
Browser Hijacked


  • This topic is locked
13 replies to this topic

#1 C2G

C2G

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 26 January 2010 - 10:56 PM

I just reinstalled Windows XP Home on my computer and I really have no idea how this happened. My buddy was on my computer the other day, so he could have been getting into some sites or downloading something he shouldn't have. I just downloaded Windows Security Essentials and ran that to erase the infected files. It found 2 (trojan:Win32/Vundo.gen!G was the main file, and there was another file that had a really similar name). I just want to get to the bottom of this before it is too late. It pretty much hacked my browser, so when I do a search it takes over and takes me to random sites. Also, after I ran Windows Security Essentials and restarted after it deleted those files, it said it had a problem loading the windows/system32/dosoyahe.dll file. HELP!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:08 PM, on 1/26/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\REAPER\reaper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jyess\Desktop\hijak\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [MSSE] "C:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1261963484796
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1261969982921
O20 - AppInit_DLLs: tirowefa.dll c:\windows\system32\dosoyahe.dll
O22 - SharedTaskScheduler: mujuzedij - {771358ae-d3d1-48f3-9833-32c3fabe3da2} - (no file)
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 6982 bytes




#2 C2G

C2G
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 31 January 2010 - 11:10 PM

Anybody have any ideas?

#3 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:20 AM

Posted 02 February 2010 - 06:24 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log.

We apologize for the delay of response.

Do you still require help?

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a RootRepeal log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or RootRepeal log, please refer to this page, step #6 and step #7, for further instructions on downloading and running DDS & RootRepeal. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-RootRepeal logs
-Description of any remaining problems you may still have.


Thanks again and we apologize for the delay.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#4 C2G

C2G
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 02 February 2010 - 10:53 PM

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jyess at 22:39:46.01 on Tue 02/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1544 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Jyess\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/mywaybiz
uDefault_Page_URL = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261963484796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261969982921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
AppInit_DLLs: c:\windows\system32\dosoyahe.dll c:\windows\system32\neduwozi.dll,tirowefa.dll
STS: {771358ae-d3d1-48f3-9833-32c3fabe3da2} - No File
STS: {6de4e84f-a286-4ff9-bab1-8b5f1b48250d} - No File
LSA: Notification Packages = scecli luverayu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jyess\applic~1\mozilla\firefox\profiles\9w9kz2b1.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 mfwagsif;MOTU Audio GSIF;c:\windows\system32\drivers\mfwagsif.sys [2008-2-14 22064]
R3 mfwamidi;MOTU Audio MIDI;c:\windows\system32\drivers\mfwamidi.sys [2008-2-14 25648]
R3 mfwawave;MOTU Audio Wave;c:\windows\system32\drivers\mfwawave.sys [2008-2-14 60976]
R3 mLanBus;Yamaha mLAN Bus Driver;c:\windows\system32\drivers\mLanBus.sys [2008-4-25 93568]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2008-2-14 23600]
R3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [2008-2-14 378416]
S1 fdtnnfhu;fdtnnfhu;\??\c:\windows\system32\drivers\fdtnnfhu.sys --> c:\windows\system32\drivers\fdtnnfhu.sys [?]
S1 fkjucnum;fkjucnum;\??\c:\windows\system32\drivers\fkjucnum.sys --> c:\windows\system32\drivers\fkjucnum.sys [?]
S1 zklqepep;zklqepep;c:\windows\system32\drivers\zklqepep.sys [2010-2-2 30784]
S3 mLanMIDI;Yamaha mLAN MIDI Driver;c:\windows\system32\drivers\mLanMIDI.sys [2008-4-25 12800]
S3 mLanPDev;YAMAHA mLAN Physical Driver;c:\windows\system32\drivers\mLanPDev.sys [2006-10-4 20992]
S3 mLanStrm;Yamaha mLAN Audio Driver;c:\windows\system32\drivers\mLanStrm.sys [2008-4-25 25472]
UnknownUnknown nbbxbcdy;nbbxbcdy; [x]
UnknownUnknown yofmdkag;yofmdkag; [x]

============== File Associations ===============

regfile="regedit.exe" "%1"

=============== Created Last 30 ================

2010-02-03 02:42:19 30784 ----a-w- c:\windows\system32\drivers\zklqepep.sys
2010-01-28 05:44:18 25 ----a-w- c:\windows\IV3.INI
2010-01-28 05:39:23 0 d-----w- c:\docume~1\jyess\applic~1\Family Lawyer
2010-01-28 03:11:15 115920 ----a-w- c:\windows\system32\MSINET.OCX
2010-01-28 03:10:51 0 d-----w- c:\program files\EULAlyzer
2010-01-28 01:51:48 1966080 ----a-w- c:\windows\system32\cdintf251.dll
2010-01-28 01:51:18 0 d-----w- c:\program files\Business PlanMaker Professional
2010-01-28 01:48:36 0 d-sh--w- c:\documents and settings\jyess\PrivacIE
2010-01-27 03:07:29 30784 ----a-w- c:\windows\system32\drivers\gworikpv.sys
2010-01-27 02:54:13 30784 ----a-w- c:\windows\system32\drivers\daesnvxl.sys
2010-01-27 02:39:05 30784 ----a-w- c:\windows\system32\drivers\zutjyopn.sys
2010-01-27 02:23:29 30784 ----a-w- c:\windows\system32\drivers\ivbjnwns.sys
2010-01-27 02:07:59 30784 ----a-w- c:\windows\system32\drivers\dfdmbrka.sys
2010-01-27 01:59:14 30784 ----a-w- c:\windows\system32\drivers\thomfvvs.sys
2010-01-27 01:53:57 30784 ----a-w- c:\windows\system32\drivers\ioqlmpnq.sys
2010-01-27 01:42:57 30784 ----a-w- c:\windows\system32\drivers\xybndogg.sys
2010-01-27 01:38:04 30784 ----a-w- c:\windows\system32\drivers\uxlqczjq.sys
2010-01-27 01:15:02 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-27 01:10:09 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-27 01:10:09 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-26 04:39:38 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-26 04:39:38 1409 ----a-w- c:\windows\QTFont.for
2010-01-21 18:43:00 0 d-----w- c:\program files\Recycle
2010-01-21 18:40:53 331263 ----a-w- c:\windows\LOOP.exe
2010-01-20 23:46:55 0 d-----w- c:\program files\ASIO4ALL v2
2010-01-20 23:46:04 1554944 ----a-w- c:\windows\system32\vorbis.acm
2010-01-20 23:45:53 0 d-----w- c:\program files\Outsim
2010-01-20 23:44:12 0 d-----w- c:\program files\Image-Line
2010-01-15 04:37:43 0 d-----w- c:\docume~1\alluse~1\applic~1\Azureus
2010-01-15 04:37:39 0 d-----w- c:\docume~1\jyess\applic~1\Azureus
2010-01-15 04:37:14 0 d-----w- c:\program files\Vuze
2010-01-15 04:35:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-01-15 04:35:01 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-15 01:09:11 16 ----a-w- c:\windows\system32\w3data.vss
2010-01-15 01:09:11 16 ----a-w- c:\windows\system32\msvcsv60.dll
2010-01-15 01:09:11 16 ----a-w- c:\windows\msocreg32.dat
2010-01-15 00:16:14 0 d-----w- c:\program files\IK Multimedia
2010-01-15 00:13:31 0 d-----w- c:\docume~1\alluse~1\applic~1\IK Multimedia
2010-01-15 00:00:34 233472 ------w- c:\windows\system32\REX Shared Library.dll
2010-01-15 00:00:34 0 d-----w- c:\docume~1\jyess\applic~1\Propellerhead Software
2010-01-15 00:00:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Propellerhead Software
2010-01-14 23:58:40 0 d-----w- c:\program files\Propellerhead
2010-01-14 23:55:53 0 d-----w- c:\program files\Sonik Synth 2 Free
2010-01-14 22:26:46 0 d-----w- C:\VSTPlugIns
2010-01-14 22:26:43 0 d-----w- c:\program files\SampleTank 2 Free
2010-01-14 20:13:54 0 d-----w- c:\docume~1\alluse~1\applic~1\mLAN Tools
2010-01-14 19:47:28 0 d-----w- c:\docume~1\alluse~1\applic~1\McAfee Security Scan
2010-01-13 00:54:11 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-07 20:39:56 0 d-----w- c:\program files\MySoftware
2010-01-07 04:28:38 87 ----a-w- c:\windows\system32\ssprs.tgz
2010-01-07 04:28:38 73 ----a-w- c:\windows\system32\ssprs.dll
2010-01-07 04:28:38 219 ----a-w- c:\windows\system32\lsprst7.tgz
2010-01-07 04:28:38 205 ----a-w- c:\windows\system32\lsprst7.dll
2010-01-07 04:28:38 1025 ----a-w- c:\windows\system32\sysprs7.tgz
2010-01-07 04:28:38 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-01-07 04:28:38 1025 ----a-w- c:\windows\system32\clauth2.dll
2010-01-07 04:28:38 1025 ----a-w- c:\windows\system32\clauth1.dll
2010-01-07 04:28:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Minnetonka Audio Software
2010-01-06 05:49:22 0 d-----w- c:\program files\Roxio
2010-01-06 05:43:52 0 d-----w- c:\program files\Memorex exPressit Label Design Studio
2010-01-06 05:43:52 0 d-----w- c:\program files\common files\SureThing Shared
2010-01-06 05:43:51 0 d-----w- c:\windows\MVUNINST
2010-01-06 04:14:41 0 d-----w- c:\program files\common files\Control Panels
2010-01-06 04:12:49 0 d-----w- c:\docume~1\alluse~1\applic~1\ALM
2010-01-06 01:40:02 2463976 ----a-w- c:\windows\system32\NPSWF32.dll
2010-01-06 01:40:02 190696 ----a-w- c:\windows\system32\NPSWF32_FlashUtil.exe
2010-01-06 01:31:56 0 d-----w- c:\program files\Bonjour
2010-01-06 01:27:26 0 d-----w- c:\program files\common files\Macrovision Shared

==================== Find3M ====================

2010-02-01 18:59:35 467200 ----a-w- c:\windows\system32\drivers\iaStor.sys
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll
1601-01-01 00:03:28 61440 --sha-w- c:\windows\system32\tegareto.dll

============= FINISH: 22:40:02.29 ===============




ROOTREPEAL:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2010/02/02 22:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA9215000 Size: 471040 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7CF1000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

==EOF==




COMPUTER ISSUES:

I installed Windows Security Essentials to get a quick fix and it deleted a couple of important files, I believe. I just uninstalled it because I hate anti-malware programs. My computer was running extremely slow earlier, and after deleting the program and quarantining a couple of files within the program (the worms and trojans I described above) it began running at a better speed. Other than that I have been getting popups related to the Vundo worm, and that is about it. This doesn't seem like it is that dangerous because I have been through worse. I just figured I would come here to make sure everything is 100% better. Thank you for your help!

#5 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:20 AM

Posted 03 February 2010 - 07:05 PM

Hello.

Okay, let's start with ComboFix.

Download and Run Combofix

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page for instructions on doing so.

Please include the C:\ComboFix.txt in your next reply for further review.


#6 C2G

C2G
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 07 February 2010 - 01:11 PM

ComboFix 10-02-07.01 - Jyess 02/07/2010 12:20:21.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1710 [GMT -5:00]
Running from: c:\documents and settings\Jyess\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jyess\Desktop\Your PC Protector.lnk
c:\documents and settings\Jyess\Start Menu\Programs\Your PC Protector
c:\documents and settings\Jyess\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk
c:\program files\adc32.dll
c:\program files\alggui.exe
c:\program files\nuar.old
c:\program files\svchost.exe
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\program files\Your PC Protector
c:\program files\Your PC Protector\Your PC Protector.exe
c:\windows\system32\bszip.dll
c:\windows\system32\kelewaba.dll
c:\windows\system32\kidoyera.dll
c:\windows\system32\liwadefi.dll
c:\windows\system32\lopibeki.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\luverayu.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\ssprs.dll
c:\windows\system32\twain_32.dll
c:\windows\Tasks\omhokdat.job

----- BITS: Possible infected sites -----

hxxp://77.74.48.111
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADBUPD
-------\Service_AdbUpd


((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-02-07 17:12 . 2010-02-07 17:12 -------- d-----w- C:\Your PC Protector
2010-02-07 17:06 . 2010-02-07 17:06 -------- d-----w- c:\program files\schtml
2010-02-07 17:01 . 2010-02-07 17:01 36 ----a-w- c:\program files\skynet.dat
2010-02-07 17:01 . 2010-02-07 17:01 1057800 ----a-w- c:\program files\wpp.exe
2010-01-28 05:39 . 2010-01-28 05:39 -------- d-----w- c:\documents and settings\Jyess\Application Data\Family Lawyer
2010-01-28 03:19 . 2010-01-28 03:19 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-28 03:10 . 2010-01-28 03:11 -------- d-----w- c:\program files\EULAlyzer
2010-01-28 01:51 . 2006-11-09 19:43 1966080 ----a-w- c:\windows\system32\cdintf251.dll
2010-01-28 01:51 . 2010-02-03 02:43 -------- d-----w- c:\program files\Business PlanMaker Professional
2010-01-28 01:48 . 2010-01-28 01:48 -------- d-sh--w- c:\documents and settings\Jyess\PrivacIE
2010-01-27 03:07 . 2010-01-27 03:07 30784 ----a-w- c:\windows\system32\drivers\gworikpv.sys
2010-01-27 02:54 . 2010-01-27 02:54 30784 ----a-w- c:\windows\system32\drivers\daesnvxl.sys
2010-01-27 02:39 . 2010-01-27 02:39 30784 ----a-w- c:\windows\system32\drivers\zutjyopn.sys
2010-01-27 02:23 . 2010-01-27 02:23 30784 ----a-w- c:\windows\system32\drivers\ivbjnwns.sys
2010-01-27 02:07 . 2010-01-27 02:07 30784 ----a-w- c:\windows\system32\drivers\dfdmbrka.sys
2010-01-27 01:59 . 2010-01-27 01:59 30784 ----a-w- c:\windows\system32\drivers\thomfvvs.sys
2010-01-27 01:53 . 2010-01-27 01:53 30784 ----a-w- c:\windows\system32\drivers\ioqlmpnq.sys
2010-01-27 01:42 . 2010-01-27 01:42 30784 ----a-w- c:\windows\system32\drivers\xybndogg.sys
2010-01-27 01:38 . 2010-01-27 01:38 30784 ----a-w- c:\windows\system32\drivers\uxlqczjq.sys
2010-01-27 01:15 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-27 01:10 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-21 22:51 . 2010-01-21 22:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-21 18:43 . 2010-01-21 18:43 -------- d-----w- c:\program files\Recycle
2010-01-21 18:40 . 2004-02-07 06:48 331263 ----a-w- c:\windows\LOOP.exe
2010-01-20 23:46 . 2010-01-20 23:46 -------- d-----w- c:\program files\ASIO4ALL v2
2010-01-20 23:45 . 2010-01-20 23:45 -------- d-----w- c:\program files\Outsim
2010-01-20 23:44 . 2010-01-20 23:46 -------- d-----w- c:\program files\Image-Line
2010-01-17 04:30 . 2010-01-17 04:30 -------- d-----w- c:\windows\Sun
2010-01-15 04:37 . 2010-01-15 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-15 04:37 . 2010-01-26 22:57 -------- d-----w- c:\documents and settings\Jyess\Application Data\Azureus
2010-01-15 04:37 . 2010-01-15 04:37 -------- d-----w- c:\program files\Vuze
2010-01-15 04:35 . 2010-01-15 04:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-15 04:34 . 2010-01-15 04:34 152576 ----a-w- c:\documents and settings\Jyess\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-15 04:33 . 2010-01-15 04:33 79488 ----a-w- c:\documents and settings\Jyess\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-15 01:09 . 2010-01-21 03:40 16 ----a-w- c:\windows\msocreg32.dat
2010-01-15 00:16 . 2010-01-15 00:16 -------- d-----w- c:\program files\IK Multimedia
2010-01-15 00:13 . 2010-01-15 00:13 -------- d-----w- c:\documents and settings\Jyess\Application Data\InstallShield
2010-01-15 00:13 . 2010-01-15 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
2010-01-15 00:00 . 2010-01-21 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2010-01-15 00:00 . 2010-01-21 18:41 -------- d-----w- c:\documents and settings\Jyess\Application Data\Propellerhead Software
2010-01-15 00:00 . 2010-01-15 00:00 233472 ------w- c:\windows\system32\REX Shared Library.dll
2010-01-14 23:58 . 2010-01-14 23:58 -------- d-----w- c:\program files\Propellerhead
2010-01-14 23:55 . 2010-01-14 23:55 -------- d-----w- c:\program files\Sonik Synth 2 Free
2010-01-14 22:26 . 2010-01-14 23:55 -------- d-----w- C:\VSTPlugIns
2010-01-14 22:26 . 2010-01-14 22:26 -------- d-----w- c:\program files\SampleTank 2 Free
2010-01-14 20:13 . 2010-01-14 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\mLAN Tools
2010-01-14 19:47 . 2010-01-14 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-13 00:54 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-01-13 00:54 . 2006-10-27 00:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-13 00:53 . 2010-01-13 00:53 -------- d-----w- c:\program files\Microsoft Works
2010-01-13 00:53 . 2010-01-13 00:53 -------- d-----w- c:\program files\Microsoft.NET
2010-01-13 00:52 . 2010-01-13 00:52 -------- d-----w- c:\documents and settings\Jyess\Local Settings\Application Data\Microsoft Help
2010-01-13 00:52 . 2010-01-13 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 00:51 . 2010-01-13 00:51 -------- d-----r- C:\MSOCache
2010-01-10 05:15 . 2010-01-10 05:15 -------- d-----w- c:\documents and settings\Jyess\Application Data\Roxio

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 17:24 . 2005-06-22 23:59 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2010-02-07 17:24 . 2005-06-22 23:59 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2010-02-01 18:59 . 1980-01-01 05:00 467200 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-21 03:59 . 2009-12-30 01:17 -------- d-----w- c:\program files\REAPER
2010-01-20 02:11 . 2009-12-28 01:04 93096 ----a-w- c:\documents and settings\Jyess\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 04:34 . 2005-06-22 23:57 -------- d-----w- c:\program files\Java
2010-01-15 00:16 . 2005-06-22 23:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-01-14 20:12 . 2009-12-30 02:13 -------- d-----w- c:\program files\mLAN Tools
2010-01-07 20:39 . 2010-01-07 20:39 -------- d-----w- c:\program files\MySoftware
2010-01-07 04:28 . 2010-01-07 04:28 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-01-07 04:28 . 2010-01-07 04:28 1025 ----a-w- c:\windows\system32\clauth2.dll
2010-01-07 04:28 . 2010-01-07 04:28 1025 ----a-w- c:\windows\system32\clauth1.dll
2010-01-07 04:28 . 2010-01-07 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2010-01-06 05:50 . 2010-01-06 05:48 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-06 05:49 . 2010-01-06 05:49 -------- d-----w- c:\program files\Roxio
2010-01-06 05:49 . 2010-01-06 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-06 05:46 . 2010-01-06 05:43 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
2010-01-06 05:43 . 2010-01-06 05:43 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-01-06 05:38 . 2010-01-06 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-06 04:16 . 2009-12-30 02:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 04:14 . 2010-01-06 04:14 -------- d-----w- c:\program files\Common Files\Control Panels
2010-01-06 04:12 . 2010-01-06 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-01-06 01:31 . 2010-01-06 01:31 -------- d-----w- c:\program files\Bonjour
2010-01-06 01:27 . 2010-01-06 01:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-30 23:44 . 2009-12-30 01:17 -------- d-----w- c:\documents and settings\Jyess\Application Data\REAPER
2009-12-30 03:51 . 2009-12-30 03:51 -------- d-----w- c:\documents and settings\Jyess\Application Data\Auslogics
2009-12-30 01:54 . 2009-12-30 01:54 -------- d-----w- c:\program files\Sony Setup
2009-12-30 01:29 . 2009-12-30 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\iZotope
2009-12-30 01:29 . 2009-12-30 01:29 -------- d-----w- c:\program files\Common Files\iZotope
2009-12-30 01:29 . 2009-12-30 01:29 -------- d-----w- c:\program files\iZotope
2009-12-30 01:25 . 2009-12-30 01:25 -------- d-----w- c:\documents and settings\Jyess\Application Data\Waves Audio
2009-12-30 01:25 . 2009-12-30 01:24 -------- d-----w- c:\program files\Waves
2009-12-30 01:25 . 2009-12-30 01:25 -------- d-----w- c:\program files\Common Files\Digidesign
2009-12-30 01:24 . 2009-12-30 01:24 -------- d-----w- c:\program files\Steinberg
2009-12-30 01:17 . 2009-12-30 01:17 -------- d-----w- c:\program files\Auslogics
2009-12-30 01:15 . 2009-12-30 01:15 -------- d-----w- c:\program files\CCleaner
2009-12-28 03:21 . 2009-12-28 03:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-28 02:42 . 2009-12-28 02:42 -------- d-----w- c:\program files\MSXML 4.0
2009-12-28 02:07 . 2009-12-28 02:07 -------- d-----w- c:\program files\HP
2009-12-28 01:53 . 2004-08-10 18:13 78011 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-12-28 01:35 . 2009-12-28 01:35 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-12-28 01:17 . 2009-12-28 01:17 -------- d-----w- c:\program files\MOTU
2009-12-28 01:03 . 2009-12-28 01:03 -------- d-----w- c:\program files\Microsoft Broadband Networking
2009-12-28 00:22 . 2005-06-23 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-28 00:22 . 2005-06-23 00:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-28 00:21 . 2005-06-23 00:08 -------- d-----w- c:\program files\Symantec
2009-12-24 05:02 . 2005-06-23 00:05 -------- d-----w- c:\program files\Common Files\AOL
2009-12-24 05:02 . 2005-06-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\SYSTEM32\buzakayo.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 93696 --sha-w- c:\windows\SYSTEM32\fonemike.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\SYSTEM32\jayamuja.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 54272 --sha-w- c:\windows\SYSTEM32\pabewisa.dll
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\SYSTEM32\sidenohe.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 54272 --sha-w- c:\windows\SYSTEM32\vamejinu.dll
1601-01-01 00:03 . 1601-01-01 00:03 60928 --sha-w- c:\windows\SYSTEM32\vedofumu.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\SYSTEM32\wulemake.dll
1601-01-01 00:03 . 1601-01-01 00:03 39424 --sha-w- c:\windows\SYSTEM32\yunukino.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd1b62ac-4f8c-4bb5-9a5a-ec11fbd084ad}]
1601-01-01 00:03 54272 --sha-w- c:\windows\SYSTEM32\pabewisa.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^mLAN Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\mLAN Manager.lnk
backup=c:\windows\pss\mLAN Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MOTU Pedal Handler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MOTU Pedal Handler.lnk
backup=c:\windows\pss\MOTU Pedal Handler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 03:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2004-02-19 13:23 61440 ----a-w- c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2004-03-11 14:50 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 06:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 13:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 13:50 131072 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 15:26 26112 ----a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-06-23 00:06 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-06-23 00:06 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-06-09 14:51 1695744 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-15 04:34 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 mfwagsif;MOTU Audio GSIF;c:\windows\SYSTEM32\DRIVERS\mfwagsif.sys [2/14/2008 6:14 PM 22064]
R3 mfwamidi;MOTU Audio MIDI;c:\windows\SYSTEM32\DRIVERS\mfwamidi.sys [2/14/2008 6:14 PM 25648]
R3 mfwawave;MOTU Audio Wave;c:\windows\SYSTEM32\DRIVERS\mfwawave.sys [2/14/2008 6:13 PM 60976]
R3 mLanBus;Yamaha mLAN Bus Driver;c:\windows\SYSTEM32\DRIVERS\mLanBus.sys [4/25/2008 2:48 PM 93568]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\SYSTEM32\DRIVERS\motubus.sys [2/14/2008 6:14 PM 23600]
R3 MotuFWA;MotuFWA;c:\windows\SYSTEM32\DRIVERS\motufwa.sys [2/14/2008 6:13 PM 378416]
S1 fdtnnfhu;fdtnnfhu;\??\c:\windows\system32\drivers\fdtnnfhu.sys --> c:\windows\system32\drivers\fdtnnfhu.sys [?]
S1 fkjucnum;fkjucnum;\??\c:\windows\system32\drivers\fkjucnum.sys --> c:\windows\system32\drivers\fkjucnum.sys [?]
S1 zklqepep;zklqepep;\??\c:\windows\system32\drivers\zklqepep.sys --> c:\windows\system32\drivers\zklqepep.sys [?]
S3 mLanMIDI;Yamaha mLAN MIDI Driver;c:\windows\SYSTEM32\DRIVERS\mLanMIDI.sys [4/25/2008 2:48 PM 12800]
S3 mLanPDev;YAMAHA mLAN Physical Driver;c:\windows\SYSTEM32\DRIVERS\mLanPDev.sys [10/4/2006 10:10 AM 20992]
S3 mLanStrm;Yamaha mLAN Audio Driver;c:\windows\SYSTEM32\DRIVERS\mLanStrm.sys [4/25/2008 2:48 PM 25472]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jyess\Application Data\Mozilla\Firefox\Profiles\9w9kz2b1.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02} - c:\program files\adc32.dll
HKLM-Run-bimemisuh - c:\windows\system32\liwadefi.dll
HKLM-Run-nefirobafu - lopibeki.dll
SharedTaskScheduler-{771358ae-d3d1-48f3-9833-32c3fabe3da2} - (no file)
SharedTaskScheduler-{6de4e84f-a286-4ff9-bab1-8b5f1b48250d} - (no file)
SharedTaskScheduler-{c497c93c-17ab-462c-9f99-e6b0aa2065ef} - c:\windows\system32\liwadefi.dll
SSODL-nutorujur-{c497c93c-17ab-462c-9f99-e6b0aa2065ef} - c:\windows\system32\liwadefi.dll
AddRemove-{A1062847-0846-427A-92A1-BB8251A91E91} - c:\program files\HP\Digital Imaging\{A1062847-0846-427A-92A1-BB8251A91E91}\setup\hpzscr01.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:27,cc,af,c2,4a,c5,0d,d8,95,87,4f,b5,26,3f,e5,34,fd,7d,70,e8,c8,
e3,a5,87,0f,c8,ed,90,3e,57,23,5e,96,a4,81,33,2d,b8,00,eb,4b,86,13,68,8a,99,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:27,cc,af,c2,4a,c5,0d,d8,95,87,4f,b5,26,3f,e5,34,fd,7d,70,e8,c8,
e3,a5,87,0f,c8,ed,90,3e,57,23,5e,96,a4,81,33,2d,b8,00,eb,4b,86,13,68,8a,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1776)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2010-02-07 12:30:50 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 17:30

Pre-Run: 204,520,026,112 bytes free
Post-Run: 204,365,508,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 089E29CDC34674DD62DB412B5DD8FBC2
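As a reader's aid for the ComboFix output above, here is an added Python triage script (not ComboFix's code and not anything posted by the helpers in this thread). It parses the file and driver/service line shapes seen in this log and scores the signals a responder looks for: the 1601-stamped, system+hidden DLLs in SYSTEM32, the `[?]` drivers whose image file could not be found, and the eight-letter generated names, while showing why the name alone is a weak signal (msonpmon.dll and mfwagsif.sys are legitimate). The weights, the threshold, and the reading of the digit after R/S as the service start type are this example's assumptions; the sample lines are copied from the log.

```python
"""Triage heuristics for ComboFix-style log lines (added example, not
ComboFix's own code). Parses the two line shapes seen in the log above:
  file entries:    <mtime> . <ctime> <size|--------> <attrs> <path>
  service entries: <R|S><start type> <name>;<display>;<image path> [<meta>|?]
and scores each against signals a responder looks for when reading it.
"""
import re
from typing import List, Optional, Tuple

FILE_RE = re.compile(
    r"^(\d{4})-\d{2}-\d{2} \d{2}:\d{2} \. (\d{4})-\d{2}-\d{2} \d{2}:\d{2} "
    r"(\S+) (\S{8}) (.+)$"
)
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*?) \[(.*)\]$")
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")  # buzakayo, fdtnnfhu, but also msonpmon

Signal = Tuple[bool, int, str]               # (fired?, points, reason)
Finding = Tuple[str, str, int, List[str]]    # (kind, name, score, reasons)
THRESHOLD = 2                                # one weak signal never flags on its own


def _tally(kind: str, name: str, signals: List[Signal]) -> Finding:
    hits = [(pts, why) for fired, pts, why in signals if fired]
    return (kind, name, sum(p for p, _ in hits), [w for _, w in hits])


def score_file_line(line: str) -> Optional[Finding]:
    """Score one Find3M / 'Files Created' entry; None if the line is not one."""
    m = FILE_RE.match(line)
    if not m:
        return None
    mtime_year, ctime_year, _size, attrs, path = m.groups()
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.partition(".")
    is_dir = attrs.startswith("d")
    signals: List[Signal] = [
        # 1601-01-01 is the zero of Windows FILETIME: the timestamps were
        # wiped, which is what every hidden DLL in this log shows.
        ("1601" in (mtime_year, ctime_year), 2, "zeroed (1601) timestamp"),
        # system+hidden on a loose file under system32 keeps it out of a
        # default Explorer listing; rare for legitimate components.
        (not is_dir and "s" in attrs and "h" in attrs
         and "\\system32\\" in path.lower(), 2, "system+hidden file in system32"),
        # eight lowercase letters with a dll/sys extension fits the generated
        # names in this thread, but msonpmon.dll is legitimate: weak signal.
        (bool(RANDOM_STEM_RE.match(stem))
         and ext.lower().split(".")[0] in ("dll", "sys"), 1, "eight-letter lowercase name"),
        (name.lower().endswith(".dll.tmp"), 1, ".dll.tmp double extension"),
    ]
    return _tally("file", name, signals)


def score_service_line(line: str) -> Optional[Finding]:
    """Score one driver/service entry; None if the line is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    _state, start_type, svc, display, _image, meta = m.groups()
    signals: List[Signal] = [
        # ComboFix prints "[?]" when it cannot stat the image file: the
        # service is registered but its driver file is hidden or gone.
        (meta.strip() == "?", 2, "image file not found ([?])"),
        # assumption: the digit after R/S is the Windows start type; 0 (boot)
        # and 1 (system) drivers load before most security tooling.
        (start_type in ("0", "1"), 1, "boot/system start type"),
        (display == svc, 1, "display name identical to service name"),
        (bool(RANDOM_STEM_RE.match(svc)), 1, "eight-letter lowercase name"),
    ]
    return _tally("service", svc, signals)


def triage(log_text: str) -> List[Finding]:
    """Return findings scoring at or above THRESHOLD, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        finding = score_file_line(line) or score_service_line(line)
        if finding and finding[2] >= THRESHOLD:
            findings.append(finding)
    return findings


# Constructed sample: lines copied from the log in this thread, mixing the
# hidden random-named DLLs and orphan drivers with legitimate entries.
SAMPLE_LOG = r"""2010-02-07 17:24 . 2005-06-22 23:59 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2010-01-13 00:54 . 2006-10-27 00:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-28 01:48 . 2010-01-28 01:48 -------- d-sh--w- c:\documents and settings\Jyess\PrivacIE
1601-01-01 00:03 . 1601-01-01 00:03 52224 --sha-w- c:\windows\SYSTEM32\buzakayo.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 93696 --sha-w- c:\windows\SYSTEM32\fonemike.dll
R3 mfwagsif;MOTU Audio GSIF;c:\windows\SYSTEM32\DRIVERS\mfwagsif.sys [2/14/2008 6:14 PM 22064]
S1 fdtnnfhu;fdtnnfhu;\??\c:\windows\system32\drivers\fdtnnfhu.sys --> c:\windows\system32\drivers\fdtnnfhu.sys [?]
"""

if __name__ == "__main__":
    for kind, name, score, reasons in triage(SAMPLE_LOG):
        print(f"{kind:7} {name:18} score={score}  {'; '.join(reasons)}")
```

Run on the sample, only the three entries the helper later asked to collect (buzakayo.dll.tmp, fonemike.dll, the fdtnnfhu driver) cross the threshold; the two legitimate eight-letter names score 1 and stay out.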


#7 extremeboy


  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 08 February 2010 - 08:12 PM

Hello again.

Run ComboFix with CFScript

We will run ComboFix again. This time it will be slightly different from the initial run.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    http://www.bleepingcomputer.com/forums/t/290857/browser-hijacked/

    Collect::
    c:\windows\system32\drivers\gworikpv.sys
    c:\windows\system32\drivers\daesnvxl.sys
    c:\windows\system32\drivers\zutjyopn.sys
    c:\windows\system32\drivers\ivbjnwns.sys
    c:\windows\system32\drivers\dfdmbrka.sys
    c:\windows\system32\drivers\thomfvvs.sys
    c:\windows\system32\drivers\ioqlmpnq.sys
    c:\windows\system32\drivers\xybndogg.sys
    c:\windows\system32\drivers\uxlqczjq.sys
    c:\windows\LOOP.exe
    c:\windows\SYSTEM32\buzakayo.dll.tmp
    c:\windows\SYSTEM32\fonemike.dll
    c:\windows\SYSTEM32\jayamuja.dll.tmp
    c:\windows\SYSTEM32\pabewisa.dll
    c:\windows\SYSTEM32\sidenohe.dll.tmp
    c:\windows\SYSTEM32\vamejinu.dll
    c:\windows\SYSTEM32\vedofumu.dll
    c:\windows\SYSTEM32\wulemake.dll
    c:\windows\SYSTEM32\yunukino.dll
    c:\windows\system32\drivers\fdtnnfhu.sys
    c:\windows\system32\drivers\fkjucnum.sys
    c:\windows\system32\drivers\zklqepep.sys
    c:\program files\skynet.dat
    Folder::
    C:\Your PC Protector
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd1b62ac-4f8c-4bb5-9a5a-ec11fbd084ad}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    Driver::
    fdtnnfhu
    fkjucnum
    zklqepep
  • Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"
  • Please post the contents of the Combofix log in your next reply.

Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue screen will appear, auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • If, for some reason, Combofix fails to upload anything, please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[4]-Submit_Date_Time.zip"
  • Simply go to This Channel and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Let me know how it goes and if the upload went successfully or not in your next reply.

---

Download and run Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#8 C2G

  • Topic Starter

  • Members
  • 10 posts

Posted 09 February 2010 - 11:38 PM

Combofix:

ComboFix 10-02-09.03 - Jyess 02/09/2010 22:17:06.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1714 [GMT -5:00]
Running from: c:\documents and settings\Jyess\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jyess\Desktop\CFScript.txt.txt

file zipped: c:\program files\skynet.dat
file zipped: c:\windows\LOOP.exe
file zipped: c:\windows\SYSTEM32\buzakayo.dll.tmp
file zipped: c:\windows\system32\drivers\daesnvxl.sys
file zipped: c:\windows\system32\drivers\dfdmbrka.sys
file zipped: c:\windows\system32\drivers\gworikpv.sys
file zipped: c:\windows\system32\drivers\ioqlmpnq.sys
file zipped: c:\windows\system32\drivers\ivbjnwns.sys
file zipped: c:\windows\system32\drivers\thomfvvs.sys
file zipped: c:\windows\system32\drivers\uxlqczjq.sys
file zipped: c:\windows\system32\drivers\xybndogg.sys
file zipped: c:\windows\system32\drivers\zutjyopn.sys
file zipped: c:\windows\SYSTEM32\fonemike.dll
file zipped: c:\windows\SYSTEM32\jayamuja.dll.tmp
file zipped: c:\windows\SYSTEM32\pabewisa.dll
file zipped: c:\windows\SYSTEM32\sidenohe.dll.tmp
file zipped: c:\windows\SYSTEM32\vamejinu.dll
file zipped: c:\windows\SYSTEM32\vedofumu.dll
file zipped: c:\windows\SYSTEM32\wulemake.dll
file zipped: c:\windows\SYSTEM32\yunukino.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Jyess\Desktop\Your PC Protector.lnk
c:\documents and settings\Jyess\Start Menu\Programs\Your PC Protector
c:\documents and settings\Jyess\Start Menu\Programs\Your PC Protector\Your PC Protector.lnk
c:\program files\adc32.dll
c:\program files\alggui.exe
c:\program files\nuar.old
c:\program files\skynet.dat
c:\program files\svchost.exe
c:\program files\wp3.dat
c:\program files\wp4.dat
c:\program files\Your PC Protector
c:\program files\Your PC Protector\Your PC Protector.exe
c:\windows\LOOP.exe
c:\windows\SYSTEM32\buzakayo.dll.tmp
c:\windows\system32\drivers\daesnvxl.sys
c:\windows\system32\drivers\dfdmbrka.sys
c:\windows\system32\drivers\gworikpv.sys
c:\windows\system32\drivers\ioqlmpnq.sys
c:\windows\system32\drivers\ivbjnwns.sys
c:\windows\system32\drivers\thomfvvs.sys
c:\windows\system32\drivers\uxlqczjq.sys
c:\windows\system32\drivers\xybndogg.sys
c:\windows\system32\drivers\zutjyopn.sys
c:\windows\SYSTEM32\fonemike.dll
c:\windows\SYSTEM32\jayamuja.dll.tmp
c:\windows\system32\msvcsv60.dll
c:\windows\SYSTEM32\pabewisa.dll
c:\windows\SYSTEM32\sidenohe.dll.tmp
c:\windows\SYSTEM32\vamejinu.dll
c:\windows\system32\vedofumu.dll
c:\windows\system32\wulemake.dll
c:\windows\system32\yunukino.dll
c:\windows\Tasks\dvqkgfrm.job
C:\Your PC Protector
c:\your pc protector\Your PC Protector.lnk

----- BITS: Possible infected sites -----

hxxp://aj+|Cv+@J:NGD_DQ{zcxLJS@~E#Nh`_:WU Client DownloadS-1-5-18`HT4?? 6VwoQZCDHM6VwoQZCDHMXu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ADBUPD
-------\Service_AdbUpd
-------\Service_fdtnnfhu
-------\Service_fkjucnum
-------\Service_zklqepep


((((((((((((((((((((((((( Files Created from 2010-01-10 to 2010-02-10 )))))))))))))))))))))))))))))))
.

2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- c:\documents and settings\Jyess\Application Data\Malwarebytes
2010-02-10 03:09 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 03:09 . 2010-02-10 03:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-10 03:09 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 01:36 . 2010-02-10 03:16 39936 ----a-w- c:\program files\lib32_D60D04.exe
2010-02-07 17:06 . 2010-02-10 02:38 -------- d-----w- c:\program files\schtml
2010-02-07 17:01 . 2010-02-10 01:35 1057288 ----a-w- c:\program files\wpp.exe
2010-01-28 05:39 . 2010-01-28 05:39 -------- d-----w- c:\documents and settings\Jyess\Application Data\Family Lawyer
2010-01-28 03:19 . 2010-02-10 03:08 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-01-28 03:10 . 2010-01-28 03:11 -------- d-----w- c:\program files\EULAlyzer
2010-01-28 01:51 . 2006-11-09 19:43 1966080 ----a-w- c:\windows\system32\cdintf251.dll
2010-01-28 01:51 . 2010-02-03 02:43 -------- d-----w- c:\program files\Business PlanMaker Professional
2010-01-28 01:48 . 2010-01-28 01:48 -------- d-sh--w- c:\documents and settings\Jyess\PrivacIE
2010-01-27 01:15 . 2010-01-14 16:12 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-27 01:10 . 2009-08-07 00:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-21 22:51 . 2010-01-21 22:51 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-01-21 18:43 . 2010-01-21 18:43 -------- d-----w- c:\program files\Recycle
2010-01-20 23:46 . 2010-01-20 23:46 -------- d-----w- c:\program files\ASIO4ALL v2
2010-01-20 23:45 . 2010-01-20 23:45 -------- d-----w- c:\program files\Outsim
2010-01-20 23:44 . 2010-01-20 23:46 -------- d-----w- c:\program files\Image-Line
2010-01-17 04:30 . 2010-01-17 04:30 -------- d-----w- c:\windows\Sun
2010-01-15 04:37 . 2010-01-15 04:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Azureus
2010-01-15 04:37 . 2010-01-26 22:57 -------- d-----w- c:\documents and settings\Jyess\Application Data\Azureus
2010-01-15 04:37 . 2010-01-15 04:37 -------- d-----w- c:\program files\Vuze
2010-01-15 04:35 . 2010-01-15 04:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-15 04:34 . 2010-01-15 04:34 152576 ----a-w- c:\documents and settings\Jyess\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2010-01-15 04:33 . 2010-01-15 04:33 79488 ----a-w- c:\documents and settings\Jyess\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2010-01-15 01:09 . 2010-02-10 02:54 32 ----a-w- c:\windows\msocreg32.dat
2010-01-15 00:16 . 2010-02-10 02:51 -------- d-----w- c:\program files\IK Multimedia
2010-01-15 00:13 . 2010-01-15 00:13 -------- d-----w- c:\documents and settings\Jyess\Application Data\InstallShield
2010-01-15 00:13 . 2010-01-15 00:13 -------- d-----w- c:\documents and settings\All Users\Application Data\IK Multimedia
2010-01-15 00:00 . 2010-01-21 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Propellerhead Software
2010-01-15 00:00 . 2010-01-21 18:41 -------- d-----w- c:\documents and settings\Jyess\Application Data\Propellerhead Software
2010-01-15 00:00 . 2010-01-15 00:00 233472 ------w- c:\windows\system32\REX Shared Library.dll
2010-01-14 23:58 . 2010-01-14 23:58 -------- d-----w- c:\program files\Propellerhead
2010-01-14 23:55 . 2010-01-14 23:55 -------- d-----w- c:\program files\Sonik Synth 2 Free
2010-01-14 22:26 . 2010-01-14 23:55 -------- d-----w- C:\VSTPlugIns
2010-01-14 22:26 . 2010-01-14 22:26 -------- d-----w- c:\program files\SampleTank 2 Free
2010-01-14 20:13 . 2010-01-14 20:13 -------- d-----w- c:\documents and settings\All Users\Application Data\mLAN Tools
2010-01-14 19:47 . 2010-01-14 19:47 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee Security Scan
2010-01-13 00:54 . 2006-10-27 00:56 33104 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\msonpppr.dll
2010-01-13 00:54 . 2006-10-27 00:56 32592 ----a-w- c:\windows\system32\msonpmon.dll
2010-01-13 00:53 . 2010-01-13 00:53 -------- d-----w- c:\program files\Microsoft Works
2010-01-13 00:53 . 2010-01-13 00:53 -------- d-----w- c:\program files\Microsoft.NET
2010-01-13 00:52 . 2010-01-13 00:52 -------- d-----w- c:\documents and settings\Jyess\Local Settings\Application Data\Microsoft Help
2010-01-13 00:52 . 2010-01-13 00:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-13 00:51 . 2010-01-13 00:51 -------- d-----r- C:\MSOCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-10 03:23 . 2005-06-22 23:59 384 ----a-w- c:\windows\system32\DVCStateBkp-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2010-02-10 03:23 . 2005-06-22 23:59 384 ----a-w- c:\windows\system32\DVCState-{00000004-00000000-00000002-00001102-00000004-20061102}.dat
2010-02-10 02:52 . 2005-06-22 23:58 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-01 18:59 . 1980-01-01 05:00 467200 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-21 03:59 . 2009-12-30 01:17 -------- d-----w- c:\program files\REAPER
2010-01-20 02:11 . 2009-12-28 01:04 93096 ----a-w- c:\documents and settings\Jyess\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-15 04:34 . 2005-06-22 23:57 -------- d-----w- c:\program files\Java
2010-01-14 20:12 . 2009-12-30 02:13 -------- d-----w- c:\program files\mLAN Tools
2010-01-10 05:15 . 2010-01-10 05:15 -------- d-----w- c:\documents and settings\Jyess\Application Data\Roxio
2010-01-07 20:39 . 2010-01-07 20:39 -------- d-----w- c:\program files\MySoftware
2010-01-07 04:28 . 2010-01-07 04:28 1025 ----a-w- c:\windows\system32\sysprs7.dll
2010-01-07 04:28 . 2010-01-07 04:28 1025 ----a-w- c:\windows\system32\clauth2.dll
2010-01-07 04:28 . 2010-01-07 04:28 1025 ----a-w- c:\windows\system32\clauth1.dll
2010-01-07 04:28 . 2010-01-07 04:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Minnetonka Audio Software
2010-01-06 05:50 . 2010-01-06 05:48 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-01-06 05:49 . 2010-01-06 05:49 -------- d-----w- c:\program files\Roxio
2010-01-06 05:49 . 2010-01-06 05:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-01-06 05:46 . 2010-01-06 05:43 -------- d-----w- c:\program files\Memorex exPressit Label Design Studio
2010-01-06 05:43 . 2010-01-06 05:43 -------- d-----w- c:\program files\Common Files\SureThing Shared
2010-01-06 05:38 . 2010-01-06 05:38 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2010-01-06 04:16 . 2009-12-30 02:16 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-06 04:14 . 2010-01-06 04:14 -------- d-----w- c:\program files\Common Files\Control Panels
2010-01-06 04:12 . 2010-01-06 04:12 -------- d-----w- c:\documents and settings\All Users\Application Data\ALM
2010-01-06 01:31 . 2010-01-06 01:31 -------- d-----w- c:\program files\Bonjour
2010-01-06 01:27 . 2010-01-06 01:27 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-12-30 23:44 . 2009-12-30 01:17 -------- d-----w- c:\documents and settings\Jyess\Application Data\REAPER
2009-12-30 03:51 . 2009-12-30 03:51 -------- d-----w- c:\documents and settings\Jyess\Application Data\Auslogics
2009-12-30 01:54 . 2009-12-30 01:54 -------- d-----w- c:\program files\Sony Setup
2009-12-30 01:29 . 2009-12-30 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\iZotope
2009-12-30 01:29 . 2009-12-30 01:29 -------- d-----w- c:\program files\Common Files\iZotope
2009-12-30 01:29 . 2009-12-30 01:29 -------- d-----w- c:\program files\iZotope
2009-12-30 01:25 . 2009-12-30 01:25 -------- d-----w- c:\documents and settings\Jyess\Application Data\Waves Audio
2009-12-30 01:25 . 2009-12-30 01:24 -------- d-----w- c:\program files\Waves
2009-12-30 01:25 . 2009-12-30 01:25 -------- d-----w- c:\program files\Common Files\Digidesign
2009-12-30 01:24 . 2009-12-30 01:24 -------- d-----w- c:\program files\Steinberg
2009-12-30 01:17 . 2009-12-30 01:17 -------- d-----w- c:\program files\Auslogics
2009-12-30 01:15 . 2009-12-30 01:15 -------- d-----w- c:\program files\CCleaner
2009-12-28 03:21 . 2009-12-28 03:21 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-28 02:42 . 2009-12-28 02:42 -------- d-----w- c:\program files\MSXML 4.0
2009-12-28 02:07 . 2009-12-28 02:07 -------- d-----w- c:\program files\HP
2009-12-28 01:53 . 2004-08-10 18:13 78011 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
2009-12-28 01:35 . 2009-12-28 01:35 -------- d-----w- c:\program files\Common Files\SWF Studio
2009-12-28 01:17 . 2009-12-28 01:17 -------- d-----w- c:\program files\MOTU
2009-12-28 01:03 . 2009-12-28 01:03 -------- d-----w- c:\program files\Microsoft Broadband Networking
2009-12-28 00:22 . 2005-06-23 00:08 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-12-28 00:22 . 2005-06-23 00:08 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-12-28 00:21 . 2005-06-23 00:08 -------- d-----w- c:\program files\Symantec
2009-12-24 05:02 . 2005-06-23 00:05 -------- d-----w- c:\program files\Common Files\AOL
2009-12-24 05:02 . 2005-06-23 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\SYSTEM32\hofonike.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-07_17.24.54 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}]
c:\program files\adc32.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lib32_D60D04.exe"="c:\program files\lib32_D60D04.exe" [2010-02-10 39936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"lib32_D60D04.exe"="c:\program files\lib32_D60D04.exe" [2010-02-10 39936]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=c:\windows\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^mLAN Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\mLAN Manager.lnk
backup=c:\windows\pss\mLAN Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MOTU Pedal Handler.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MOTU Pedal Handler.lnk
backup=c:\windows\pss\MOTU Pedal Handler.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2007-05-11 03:46 624248 ----a-w- c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
2004-08-25 17:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BuildBU]
2004-02-19 13:23 61440 ----a-w- c:\dell\BLDBUBG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
2003-06-18 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2004-03-11 14:50 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2003-09-17 15:43 57344 ----a-w- c:\program files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2005-01-27 06:02 86016 ----a-w- c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 21:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-07-27 21:50 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2004-09-14 13:50 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2004-09-14 13:50 131072 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QBReminderFlash]
2004-11-11 15:26 26112 ----a-w- c:\program files\Intuit\QuickBooks 2005\Atom\QBReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2005-06-23 00:06 98304 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2005-06-23 00:06 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2005-06-09 14:51 1695744 ----a-w- c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-15 04:34 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Mozilla Firefox\\crashreporter.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R3 mfwagsif;MOTU Audio GSIF;c:\windows\SYSTEM32\DRIVERS\mfwagsif.sys [2/14/2008 6:14 PM 22064]
R3 mfwamidi;MOTU Audio MIDI;c:\windows\SYSTEM32\DRIVERS\mfwamidi.sys [2/14/2008 6:14 PM 25648]
R3 mfwawave;MOTU Audio Wave;c:\windows\SYSTEM32\DRIVERS\mfwawave.sys [2/14/2008 6:13 PM 60976]
R3 mLanBus;Yamaha mLAN Bus Driver;c:\windows\SYSTEM32\DRIVERS\mLanBus.sys [4/25/2008 2:48 PM 93568]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\SYSTEM32\DRIVERS\motubus.sys [2/14/2008 6:14 PM 23600]
R3 MotuFWA;MotuFWA;c:\windows\SYSTEM32\DRIVERS\motufwa.sys [2/14/2008 6:13 PM 378416]
S3 mLanMIDI;Yamaha mLAN MIDI Driver;c:\windows\SYSTEM32\DRIVERS\mLanMIDI.sys [4/25/2008 2:48 PM 12800]
S3 mLanPDev;YAMAHA mLAN Physical Driver;c:\windows\SYSTEM32\DRIVERS\mLanPDev.sys [10/4/2006 10:10 AM 20992]
S3 mLanStrm;Yamaha mLAN Audio Driver;c:\windows\SYSTEM32\DRIVERS\mLanStrm.sys [4/25/2008 2:48 PM 25472]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Jyess\Application Data\Mozilla\Firefox\Profiles\9w9kz2b1.default\
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-09 22:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:27,cc,af,c2,4a,c5,0d,d8,95,87,4f,b5,26,3f,e5,34,fd,7d,70,e8,c8,
e3,a5,87,0f,c8,ed,90,3e,57,23,5e,96,a4,81,33,2d,b8,00,eb,4b,86,13,68,8a,99,\

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:27,cc,af,c2,4a,c5,0d,d8,95,87,4f,b5,26,3f,e5,34,fd,7d,70,e8,c8,
e3,a5,87,0f,c8,ed,90,3e,57,23,5e,96,a4,81,33,2d,b8,00,eb,4b,86,13,68,8a,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1880)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\CTsvcCDA.EXE
c:\program files\Intel\Intel Application Accelerator\iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\msiexec.exe
c:\windows\system32\MsiExec.exe
.
**************************************************************************
.
Completion time: 2010-02-09 22:32:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-10 03:32
ComboFix2.txt 2010-02-07 17:30

Pre-Run: 203,740,012,544 bytes free
Post-Run: 202,922,131,456 bytes free

- - End Of File - - 21F4C0F070836930CA0AD001BF483E85


MBAM:

Malwarebytes' Anti-Malware 1.44
Database version: 3718
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/9/2010 11:34:55 PM
mbam-log-2010-02-09 (23-34-55).txt

Scan type: Full Scan (C:\|G:\|Z:\|)
Objects scanned: 345752
Time elapsed: 47 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 50

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0baa-3235-4ba9-8be8-aa9eb678fa02} (Rogue.ASCAntispyware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{df058c45-cd18-453e-8745-5a77f60722ab} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a33c35-7298-4d15-8753-a2e851e2eab3} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f0d2b812-752d-4af1-a2fb-968c4d8446db} (Adware.Gdown) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e856b973-45fd-4559-8f82-eab539144667} (Adware.Gdown) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\schtml (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images (Rogue.YourPCProtector) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\hofonike.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Program Files\wpp.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Recycle\UNWISE.EXE (Malware.Packer.Morphine) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\adc32.dll.vir (Rogue.ASCAntiSpyware) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Your PC Protector\Your PC Protector.exe.vir (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000021.dll (Rogue.ASCAntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000025.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000131.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000138.dll (Rogue.ASCAntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000147.dll (Rogue.ASCAntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000194.dll (Rogue.ASCAntiSpyware) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000302.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx (Adware.Gdown) -> Quarantined and deleted successfully.
G:\2009 backup\Azureus Downloads\Sony Vegas 7 + DVD Architect 4\DVD Architect 4.0.125\Sony DVD Architect v4.0 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
G:\2009 backup\Azureus Downloads\Sony Vegas 7 + DVD Architect 4\Vegas 7.0a\Sony Vegas v7.0a Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
Z:\TEMP\win10.tmp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
Z:\TEMP\win11.tmp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
Z:\TEMP\win12.tmp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
Z:\TEMP\winE.tmp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
Z:\TEMP\winF.tmp (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
C:\Program Files\schtml\dbsinit.exe (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\wispex.html (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\i3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\j3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\jj3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\l3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\pix.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\t1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\t2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\Thumbs.db (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\up1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\up2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w11.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\w3.jpg (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\word.doc (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt1.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt2.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Program Files\schtml\images\wt3.gif (Rogue.YourPCProtector) -> Quarantined and deleted successfully.
C:\Your PC Protector.lnk (Rogue.PcProtector) -> Quarantined and deleted successfully.
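The ComboFix "Reg Loading Points" section above is where the persistence in this thread shows up: a BHO pointing at adc32.dll in the root of Program Files, and lib32_D60D04.exe registered under both the HKCU and the HKEY_USERS\.DEFAULT Run keys. The following is an added example, not ComboFix, Malwarebytes or the poster's own code, that parses that section and applies a few triage heuristics. The sample text is copied from the log above; the flagging rules (loose binary in the root of Program Files, hex-suffixed file name, .DEFAULT-profile autostart, same binary under several hives, and the [BU] tag, whose meaning the thread does not state) are the example author's own assumptions, not a vendor verdict.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread, not part of ComboFix, MBAM or the poster's
logs. The sample text is copied from the ComboFix output above; every
flagging rule below is the example author's own heuristic, not a ComboFix
or Malwarebytes verdict.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the autostart entries from the log in this thread.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77DC0Baa-3235-4ba9-8BE8-aa9EB678FA02}]
c:\program files\adc32.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lib32_D60D04.exe"="c:\program files\lib32_D60D04.exe" [2010-02-10 39936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-03-23 135168]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"lib32_D60D04.exe"="c:\program files\lib32_D60D04.exe" [2010-02-10 39936]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
# "name"="path" [timestamp size]   (Run-key style)
QUOTED_RE = re.compile(r'^"([^"]*)"="([^"]*)"(?:\s+\[([^\]]*)\])?\s*$')
# path [timestamp size | BU]       (BHO style, no value name)
BARE_RE = re.compile(r'^(.+?)(?:\s+\[([^\]]*)\])?\s*$')
# file name ending in _<six or more hex digits>.exe/.dll, e.g. lib32_d60d04.exe
HEX_SUFFIX_RE = re.compile(r'_[0-9a-f]{6,}\.(?:exe|dll)$')


@dataclass(frozen=True)
class Entry:
    key: str    # registry key the entry lives under
    name: str   # value name, '' for bare BHO-style lines
    path: str   # file path, lower-cased for comparison
    meta: str   # bracket text: 'YYYY-MM-DD size', 'BU', or ''


def parse_loading_points(text):
    """Parse ComboFix 'Reg Loading Points' text into Entry records."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == 'REGEDIT4' or line.startswith('*Note*'):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:           # value line before any key header: ignore
            continue
        m = QUOTED_RE.match(line)
        if m:
            name, path, meta = m.group(1), m.group(2), m.group(3) or ''
        else:
            m = BARE_RE.match(line)
            name, path, meta = '', m.group(1), m.group(2) or ''
        entries.append(Entry(key, name, path.lower(), meta))
    return entries


def triage(entries):
    """Return {path: sorted reasons} for entries that trip any heuristic."""
    hives_per_path = defaultdict(set)
    for e in entries:
        hives_per_path[e.path].add(e.key)
    findings = defaultdict(set)
    for e in entries:
        folder, _, base = e.path.rpartition('\\')
        # ComboFix printed [BU] instead of a timestamp and size; the thread
        # does not say what the tag means, so treat 'no file facts' as a flag.
        if e.meta.upper() == 'BU':
            findings[e.path].add('no timestamp/size recorded ([BU])')
        # Installers create a vendor folder; a loose binary in the root of
        # Program Files is unusual (heuristic, assumption of this example).
        if folder == r'c:\program files':
            findings[e.path].add('file sits directly in c:\\program files')
        if HEX_SUFFIX_RE.search(base):
            findings[e.path].add('random hex suffix in file name')
        # .DEFAULT is not a real user's profile; software rarely writes there.
        if e.key.upper().startswith('HKEY_USERS\\.DEFAULT\\'):
            findings[e.path].add('autostart under the .DEFAULT profile')
        # Same binary registered under several Run keys (HKCU + .DEFAULT here).
        if '\\run' in e.key.lower() and len(hives_per_path[e.path]) > 1:
            findings[e.path].add('same binary registered under multiple hives')
    return {p: sorted(r) for p, r in findings.items()}


if __name__ == '__main__':
    for path, reasons in triage(parse_loading_points(SAMPLE)).items():
        print(path)
        for r in reasons:
            print('   -', r)
```

Run against the sample, only adc32.dll and lib32_D60D04.exe are flagged; the Intel and DLA entries, which live in vendor folders under a single hive, pass clean. The heuristics are deliberately cheap and produce leads, not verdicts: anything flagged still needs the file hashed and checked, which is what the MBAM run in this post did.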


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:20 AM

Posted 10 February 2010 - 04:06 PM

Hello.

Let's get an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. (Please note: Kaspersky requires that the Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.)

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#10 C2G

C2G
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 18 February 2010 - 09:32 PM

DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Jyess at 21:29:31.90 on Thu 02/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1509 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Documents and Settings\Jyess\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dell4me.com/mywaybiz
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
Trusted Zone: is-software-download.com
Trusted Zone: is-software-download25.com
Trusted Zone: is10-soft-download.com
Trusted Zone: buy-internetsecurity10.com
Trusted Zone: buy-is2010.com
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1261963484796
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1261969982921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jyess\applic~1\mozilla\firefox\profiles\9w9kz2b1.default\
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R3 mfwagsif;MOTU Audio GSIF;c:\windows\system32\drivers\mfwagsif.sys [2008-2-14 22064]
R3 mfwamidi;MOTU Audio MIDI;c:\windows\system32\drivers\mfwamidi.sys [2008-2-14 25648]
R3 mfwawave;MOTU Audio Wave;c:\windows\system32\drivers\mfwawave.sys [2008-2-14 60976]
R3 mLanBus;Yamaha mLAN Bus Driver;c:\windows\system32\drivers\mLanBus.sys [2008-4-25 93568]
R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\motubus.sys [2008-2-14 23600]
R3 MotuFWA;MotuFWA;c:\windows\system32\drivers\motufwa.sys [2008-2-14 378416]
S3 mLanMIDI;Yamaha mLAN MIDI Driver;c:\windows\system32\drivers\mLanMIDI.sys [2008-4-25 12800]
S3 mLanPDev;YAMAHA mLAN Physical Driver;c:\windows\system32\drivers\mLanPDev.sys [2006-10-4 20992]
S3 mLanStrm;Yamaha mLAN Audio Driver;c:\windows\system32\drivers\mLanStrm.sys [2008-4-25 25472]

=============== Created Last 30 ================

2010-02-10 16:48:15 32 ----a-w- c:\windows\system32\msvcsv60.dll
2010-02-10 03:35:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-10 03:35:04 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-10 03:35:04 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-10 03:35:04 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-10 03:09:18 0 d-----w- c:\docume~1\jyess\applic~1\Malwarebytes
2010-02-07 17:18:05 0 d-sha-r- C:\cmdcons
2010-02-07 17:16:06 98816 ----a-w- c:\windows\sed.exe
2010-02-07 17:16:06 77312 ----a-w- c:\windows\MBR.exe
2010-02-07 17:16:06 261632 ----a-w- c:\windows\PEV.exe
2010-02-07 17:16:06 161792 ----a-w- c:\windows\SWREG.exe
2010-01-28 05:44:18 25 ----a-w- c:\windows\IV3.INI
2010-01-28 05:39:23 0 d-----w- c:\docume~1\jyess\applic~1\Family Lawyer
2010-01-28 03:11:15 115920 ----a-w- c:\windows\system32\MSINET.OCX
2010-01-28 03:10:51 0 d-----w- c:\program files\EULAlyzer
2010-01-28 01:51:48 1966080 ----a-w- c:\windows\system32\cdintf251.dll
2010-01-28 01:51:18 0 d-----w- c:\program files\Business PlanMaker Professional
2010-01-28 01:48:36 0 d-sh--w- c:\documents and settings\jyess\PrivacIE
2010-01-27 01:15:02 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-27 01:10:09 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-27 01:10:09 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-26 04:39:38 54156 ---ha-w- c:\windows\QTFont.qfn
2010-01-26 04:39:38 1409 ----a-w- c:\windows\QTFont.for
2010-01-21 18:43:00 0 d-----w- c:\program files\Recycle
2010-01-20 23:46:55 0 d-----w- c:\program files\ASIO4ALL v2
2010-01-20 23:46:04 1554944 ----a-w- c:\windows\system32\vorbis.acm
2010-01-20 23:45:53 0 d-----w- c:\program files\Outsim
2010-01-20 23:44:12 0 d-----w- c:\program files\Image-Line

==================== Find3M ====================

2010-02-01 18:59:35 467200 ----a-w- c:\windows\system32\drivers\iaStor.sys
2010-01-15 04:34:54 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-01-15 00:00:34 233472 ------w- c:\windows\system32\REX Shared Library.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-08 09:23:28 474112 ------w- c:\windows\system32\dllcache\shlwapi.dll
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ------w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2009-11-21 15:51:04 471552 ------w- c:\windows\system32\dllcache\aclayers.dll

============= FINISH: 21:30:00.29 ===============


KASPERSKY:

Thursday, February 18, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, February 18, 2010 22:52:53
Records in database: 3555787
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
A:\
C:\
E:\
F:\
G:\
Z:\
Scan statistics
Objects scanned 239805
Threats found 11
Infected objects found 23
Suspicious objects found 0
Scan duration 03:18:46

File name Threat Threats count
C:\Qoobox\Quarantine\C\Program Files\alggui.exe.vir Infected: Trojan.Win32.FraudPack.akzc 1
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir Infected: Trojan.Win32.FraudPack.akyf 1
C:\Qoobox\Quarantine\C\Program Files\svchost.exe.vir Infected: Trojan.Win32.FraudPack.akzi 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\helper32.dll.vir Infected: Packed.Win32.Krap.an 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kidoyera.dll.vir Infected: Trojan.Win32.Monder.cyle 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Infected: Packed.Win32.Krap.an 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Infected: Packed.Win32.Krap.an 1
C:\Qoobox\Quarantine\[4]-Submit_2010-02-09_22.16.47.zip Infected: Packed.Win32.TDSS.aa 3
C:\Qoobox\Quarantine\[4]-Submit_2010-02-09_22.16.47.zip Infected: Packed.Win32.Tdss.c 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000022.exe Infected: Trojan.Win32.FraudPack.akyo 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000024.exe Infected: Trojan.Win32.Agent2.cnqa 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000028.dll Infected: Trojan.Win32.Monder.cyle 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000139.exe Infected: Trojan.Win32.FraudPack.akzc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000140.exe Infected: Trojan.Win32.Agent2.cnrn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000148.exe Infected: Trojan.Win32.FraudPack.akzc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000149.exe Infected: Trojan.Win32.Agent2.cnrn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000195.exe Infected: Trojan.Win32.Agent2.cnrn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000198.exe Infected: Trojan.Win32.FraudPack.akzc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000301.exe Infected: Trojan.Win32.FraudPack.akzi 1
G:\computer backup\Azureus Downloads\Registry Mechanic 7.0 (Working Crack)\Install.exe Infected: Trojan.Win32.Buzus.rsf 1
G:\computer backup\my documents\Azureus Downloads\Registry Mechanic 7.0 (Working Crack)\Install.exe Infected: Trojan.Win32.Buzus.rsf 1
Selected area has been scanned.



My computer is running better than before. I can tell that the main issue is gone, but it seems that these programs keep on finding little things in the background and I'm sure that won't help me out. My browser is no longer getting hijacked and it seems as if the Vundo trojan is gone. Thank you for your help so far!

#11 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:20 AM

Posted 19 February 2010 - 05:18 PM

Hello.

That's good. Most of what Kaspersky detected were ComboFix quarantined items and infected System Restore points, which we will deal with shortly by uninstalling ComboFix.

Delete these files:
G:\computer backup\Azureus Downloads\Registry Mechanic 7.0 (Working Crack)\Install.exe
G:\computer backup\my documents\Azureus Downloads\Registry Mechanic 7.0 (Working Crack)\Install.exe

Even better if you can delete the whole Registry Mechanic 7.0 (Working Crack) folder. I hope that you're not using any cracks/keygen files. Why? You should know that use of these is considered illegal activity, as it bypasses copyright laws. Some of the worst types of malware infections can be contracted and spread by visiting crack, keygen, warez and other pirated software sites. In many cases, these sites are infested with a smörgåsbord of malware. Those who attempt to get software for free can end up with a computer system so badly damaged that recovery is not possible and it cannot be repaired. When that happens there is nothing you can do besides reformatting and reinstalling Windows. Merely visiting such sites without downloading ANYTHING is one of the worst things a user can do online. They are illegal. Cracked software is notorious for carrying malware/infections. How do you think these people make their money... Antivirus programs cannot protect you against what you are deliberately running. If you have or are using a CRACKED version of ANY security program you are basically infecting yourself by installing that software, as it's not going to protect you.

--
Let's get an anti-virus program installed now.

Install Antivirus

An anti-virus is essential in keeping your computer safe while surfing the Internet. Please install a (ONE) free anti-virus program from one of the links below:
Update it after the installation is complete, please.


Please follow/read the steps below to remove the tools we used and for some more information.


Uninstall ComboFix

Remove ComboFix now that we're done with it.
  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the run box and click OK. (Notice the space between the "x" and "/")
  • Please follow the prompts to uninstall ComboFix.
  • You will then receive a message saying ComboFix was uninstalled successfully once it's done uninstalling itself.
This will uninstall ComboFix and anything associated with it.

Download and Run OTC

We will now remove the tools we used during this fix using OTC.
  • Download OTC by OldTimer and save it to your desktop.
  • Double-click the icon to start the program. If you are using Vista, please right-click and choose Run as administrator.
  • Then click the big button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

System a bit slow? Try StartupLite

You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.

If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.


Congratulations! You now appear clean!

Now that you are clean, please follow and read some of the prevention tips below.

Preventing Infections in the Future


Please also have a look at the following links, giving some advice and tips to protect yourself against malware and reduce the potential for re-infection:

Some of the main things you should consider performing/reading are:
  • Disabling Autorun/Autoplay on flash drives/removable drives
  • Avoid gaming sites, underground web pages, pirated software sites, and peer-to-peer programs
  • Keep Windows updated by going to Windows Update
  • Updating non-Microsoft programs
  • Keeping security software updated

It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

Update all programs regularly - Make sure you update all the programs you have installed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help and thank you for choosing Bleeping Computer as your malware removal source.
Don't forget to tell your friends about us, and good luck!


If you have no more questions, comments or problems please tell us, so we can close off the topic.

Thanks

With Regards,
Extremeboy

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
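The reply above makes a triage point worth automating: a scanner run after a ComboFix clean-up will re-detect everything sitting in C:\Qoobox\Quarantine and in the System Volume Information\_restore{...} snapshots, and none of that is a live infection. The script below is an added example written for this thread, not a BleepingComputer, ComboFix or Kaspersky tool. It parses the "File name Threat Threats count" lines of a Kaspersky Online Scanner report, buckets each detection by location, and reports only the live files as needing manual action. The sample input is copied from the report C2G posted earlier in this thread; the bucket names, the regular expressions and the function names are my own choices.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example for this thread (not a Kaspersky or BleepingComputer tool).
Buckets follow extremeboy's reply: ComboFix quarantine (C:\\Qoobox, removed
by "Combofix /Uninstall"), System Restore snapshots (flushed when restore
points are cleared) and live files, the only ones the user must delete.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Sample lines copied from the scan report posted earlier in this thread.
SAMPLE_REPORT = r"""
File name Threat Threats count
C:\Qoobox\Quarantine\C\Program Files\alggui.exe.vir Infected: Trojan.Win32.FraudPack.akzc 1
C:\Qoobox\Quarantine\C\Program Files\InternetSecurity2010\IS2010.exe.vir Infected: Trojan.Win32.FraudPack.akyf 1
C:\Qoobox\Quarantine\C\Program Files\svchost.exe.vir Infected: Trojan.Win32.FraudPack.akzi 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\helper32.dll.vir Infected: Packed.Win32.Krap.an 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kidoyera.dll.vir Infected: Trojan.Win32.Monder.cyle 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\smss32.exe.vir Infected: Packed.Win32.Krap.an 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon32.exe.vir Infected: Packed.Win32.Krap.an 1
C:\Qoobox\Quarantine\[4]-Submit_2010-02-09_22.16.47.zip Infected: Packed.Win32.TDSS.aa 3
C:\Qoobox\Quarantine\[4]-Submit_2010-02-09_22.16.47.zip Infected: Packed.Win32.Tdss.c 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000022.exe Infected: Trojan.Win32.FraudPack.akyo 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000024.exe Infected: Trojan.Win32.Agent2.cnqa 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1\A0000028.dll Infected: Trojan.Win32.Monder.cyle 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000139.exe Infected: Trojan.Win32.FraudPack.akzc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP2\A0000140.exe Infected: Trojan.Win32.Agent2.cnrn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000148.exe Infected: Trojan.Win32.FraudPack.akzc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000149.exe Infected: Trojan.Win32.Agent2.cnrn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000195.exe Infected: Trojan.Win32.Agent2.cnrn 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000198.exe Infected: Trojan.Win32.FraudPack.akzc 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP3\A0000301.exe Infected: Trojan.Win32.FraudPack.akzi 1
G:\computer backup\Azureus Downloads\Registry Mechanic 7.0 (Working Crack)\Install.exe Infected: Trojan.Win32.Buzus.rsf 1
G:\computer backup\my documents\Azureus Downloads\Registry Mechanic 7.0 (Working Crack)\Install.exe Infected: Trojan.Win32.Buzus.rsf 1
Selected area has been scanned.
"""

# One detection line: path (may contain spaces), verdict, threat name, object count.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)
# ComboFix quarantine folder; contents are renamed *.vir and removed on uninstall.
QUARANTINE_RE = re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\", re.IGNORECASE)
# System Restore snapshot store; copies here are dormant until a restore is run.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\", re.IGNORECASE
)


class Detection(NamedTuple):
    path: str
    verdict: str
    threat: str
    count: int
    bucket: str


def classify_path(path: str) -> str:
    """Assign a path to one of the three buckets (bucket names are mine)."""
    if QUARANTINE_RE.search(path):
        return "combofix_quarantine"
    if RESTORE_RE.search(path):
        return "system_restore_point"
    return "live_file"


def parse_report(text: str) -> List[Detection]:
    """Extract detection lines; header, statistics and footer lines are skipped."""
    found: List[Detection] = []
    for raw in text.splitlines():
        m = DETECTION_RE.match(raw.strip())
        if not m:
            continue
        found.append(
            Detection(m["path"], m["verdict"], m["threat"], int(m["count"]),
                      classify_path(m["path"]))
        )
    return found


def summarize(detections: List[Detection]) -> Dict[str, object]:
    """Object counts per bucket plus the live paths that need a manual delete."""
    objects: Counter = Counter()
    for d in detections:
        objects[d.bucket] += d.count  # archives can hold several objects
    return {
        "objects": dict(objects),
        "total_objects": sum(objects.values()),
        "distinct_threats": len({d.threat for d in detections}),
        "action_required": sorted({d.path for d in detections if d.bucket == "live_file"}),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(summary["objects"])
    for path in summary["action_required"]:
        print("DELETE:", path)
```

On the report in this thread, the totals the script derives (23 infected objects across 11 distinct threat names) match the scanner's own "Scan statistics" header, and the only two paths left in the action bucket are the two cracked-installer copies on G:\ that extremeboy asked to have deleted. Anything that falls outside the quarantine and restore-point patterns should be treated as a live file and investigated, even when it carries a familiar name such as svchost.exe.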

#12 C2G

C2G
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:20 AM

Posted 25 February 2010 - 03:18 PM

Extremeboy,

Thanks so much. Yeah, when I was younger I toyed around with P2P stuff and that was why those files were in a backup folder. I forgot I even had them and I deleted them. I am running the cleanup right now so I have to go, but I really do appreciate your help and I'll spread the word.

Thanks Again,
C2G

#13 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:20 AM

Posted 26 February 2010 - 05:27 PM

No problem. I'm glad I could help out.

Take care and happy surfing again!

#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:09:20 AM

Posted 06 March 2010 - 03:06 PM

Hello.

Since the problem appears to be resolved, this topic is now Closed. Glad we could help.
If you need this topic reopened, please Send Me a Message. In your message please include the address of this thread in your request.

This applies only to the original topic starter

Everyone else please start a new topic.

With Regards,
Extremeboy