Application Data\Skype\Plugins\Plugins\04B85A4AD92F471CB8EC199BEBD26C57\Emotion_detector.dll
2009-09-11 14:33 . 2004-08-03 22:56 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 20:45 . 2004-08-03 22:56 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-30 07:28 . 2009-01-07 05:29 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdw.DAT
2009-08-30 07:22 . 2009-01-07 05:22 20 ---h--w- c:\documents and settings\All Users\Application Data\PKP_DLdu.DAT
2009-08-26 08:16 . 2004-08-03 22:56 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-02-20 03:02 . 2009-02-20 03:02 12654424 ----a-w- c:\program files\mm20enu.exe
2008-04-10 14:39 . 2004-08-03 22:56 299008 -csha-r- c:\windows\system32\dllcache\svchost.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-11-19_16.47.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-02 08:14 . 2007-04-12 09:33 16235008 c:\windows\RTHDCPL.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1767936]
"CTZDetec.exe"="c:\program files\Creative\Creative Media Lite\CTZDetec.exe" [2007-05-15 176128]
"mRouterConfig"="c:\program files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 364544]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-21 50472]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-10-30 4415488]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-07-23 21738792]
"ManyCam"="c:\program files\ManyCam 2.4\ManyCam.exe" [2009-08-19 1901864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2003-10-31 110592]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 244504]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-17 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-09 226704]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2009-11-19 274432]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-06-12 159744]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-06-12 192512]
"USIUDF_Eject_Monitor"="c:\program files\Common Files\Ulead Systems\DVD\USISrv.exe" [2004-12-23 163840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 693880]
"PC Suite for Smartphones"="c:\program files\Sony Ericsson\Mobile4\Application Launcher\Application Launcher.exe" [2007-11-08 606208]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 495616]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 411944]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 185584]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-12 16235008]

c:\documents and settings\acer\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 187392]
Nikon Monitor.lnk - c:\program files\Common Files\Nikon\Monitor\NkMonitor.exe [2007-10-18 557056]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2008-4-28 450560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 107520]
Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2003-8-6 51776]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictCpl"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001
"FirewallDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"UacDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Intuwave\\Shared\\mRouterRuntime\\mRouterRuntime.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\AIM6\\anotify.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ymsgr_tray.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\Generic.exe"=
"c:\\PROGRA~1\\Symbian\\Shared\\SYMBIA~1\\SYMBIA~1.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\Nikon\\Monitor\\NkMonitor.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Sony\\Sony Picture Utility\\VolumeWatcher\\SPUVolumeWatcher.exe"=
"c:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\reader_sl.exe"=
"c:\\Program Files\\Adobe\\Acrobat 8.0\\Acrobat\\AcroDist.exe"=
"c:\\Program Files\\Common Files\\Ulead Systems\\DVD\\USISrv.exe"=
"c:\\Program Files\\ASUSTeK\\ASUSDVD\\PDVDServ.exe"=
"c:\\Program Files\\Realtek\\InstallShield\\AzMixerSel.exe"=
"c:\\Program Files\\Creative\\Creative Media Lite\\CTZDetec.exe"=
"c:\\WINDOWS\\system32\\netsh.exe"=
"c:\\Program Files\\Common Files\\Teleca Shared\\CapabilityManager.exe"=
"c:\\Program Files\\Intel\\Intel Matrix Storage Manager\\Iaanotif.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Calibration\\Adobe Gamma Loader.exe"=
"c:\\PROGRA~1\\Symbian\\Shared\\SYMBIA~1\\SCBAL.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\winsxtqlm.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\ovfcid.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\jodoo.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 O2MDRDR;O2MDRDR;c:\windows\system32\drivers\o2media.sys [8/19/2007 6:11 PM 39680]
R0 O2SDRDR;O2SDRDR;c:\windows\system32\drivers\o2sd.sys [8/19/2007 6:11 PM 35712]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 6:06 PM 21632]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ABP470N5
.
Contents of the 'Scheduled Tasks' folder

2009-10-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = pofpx7001.maniladc.com:3128
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: &AIM Toolbar Search - c:\documents and settings\All Users\Application Data\AIM Toolbar\ieToolbar\resources\en-US\local\search.html
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...html?p=ZKman000
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\acer\Application Data\Mozilla\Firefox\Profiles\ryga31m3.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://m.www.yahoo.com/_ylt=AgMPiyBUU4T1KSJAEOj8euKbvZx4/SIG=1113i7cuo/**http%3A//www.yahoo.com/bin/set
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={FB5092E2-C52D-7742-DC04-11823887B65C}&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npkimi.dll
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
SafeBoot-AVG Anti-Spyware Driver
SafeBoot-AVG Anti-Spyware Guard



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-20 06:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(904)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTsvcCDA.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\O2Micro Oz128 Driver\o2flash.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files\Common Files\Teleca Shared\Generic.exe
c:\program files\Skype\Plugin Manager\skypePM.exe
c:\progra~1\Symbian\Shared\SYMBIA~1\SYMBIA~1.EXE
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\progra~1\Symbian\Shared\SYMBIA~1\SCBAL.exe
c:\program files\iPod\bin\iPodService.exe
c:\docume~1\acer\LOCALS~1\Temp\RtkBtMnt.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
c:\docume~1\acer\LOCALS~1\Temp\winsxtqlm.exe
.
**************************************************************************
.
Completion time: 2009-11-20 07:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-19 23:10
ComboFix2.txt 2009-11-19 16:54
ComboFix3.txt 2009-11-19 04:25

Pre-Run: 5,373,366,272 bytes free
Post-Run: 5,176,614,912 bytes free

- - End Of File - - FF4FDE48DA88D94C7EA2A74924F201AE
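The policy values fireman4it's CFScript clears, and the Security Center and firewall entries in the "Reg Loading Points" section of the ComboFix log above, are the indicators a responder wants flagged automatically rather than read by eye. The following triage script is an added example for this thread, not ComboFix's own code or anything posted by the participants; it parses a REGEDIT4-style section (the embedded sample is a trimmed excerpt of the log above) and reports the tampering it finds.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread (not ComboFix's own code): flags lockout
policies, Security Center overrides, a disabled firewall, and firewall
exceptions or autostarts pointing into a user's Temp directory.
"""
import re

# Security Center values that silence the "no antivirus / no firewall" warnings.
SECCENTER_OVERRIDES = {
    "AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify",
    "AntiVirusOverride", "FirewallOverride", "UacDisableNotify",
}
# Matches ...\LOCALS~1\Temp\ or ...\Local Settings\Temp\ (backslashes may be doubled).
TEMP_PATH = re.compile(r"\\+(locals~1|local settings)\\+temp\\+", re.I)
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')

# Trimmed excerpt of the ComboFix log posted above, used as sample input.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableStatusMessages"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)
"DisableRegistryTools"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RestrictCpl"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\DOCUME~1\\acer\\LOCALS~1\\Temp\\winsxtqlm.exe"=
"""


def parse_reg_section(text):
    """Return (key, value_name, data) tuples from a REGEDIT4-style listing."""
    entries, key = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := KEY_RE.match(line):
            key = m.group("key")
        elif (m := VALUE_RE.match(line)) and key:
            entries.append((key, m.group("name"), m.group("data").strip()))
    return entries


def _is_set(data):
    """True for non-zero data in either '1 (0x1)' or 'dword:00000001' form."""
    return re.search(r"dword:0*[1-9a-f]|^[1-9]", data, re.I) is not None


def triage(text):
    """Return a sorted list of human-readable findings for the log section."""
    findings = set()
    for key, name, data in parse_reg_section(text):
        lkey = key.lower()
        if "\\policies\\" in lkey and _is_set(data):
            findings.add(f"restriction policy: {key}\\{name}")
        elif "security center" in lkey and name in SECCENTER_OVERRIDES and _is_set(data):
            findings.add(f"security center override: {name}")
        elif name == "EnableFirewall" and data.startswith("0"):
            findings.add("firewall disabled in standardprofile")
        elif "authorizedapplications" in lkey and TEMP_PATH.search(name):
            findings.add(f"firewall exception for Temp executable: {name}")
        elif lkey.endswith("\\run") and TEMP_PATH.search(data):
            findings.add(f"autostart from Temp: {name}")
    return sorted(findings)
```

Running `triage(SAMPLE)` on the excerpt reports the four policy restrictions, the two Security Center overrides, the disabled firewall and the Temp-directory firewall exception; a clean log section returns an empty list.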



