
Infected with Antimalware Doctor


  • This topic is locked
13 replies to this topic

#1 candrews

  • Members
  • 6 posts

Posted 02 June 2010 - 06:01 PM

A few days ago, my computer was infected with Antimalware Doctor and I followed the following instructions in an attempt to get rid of it.

http://www.bleepingcomputer.com/virus-remo...imalware-doctor

Malwarebytes was never able to completely delete all infected objects and every time my computer rebooted, Antimalware Doctor would seemingly repair itself and return. After a few days of this, Antimalware Doctor suddenly disappeared. I am still having problems with my computer, however, and Malwarebytes still detects infected objects but says that it is unable to delete them. My computer rebooting seems to be the key, as each time I do so, the infected objects seem to come back.

I will include the DDS log below. I tried to create a GMER log as well, but my computer crashes every time I attempt to have it scan my computer. Any help would be greatly appreciated.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Owner at 17:33:11.45 on Wed 06/02/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1611 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Documents and Settings\Owner\Application Data\c2e83541.exe
svchost.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Hqr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\system.exe
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\galki.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
"C:\WINDOWS\System32\svchost.exe"
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: c:\windows\system32\yqiqgr.dll: {c7ba40a1-74f2-52bd-f411-04b15a2c8953} - c:\windows\system32\yqiqgr.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [M5T8QL3YW3] c:\docume~1\owner\locals~1\temp\Hqr.exe
uRun: [hsfg9w8gujsokgahi8gysgnsdgefshyjy] c:\docume~1\owner\locals~1\temp\system.exe
uRun: [mcexecwin] rundll32.exe c:\docume~1\owner\locals~1\temp\x8jtxf.dll, RestoreWindows
uRun: [hsfe8owijfisjhgs7ye39gjsoighsd7y3eu] c:\docume~1\owner\locals~1\temp\galki.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [remotecontrol] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [sunjavaupdatesched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [remotecontrol8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [adobe arm] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [adobe reader speed launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [tkbellexe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [languageshortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [pdvd8languageshortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [skb] rundll32 "ayqefofl.dll",,Run
mRun: [MChk] c:\windows\system32\xvlbyfqx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.0/srl_bin/sysreqlab3.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
TCP: NameServer = 93.188.163.12,93.188.161.172
TCP: {444A0126-DA73-42EC-B9BB-8DA6BF9CC1D6} = 93.188.163.12,93.188.161.172
TCP: {64C58BA0-24BD-4CD8-B384-85BB14A254CD} = 93.188.163.12,93.188.161.172
TCP: {B95A887A-50E2-4B9C-AEED-9322DE9F4C3B} = 93.188.163.12,93.188.161.172
Notify: 440555d7922 - c:\windows\system32\dot3ui32.dll
STS: c:\windows\system32\yqiqgr.dll: {c7ba40a1-74f2-52bd-f411-04b15a2c8953} - c:\windows\system32\yqiqgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\gutbyjv5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\cyberlink\powerdvd8\000.fcl [2008-5-15 61424]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-4-13 303952]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [2008-11-26 781824]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [2010-4-21 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-4-13 20824]
S0 efkvc;efkvc;c:\windows\system32\drivers\yknpd.sys --> c:\windows\system32\drivers\yknpd.sys [?]
S0 fdmlivd;fdmlivd;c:\windows\system32\drivers\ooquevy.sys --> c:\windows\system32\drivers\ooquevy.sys [?]
S0 jkxtqrip;jkxtqrip; [x]
S0 jqrv;jqrv;c:\windows\system32\drivers\mijyoi.sys --> c:\windows\system32\drivers\mijyoi.sys [?]
S0 nhilipti;nhilipti;c:\windows\system32\drivers\dyguh.sys --> c:\windows\system32\drivers\dyguh.sys [?]
S0 rgyx;rgyx;c:\windows\system32\drivers\jsoo.sys --> c:\windows\system32\drivers\jsoo.sys [?]
S0 yvwsftuk;yvwsftuk;c:\windows\system32\drivers\wnsruoyp.sys --> c:\windows\system32\drivers\wnsruoyp.sys [?]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [2007-11-8 10880]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe --> c:\program files\symantec\symantec endpoint protection\smclu\setup\smcinst.exe [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [2009-8-2 18432]

=============== Created Last 30 ================

2010-06-01 21:14:35 156 ----a-w- c:\documents and settings\owner\defogger_reenable
2010-06-01 02:17:42 0 d-----w- c:\program files\Trend Micro
2010-05-31 19:10:19 54016 ----a-w- c:\windows\system32\drivers\yxfuekbe.sys
2010-05-31 09:05:42 50981 ----a-w- c:\windows\system32\odbtwsmamk.exe
2010-05-31 09:05:22 823808 ----a-w- c:\windows\system32\drivers\goequzx.sys
2010-05-31 09:04:52 182272 ----a-w- c:\windows\system32\dot3ui32.dll
2010-05-31 09:04:07 0 d-----w- c:\docume~1\alluse~1\applic~1\Update
2010-05-31 09:04:06 30000 ----a-w- c:\windows\system32\yqiqgr.dll
2010-05-31 09:03:46 123904 ----a-w- c:\windows\Hkicia.exe
2010-05-31 09:03:32 66560 ----a-w- c:\windows\system32\ernel32.dll
2010-05-31 09:03:22 66560 ----a-w- c:\docume~1\owner\applic~1\c2e83541.exe
2010-05-31 09:03:08 0 d-----w- c:\docume~1\owner\applic~1\A41E6C9F0F430458A3B3ADBDEB455A9F
2010-05-25 05:38:04 309248 ----a-w- c:\windows\system32\jqgixdho.dll
2010-05-24 16:31:20 40633 ----a-w- c:\windows\system32\xvlbyfqx.exe
2010-05-23 23:59:07 0 d-----w- c:\program files\mIRC
2010-05-23 23:59:07 0 d-----w- c:\docume~1\owner\applic~1\mIRC
2010-05-18 20:54:06 0 d-----w- c:\program files\MP3Gain

==================== Find3M ====================

2010-04-06 18:55:23 0 ---ha-w- c:\docume~1\owner\applic~1\.7138826AABB8C36B.sys
2010-04-06 18:14:37 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-25 01:28:48 886272 ----a-w- c:\docume~1\owner\applic~1\System.Data.SQLite.DLL
2010-03-24 23:50:27 10485760 ----a-w- c:\docume~1\owner\applic~1\nvdisp .exe
2010-03-12 23:02:38 261632 ----a-w- c:\windows\PEV.exe
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 17:34:47.25 ===============
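The DDS report above carries several of the indicators a responder looks for first: autorun entries launched from the user's Temp directory, a browser proxy pointed at 127.0.0.1, DNS servers rewritten to public addresses, and policies that disable the Registry Editor and Folder Options. The script below is an added example written for this thread, not a tool from the page, from DDS or from BleepingComputer. It scans the "Pseudo HJT Report" section of a DDS log and flags those lines for manual review; every rule in it is a heuristic chosen by the editor, and the sample input is an excerpt of the log posted above.

```python
"""Triage heuristics for the "Pseudo HJT Report" section of a DDS log.

Added for this thread as an illustration; it is not a tool from the page,
from DDS or from BleepingComputer. Every rule below is a heuristic chosen
by the editor: each hit is something to verify by hand, not a verdict.
"""
import ipaddress
import re
from collections import Counter

# Constructed excerpt of the DDS report posted above (lines taken from the thread).
SAMPLE_LOG = r"""
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
BHO: c:\windows\system32\yqiqgr.dll: {c7ba40a1-74f2-52bd-f411-04b15a2c8953} - c:\windows\system32\yqiqgr.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [M5T8QL3YW3] c:\docume~1\owner\locals~1\temp\Hqr.exe
uRun: [mcexecwin] rundll32.exe c:\docume~1\owner\locals~1\temp\x8jtxf.dll, RestoreWindows
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [skb] rundll32 "ayqefofl.dll",,Run
uPolicies-system: DisableRegistryTools = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
TCP: NameServer = 93.188.163.12,93.188.161.172
"""

# DDS prefixes autorun/policy lines with u (user), m (machine) or d (default user).
RUN_RE = re.compile(r"^[umd]Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$", re.I)
POLICY_RE = re.compile(r"^[umd]Policies-\w+:\s*(?P<name>\w+)\s*=\s*(?P<val>\d+)", re.I)
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<proxy>\S+)", re.I)
NS_RE = re.compile(r"^TCP:\s*NameServer\s*=\s*(?P<ips>[\d.,]+)", re.I)
BHO_RE = re.compile(r"^(?:BHO|STS):\s*(?P<label>.*?):\s*\{[0-9a-f-]{36}\}\s*-\s*(?P<path>.+)$", re.I)
# Directories a limited user can write to; legitimate autoruns rarely live there.
USER_WRITABLE_RE = re.compile(r"\\(?:temp|locals~1|applic~1|application data|local settings)\\", re.I)
# Value names that look machine-generated: 8+ alphanumerics including a digit.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$", re.I)
# rundll32 given a bare DLL name (no path), which is resolved via the DLL search order.
RUNDLL_BARE_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^\\",\s]+\.(?:dll|cpl))"?', re.I)
# (policy name, value) pairs that lock the user out of recovery tools or disable UAC.
LOCKDOWN = {("disableregistrytools", "1"), ("nofolderoptions", "1"),
            ("disabletaskmgr", "1"), ("enablelua", "0")}


def _is_public(ip_text):
    """True for a routable address; False for private/loopback/link-local or junk."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def _check_autorun(line, name, cmd):
    out = []
    if USER_WRITABLE_RE.search(cmd):
        out.append(("high", line, "autorun launches from a user-writable temp/profile directory"))
    if RANDOM_NAME_RE.match(name):
        out.append(("medium", line, "autorun value name looks machine-generated"))
    m = RUNDLL_BARE_RE.match(cmd)
    if m:
        out.append(("medium", line, f"rundll32 loads {m.group('dll')} by bare name; "
                                    "confirm which file on the search path actually loads"))
    return out


def triage(log_text):
    """Return (severity, line, reason) tuples for lines a responder should check first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            findings.extend(_check_autorun(line, m.group("name"), m.group("cmd")))
            continue
        m = PROXY_RE.search(line)
        if m and re.search(r"127\.0\.0\.1|localhost", m.group("proxy"), re.I):
            findings.append(("high", line, "browser traffic is routed through a local proxy on this host; "
                                           "nothing should listen there unless the user installed one"))
            continue
        m = POLICY_RE.match(line)
        if m and (m.group("name").lower(), m.group("val")) in LOCKDOWN:
            findings.append(("medium", line, f"policy {m.group('name')} locks the user out of a recovery tool or disables UAC"))
            continue
        m = NS_RE.match(line)
        if m:
            public = [ip for ip in m.group("ips").split(",") if _is_public(ip)]
            if public:
                findings.append(("medium", line, f"DNS set to public resolvers {public}; "
                                                 "verify they belong to the ISP or a chosen provider"))
            continue
        m = BHO_RE.match(line)
        if m and m.group("label").lower() == m.group("path").lower():
            findings.append(("medium", line, "BHO/shell service object has no display name (label is just the DLL path)"))
    return findings


def count_by_severity(findings):
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
    print(count_by_severity(triage(SAMPLE_LOG)))
```

Run it against a full DDS log by passing the file contents to `triage()`. The rules are deliberately narrow: the ctfmon.exe and NvCplDaemon entries in the sample produce no findings, while the Temp-directory autoruns, the loopback proxy, the bare-name rundll32 entry, the two lockdown policies, the nameless BHO and the rewritten DNS servers do. Public DNS addresses are reported as "verify" rather than "malicious" because an ISP's resolvers are public too.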



#2 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 June 2010 - 09:40 PM


Hello candrews,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

2.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

3.
Download and Rename Combofix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below. You must rename it 1234.scr before saving it to your desktop.

Link 1
Link 2

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on 1234.scr & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 candrews

  • Topic Starter
  • Members
  • 6 posts

Posted 02 June 2010 - 10:03 PM

Sorry, I just wanted to get a little clarification before I try to run combofix. Before downloading it, do I rename combofix as 1234.scr or Combo-Fix?

Edited by candrews, 02 June 2010 - 10:03 PM.


#4 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 02 June 2010 - 10:09 PM

Hello, rename it 1234.scr



#5 candrews

  • Topic Starter
  • Members
  • 6 posts

Posted 02 June 2010 - 11:26 PM

ComboFix 10-06-02.02 - Owner 06/02/2010 22:42:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1599 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\1234.scr
Command switches used :: /S

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Owner\LOCALS~1\Temp\x8jtxf.dll
c:\documents and settings\Owner\Application Data\02000000dea2842c922C.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922O.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922P.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922S.manifest
c:\documents and settings\Owner\Application Data\A41E6C9F0F430458A3B3ADBDEB455A9F
c:\documents and settings\Owner\Application Data\A41E6C9F0F430458A3B3ADBDEB455A9F\enemies-names.txt
c:\documents and settings\Owner\Application Data\A41E6C9F0F430458A3B3ADBDEB455A9F\gotnewupdate000.exe
c:\documents and settings\Owner\Application Data\A41E6C9F0F430458A3B3ADBDEB455A9F\hookdll.dll
c:\documents and settings\Owner\Application Data\chrtmp
c:\documents and settings\Owner\Application Data\nvdisp .exe
c:\documents and settings\Owner\Local Settings\Temp\x8jtxf.dll
c:\windows\msv1_0.dll
c:\windows\system32\drivers\goequzx.sys
c:\windows\system32\ernel32.dll
c:\windows\system32\msvcsv60.dll
c:\windows\system32\yqIQgr.dll

Infected copy of c:\windows\system32\drivers\i8042prt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_goequzx
-------\Service_goequzx


((((((((((((((((((((((((( Files Created from 2010-05-03 to 2010-06-03 )))))))))))))))))))))))))))))))
.

2010-06-03 04:08 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OC1sK317w.dll
2010-06-03 03:41 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OCE5a.dll
2010-06-03 03:39 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\G931793.dll
2010-06-03 03:32 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7i3q7wS.dll
2010-06-02 22:30 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7sK17gM.dll
2010-06-01 22:54 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C9s1eIQ.dll
2010-06-01 22:14 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5k5y5.dll
2010-06-01 21:33 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1u93i7.dll
2010-06-01 21:21 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQGM7.dll
2010-06-01 20:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79317kU.dll
2010-06-01 05:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
2010-06-01 02:17 . 2010-06-01 02:17 -------- d-----w- c:\program files\Trend Micro
2010-06-01 01:19 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
2010-05-31 20:38 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
2010-05-31 19:15 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Q5w5u.dll
2010-05-31 19:10 . 2010-05-31 19:10 54016 ----a-w- c:\windows\system32\drivers\yxfuekbe.sys
2010-05-31 09:05 . 2010-05-31 09:05 50981 ----a-w- c:\windows\system32\odbtwsmamk.exe
2010-05-31 09:05 . 2010-05-31 09:05 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-31 09:04 . 2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll
2010-05-31 09:04 . 2010-05-31 19:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\hrjysoxbt
2010-05-31 09:04 . 2010-05-31 09:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-05-31 09:03 . 2010-05-31 09:03 123904 ----a-w- c:\windows\Hkicia.exe
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31c9sK79.dll
2010-05-26 02:45 . 2010-05-26 02:45 0 ----a-w- c:\windows\nsreg.dat
2010-05-26 02:45 . 2010-05-26 02:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\jqgixdho.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\xvlbyfqx.exe
2010-05-23 23:59 . 2010-05-24 00:04 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2010-05-23 23:59 . 2010-05-24 00:02 -------- d-----w- c:\program files\mIRC
2010-05-18 20:54 . 2010-05-18 21:02 -------- d-----w- c:\program files\MP3Gain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 02:14 . 2008-11-27 06:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\documents and settings\Owner\Application Data\c2e83541.exe
2010-05-31 03:09 . 2010-02-06 06:09 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-05-14 20:40 . 2010-03-27 07:49 16 ----a-w- c:\windows\msocreg32.dat
2010-05-14 01:34 . 2009-07-25 20:28 -------- d-----w- c:\program files\VSTPlugIns
2010-05-07 23:32 . 2008-12-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Symantec
2010-04-29 23:44 . 2008-11-27 03:23 48096 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 16:12 . 2010-04-29 16:11 -------- d-----w- c:\program files\Acoustica MP3 To Wave Converter PLUS
2010-04-29 14:34 . 2010-02-28 21:45 -------- d-----w- c:\program files\MusicLab
2010-04-25 02:09 . 2010-04-25 02:09 -------- d-----w- c:\program files\Veetle
2010-04-23 22:05 . 2010-04-23 22:05 -------- d-----w- c:\program files\EDIROL
2010-04-21 21:54 . 2009-08-03 00:09 -------- d-----w- c:\program files\Syncrosoft
2010-04-21 18:52 . 2009-08-03 00:10 -------- d-----w- c:\program files\Steinberg
2010-04-20 17:16 . 2008-12-05 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-04-20 02:46 . 2010-02-19 06:03 -------- d-----w- c:\program files\QuickTime
2010-04-17 03:24 . 2010-02-19 06:07 -------- d-----w- c:\program files\iTunes
2010-04-17 03:23 . 2010-04-16 15:33 -------- d-----w- c:\program files\iPod
2010-04-17 03:23 . 2008-12-05 23:45 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 03:22 . 2010-04-16 15:27 -------- d-----w- c:\program files\Bonjour
2010-04-16 15:34 . 2010-04-16 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-14 02:00 . 2010-04-13 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 01:39 . 2010-04-14 01:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-04-11 00:41 . 2010-04-11 00:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:44 . 2008-11-27 02:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 18:26 . 2008-12-30 05:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-06 18:14 . 2008-12-30 05:52 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-30 05:46 . 2010-04-13 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-13 15:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-24 22:23 . 2010-03-24 22:27 102400 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-03-11 12:38 . 2005-08-31 15:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-31 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-31 15:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-08-31 15:52 430080 ----a-w- c:\windows\system32\vbscript.dll
.
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\SoundMAX\smax4    .exe
c:\program files\Analog Devices\SoundMAX\smax4   .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Bradford Networks\Persistent Agent\bncsaui .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared files\brs .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\BisonCam\bisontrayicon .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" [2008-07-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-10 13529088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [N/A]
"remotecontrol"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"sunjavaupdatesched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"remotecontrol8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [N/A]
"nwiz"="nwiz.exe" [N/A]
"adobe arm"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"tkbellexe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
"languageshortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [N/A]
"pdvd8languageshortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"skb"="ayqefofl.dll" [N/A]
"MChk"="c:\windows\system32\xvlbyfqx.exe" [2010-05-24 40633]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
"midi6"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2008-11-27 05:49 88365 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muhemomagi]
kisotoye.dll [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/13/2010 10:20 AM 303952]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [11/26/2008 11:04 PM 781824]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [4/21/2010 4:40 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/13/2010 10:20 AM 20824]
S0 efkvc;efkvc;c:\windows\system32\drivers\yknpd.sys --> c:\windows\system32\drivers\yknpd.sys [?]
S0 fdmlivd;fdmlivd;c:\windows\system32\drivers\ooquevy.sys --> c:\windows\system32\drivers\ooquevy.sys [?]
S0 jkxtqrip;jkxtqrip; [x]
S0 jqrv;jqrv;c:\windows\system32\drivers\mijyoi.sys --> c:\windows\system32\drivers\mijyoi.sys [?]
S0 nhilipti;nhilipti;c:\windows\system32\drivers\dyguh.sys --> c:\windows\system32\drivers\dyguh.sys [?]
S0 rgyx;rgyx;c:\windows\system32\drivers\jsoo.sys --> c:\windows\system32\drivers\jsoo.sys [?]
S0 yvwsftuk;yvwsftuk;c:\windows\system32\drivers\wnsruoyp.sys --> c:\windows\system32\drivers\wnsruoyp.sys [?]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 3:51 PM 10880]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [8/2/2009 7:10 PM 18432]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2008 12:52 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-05-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-03 c:\windows\Tasks\MSWD-c2e83541.job
- c:\documents and settings\Owner\Application Data\c2e83541.exe [2010-05-31 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gutbyjv5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Linplug daOrgan v2.1.1 - c:\progra~1\VSTPLU~1\\LINPLU~1\DAORGA~1\UNWISE.EXE
AddRemove-Megota Software SFPack Uninstall - c:\docume~1\Owner\Desktop\SFPack\SFPACK.EXE
AddRemove-Native Instruments FM7 VSTi DXI RTAS v1.1.3.4 - c:\progra~1\NATIVE~1\FM7\UNWISE.EXE
AddRemove-Steinberg Virtual Bassist v1.0.0.504 - c:\progra~1\STEINB~1\VSTPLU~1\VIRTUA~1\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-02 23:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\dot3ui32.dll

- - - - - - - > 'explorer.exe'(2792)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dot3ui32.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\M-Audio MA_CMIDI\MA_CMIDI_Inst.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-06-02 23:19:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-03 04:19
ComboFix.txt 2010-03-24 19:59

Pre-Run: 51,499,589,632 bytes free
Post-Run: 55,377,850,368 bytes free

- - End Of File - - 8ECE98278494C78EECAA21FD374EB412


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 03 June 2010 - 06:24 PM

Hello,


The bad news is you're severely infected. The good news, however, is that we will be able to get you cleaned up.
We need to install a Recovery Console before we start cleaning your machine in case the malware decides to be difficult.


With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named.

---------------------------------------------------------------------

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.

Please post the C:\ComboFix.txt in your next reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 candrews

candrews
  • Topic Starter

  • Members
  • 6 posts

Posted 03 June 2010 - 11:04 PM

ComboFix 10-06-03.01 - Owner 06/03/2010 20:18:16.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1563 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\1234.scr
Command switches used :: /S
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Owner\Application Data\02000000dea2842c922C.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922O.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922P.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922S.manifest

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-03 04:08 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OC1sK317w.dll
2010-06-03 03:41 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OCE5a.dll
2010-06-03 03:39 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\G931793.dll
2010-06-03 03:32 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7i3q7wS.dll
2010-06-02 22:30 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7sK17gM.dll
2010-06-01 22:54 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C9s1eIQ.dll
2010-06-01 22:14 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5k5y5.dll
2010-06-01 21:33 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1u93i7.dll
2010-06-01 21:21 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQGM7.dll
2010-06-01 20:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79317kU.dll
2010-06-01 05:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
2010-06-01 02:17 . 2010-06-01 02:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 02:17 . 2010-06-01 02:17 -------- d-----w- c:\program files\Trend Micro
2010-06-01 01:19 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
2010-05-31 20:38 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
2010-05-31 19:15 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Q5w5u.dll
2010-05-31 19:10 . 2010-05-31 19:10 54016 ----a-w- c:\windows\system32\drivers\yxfuekbe.sys
2010-05-31 09:05 . 2010-05-31 09:05 50981 ----a-w- c:\windows\system32\odbtwsmamk.exe
2010-05-31 09:05 . 2010-05-31 09:05 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-31 09:04 . 2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll
2010-05-31 09:04 . 2010-05-31 19:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\hrjysoxbt
2010-05-31 09:04 . 2010-06-04 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-05-31 09:03 . 2010-05-31 09:03 123904 ----a-w- c:\windows\Hkicia.exe
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31c9sK79.dll
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\documents and settings\Owner\Application Data\c2e83541.exe
2010-05-26 02:45 . 2010-05-26 02:45 0 ----a-w- c:\windows\nsreg.dat
2010-05-26 02:45 . 2010-05-26 02:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\jqgixdho.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\xvlbyfqx.exe
2010-05-23 23:59 . 2010-05-24 00:04 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2010-05-23 23:59 . 2010-05-24 00:02 -------- d-----w- c:\program files\mIRC
2010-05-18 20:54 . 2010-05-18 21:02 -------- d-----w- c:\program files\MP3Gain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 02:14 . 2008-11-27 06:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 03:09 . 2010-02-06 06:09 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-05-14 20:40 . 2010-03-27 07:49 16 ----a-w- c:\windows\msocreg32.dat
2010-05-14 01:34 . 2009-07-25 20:28 -------- d-----w- c:\program files\VSTPlugIns
2010-05-07 23:32 . 2008-12-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Symantec
2010-04-29 23:44 . 2008-11-27 03:23 48096 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 16:12 . 2010-04-29 16:11 -------- d-----w- c:\program files\Acoustica MP3 To Wave Converter PLUS
2010-04-29 14:34 . 2010-02-28 21:45 -------- d-----w- c:\program files\MusicLab
2010-04-25 02:09 . 2010-04-25 02:09 -------- d-----w- c:\program files\Veetle
2010-04-23 22:05 . 2010-04-23 22:05 -------- d-----w- c:\program files\EDIROL
2010-04-21 21:54 . 2009-08-03 00:09 -------- d-----w- c:\program files\Syncrosoft
2010-04-21 18:52 . 2009-08-03 00:10 -------- d-----w- c:\program files\Steinberg
2010-04-20 17:16 . 2008-12-05 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-04-20 02:46 . 2010-02-19 06:03 -------- d-----w- c:\program files\QuickTime
2010-04-17 03:24 . 2010-02-19 06:07 -------- d-----w- c:\program files\iTunes
2010-04-17 03:23 . 2010-04-16 15:33 -------- d-----w- c:\program files\iPod
2010-04-17 03:23 . 2008-12-05 23:45 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 03:22 . 2010-04-16 15:27 -------- d-----w- c:\program files\Bonjour
2010-04-16 15:34 . 2010-04-16 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-16 15:24 . 2010-04-16 15:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-14 02:00 . 2010-04-13 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 01:39 . 2010-04-14 01:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-04-12 21:28 . 2010-03-06 19:32 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-04-11 00:41 . 2010-04-11 00:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:44 . 2008-11-27 02:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 18:26 . 2008-12-30 05:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-06 18:14 . 2008-12-30 05:52 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-30 05:46 . 2010-04-13 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-13 15:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-24 22:23 . 2010-03-24 22:27 102400 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-03-14 06:04 . 2010-03-14 06:00 20841968 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-11 12:38 . 2005-08-31 15:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-31 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-31 15:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-08-31 15:52 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 03:43 . 2010-03-07 03:43 8405312 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-07 03:39 . 2010-03-07 03:39 149000 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-07 03:39 . 2010-03-07 03:39 10309448 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-07 03:35 . 2010-03-07 03:35 181768 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-07 03:35 . 2010-03-07 03:35 283280 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-07 03:35 . 2010-03-07 03:35 79368 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-07 03:35 . 2010-03-07 03:35 64000 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-07 03:35 . 2010-03-07 03:35 52288 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-07 03:35 . 2010-03-07 03:35 50688 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-07 03:35 . 2010-03-07 03:35 49152 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-07 03:35 . 2010-03-07 03:35 118784 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
.
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\SoundMAX\smax4    .exe
c:\program files\Analog Devices\SoundMAX\smax4   .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Bradford Networks\Persistent Agent\bncsaui .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared files\brs .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\BisonCam\bisontrayicon .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" [2008-07-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-10 13529088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [N/A]
"remotecontrol"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"sunjavaupdatesched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"remotecontrol8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [N/A]
"nwiz"="nwiz.exe" [N/A]
"adobe arm"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"tkbellexe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
"languageshortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [N/A]
"pdvd8languageshortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"skb"="ayqefofl.dll" [N/A]
"MChk"="c:\windows\system32\xvlbyfqx.exe" [2010-05-24 40633]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
"midi6"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2008-11-27 05:49 88365 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muhemomagi]
kisotoye.dll [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/13/2010 10:20 AM 303952]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [11/26/2008 11:04 PM 781824]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [4/21/2010 4:40 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/13/2010 10:20 AM 20824]
S0 efkvc;efkvc;c:\windows\system32\drivers\yknpd.sys --> c:\windows\system32\drivers\yknpd.sys [?]
S0 fdmlivd;fdmlivd;c:\windows\system32\drivers\ooquevy.sys --> c:\windows\system32\drivers\ooquevy.sys [?]
S0 jkxtqrip;jkxtqrip; [x]
S0 jqrv;jqrv;c:\windows\system32\drivers\mijyoi.sys --> c:\windows\system32\drivers\mijyoi.sys [?]
S0 nhilipti;nhilipti;c:\windows\system32\drivers\dyguh.sys --> c:\windows\system32\drivers\dyguh.sys [?]
S0 rgyx;rgyx;c:\windows\system32\drivers\jsoo.sys --> c:\windows\system32\drivers\jsoo.sys [?]
S0 yvwsftuk;yvwsftuk;c:\windows\system32\drivers\wnsruoyp.sys --> c:\windows\system32\drivers\wnsruoyp.sys [?]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 3:51 PM 10880]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [8/2/2009 7:10 PM 18432]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2008 12:52 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-03 c:\windows\Tasks\MSWD-c2e83541.job
- c:\documents and settings\Owner\Application Data\c2e83541.exe [2010-05-31 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gutbyjv5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 20:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\dot3ui32.dll
.
Completion time: 2010-06-03 20:26:18
ComboFix-quarantined-files.txt 2010-06-04 01:26
ComboFix.txt 2010-03-24 19:59
ComboFix2.txt 2010-06-03 04:19

Pre-Run: 50,210,344,960 bytes free
Post-Run: 50,175,455,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D9AEC4C31FC75E99F20D2D90D17AB56E


#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 04 June 2010 - 06:45 PM

Hello,

Let's now start the cleanup process.


1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

CODE
Collect::
c:\windows\system32\Spool\prtprocs\w32x86\OC1sK317w.dll
c:\windows\system32\Spool\prtprocs\w32x86\OCE5a.dll
c:\windows\system32\Spool\prtprocs\w32x86\G931793.dll
c:\windows\system32\Spool\prtprocs\w32x86\7i3q7wS.dll
c:\windows\system32\Spool\prtprocs\w32x86\7sK17gM.dll
c:\windows\system32\Spool\prtprocs\w32x86\C9s1eIQ.dll
c:\windows\system32\Spool\prtprocs\w32x86\5k5y5.dll
c:\windows\system32\Spool\prtprocs\w32x86\1u93i7.dll
c:\windows\system32\Spool\prtprocs\w32x86\EIQGM7.dll
c:\windows\system32\Spool\prtprocs\w32x86\79317kU.dll
c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
c:\windows\system32\Spool\prtprocs\w32x86\Q5w5u.dll
c:\windows\system32\drivers\yxfuekbe.sys
c:\windows\system32\odbtwsmamk.exe
c:\windows\system32\dot3ui32.dll
c:\windows\system32\Spool\prtprocs\w32x86\31c9sK79.dll
c:\documents and settings\Owner\Application Data\c2e83541.exe
c:\windows\system32\jqgixdho.dll
c:\windows\system32\xvlbyfqx.exe
c:\windows\Hkicia.exe
c:\windows\system32\kisotoye.dll

Killall::

Domains::

File::
c:\windows\system32\drivers\yknpd.sys
c:\windows\system32\drivers\ooquevy.sys
c:\windows\system32\drivers\mijyoi.sys
c:\windows\system32\drivers\dyguh.sys
c:\windows\system32\drivers\jsoo.sys
c:\windows\system32\drivers\wnsruoyp.sys
c:\windows\Tasks\MSWD-c2e83541.job
c:\documents and settings\Owner\Application Data\c2e83541.exe

Folder::
c:\documents and settings\Owner\Local Settings\Application Data\hrjysoxbt

Firefox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gutbyjv5.default\
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

Renv::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\SoundMAX\smax4    .exe
c:\program files\Analog Devices\SoundMAX\smax4   .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Bradford Networks\Persistent Agent\bncsaui .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared files\brs .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\BisonCam\bisontrayicon .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MChk"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skb"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muhemomagi]

Driver::
efkvc
fdmlivd
jkxtqrip
jqrv
nhilipti
rgyx
yvwsftuk


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Upload Samples by ComboFix

When Combofix finishes running, the ComboFix log will open along with a message box. With the above script, ComboFix captured some files to submit for analysis.
  • Important: Ensure you are connected to the internet before clicking OK on the message box.
  • A blue-screen would appear auto-uploading the zipped file I requested.
  • After the uploading is done you should see a message near the bottom saying "Upload was Succesfull".

**NOTE**
=================
  • IF for some reason Combofix fails to upload anything please do the following:
  • Go to Start >> My Computer > C:\
  • Then Navigate to the C:\Qoobox\Quarantine folder.
  • Find the archive zip file called "[68]-Submit_Date_Time.zip"
  • Simply go to THIS CHANNEL and upload the submit.zip archive file to me.
  • Follow the instructions on that page to copy/paste/send the requested file.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 candrews
  • Topic Starter
  • Members
  • 6 posts

Posted 05 June 2010 - 02:12 PM

ComboFix 10-06-03.01 - Owner 06/05/2010 13:43:49.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1621 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\1234.scr
Command switches used :: /S
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\02000000dea2842c922C.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922O.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922P.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922S.manifest
c:\windows\system32\msvcsv60.dll

.
((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-03 04:08 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OC1sK317w.dll
2010-06-03 03:41 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OCE5a.dll
2010-06-03 03:39 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\G931793.dll
2010-06-03 03:32 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7i3q7wS.dll
2010-06-02 22:30 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7sK17gM.dll
2010-06-01 22:54 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C9s1eIQ.dll
2010-06-01 22:14 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5k5y5.dll
2010-06-01 21:33 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1u93i7.dll
2010-06-01 21:21 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQGM7.dll
2010-06-01 20:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79317kU.dll
2010-06-01 05:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
2010-06-01 02:17 . 2010-06-01 02:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 02:17 . 2010-06-01 02:17 -------- d-----w- c:\program files\Trend Micro
2010-06-01 01:19 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
2010-05-31 20:38 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
2010-05-31 19:15 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Q5w5u.dll
2010-05-31 19:10 . 2010-05-31 19:10 54016 ----a-w- c:\windows\system32\drivers\yxfuekbe.sys
2010-05-31 09:05 . 2010-05-31 09:05 50981 ----a-w- c:\windows\system32\odbtwsmamk.exe
2010-05-31 09:05 . 2010-05-31 09:05 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-31 09:04 . 2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll
2010-05-31 09:04 . 2010-05-31 19:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\hrjysoxbt
2010-05-31 09:04 . 2010-06-04 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-05-31 09:03 . 2010-05-31 09:03 123904 ----a-w- c:\windows\Hkicia.exe
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31c9sK79.dll
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\documents and settings\Owner\Application Data\c2e83541.exe
2010-05-26 02:45 . 2010-05-26 02:45 0 ----a-w- c:\windows\nsreg.dat
2010-05-26 02:45 . 2010-05-26 02:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\jqgixdho.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\xvlbyfqx.exe
2010-05-23 23:59 . 2010-05-24 00:04 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2010-05-23 23:59 . 2010-05-24 00:02 -------- d-----w- c:\program files\mIRC
2010-05-18 20:54 . 2010-05-18 21:02 -------- d-----w- c:\program files\MP3Gain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 05:14 . 2010-02-06 06:09 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-06-05 02:35 . 2010-03-27 07:49 16 ----a-w- c:\windows\msocreg32.dat
2010-06-01 02:14 . 2008-11-27 06:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-14 01:34 . 2009-07-25 20:28 -------- d-----w- c:\program files\VSTPlugIns
2010-05-07 23:32 . 2008-12-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Symantec
2010-04-29 23:44 . 2008-11-27 03:23 48096 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 16:12 . 2010-04-29 16:11 -------- d-----w- c:\program files\Acoustica MP3 To Wave Converter PLUS
2010-04-29 14:34 . 2010-02-28 21:45 -------- d-----w- c:\program files\MusicLab
2010-04-25 02:09 . 2010-04-25 02:09 -------- d-----w- c:\program files\Veetle
2010-04-23 22:05 . 2010-04-23 22:05 -------- d-----w- c:\program files\EDIROL
2010-04-21 21:54 . 2009-08-03 00:09 -------- d-----w- c:\program files\Syncrosoft
2010-04-21 18:52 . 2009-08-03 00:10 -------- d-----w- c:\program files\Steinberg
2010-04-20 17:16 . 2008-12-05 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-04-20 02:46 . 2010-02-19 06:03 -------- d-----w- c:\program files\QuickTime
2010-04-17 03:24 . 2010-02-19 06:07 -------- d-----w- c:\program files\iTunes
2010-04-17 03:23 . 2010-04-16 15:33 -------- d-----w- c:\program files\iPod
2010-04-17 03:23 . 2008-12-05 23:45 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 03:22 . 2010-04-16 15:27 -------- d-----w- c:\program files\Bonjour
2010-04-16 15:34 . 2010-04-16 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-16 15:24 . 2010-04-16 15:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-14 02:00 . 2010-04-13 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 01:39 . 2010-04-14 01:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-04-12 21:28 . 2010-03-06 19:32 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-04-11 00:41 . 2010-04-11 00:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:14 . 2008-12-30 05:52 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-30 05:46 . 2010-04-13 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-13 15:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-24 22:23 . 2010-03-24 22:27 102400 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-03-14 06:04 . 2010-03-14 06:00 20841968 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-11 12:38 . 2005-08-31 15:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-31 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-31 15:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-08-31 15:52 430080 ----a-w- c:\windows\system32\vbscript.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\SoundMAX\smax4    .exe
c:\program files\Analog Devices\SoundMAX\smax4   .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Bradford Networks\Persistent Agent\bncsaui .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared files\brs .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\BisonCam\bisontrayicon .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" [2008-07-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-10 13529088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [N/A]
"remotecontrol"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"sunjavaupdatesched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"remotecontrol8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [N/A]
"nwiz"="nwiz.exe" [N/A]
"adobe arm"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"tkbellexe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
"languageshortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [N/A]
"pdvd8languageshortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"skb"="ayqefofl.dll" [N/A]
"MChk"="c:\windows\system32\xvlbyfqx.exe" [2010-05-24 40633]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
"midi6"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2008-11-27 05:49 88365 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muhemomagi]
kisotoye.dll [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/13/2010 10:20 AM 303952]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [11/26/2008 11:04 PM 781824]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [4/21/2010 4:40 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/13/2010 10:20 AM 20824]
S0 efkvc;efkvc;c:\windows\system32\drivers\yknpd.sys --> c:\windows\system32\drivers\yknpd.sys [?]
S0 fdmlivd;fdmlivd;c:\windows\system32\drivers\ooquevy.sys --> c:\windows\system32\drivers\ooquevy.sys [?]
S0 jkxtqrip;jkxtqrip; [x]
S0 jqrv;jqrv;c:\windows\system32\drivers\mijyoi.sys --> c:\windows\system32\drivers\mijyoi.sys [?]
S0 nhilipti;nhilipti;c:\windows\system32\drivers\dyguh.sys --> c:\windows\system32\drivers\dyguh.sys [?]
S0 rgyx;rgyx;c:\windows\system32\drivers\jsoo.sys --> c:\windows\system32\drivers\jsoo.sys [?]
S0 yvwsftuk;yvwsftuk;c:\windows\system32\drivers\wnsruoyp.sys --> c:\windows\system32\drivers\wnsruoyp.sys [?]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 3:51 PM 10880]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [8/2/2009 7:10 PM 18432]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2008 12:52 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-03 c:\windows\Tasks\MSWD-c2e83541.job
- c:\documents and settings\Owner\Application Data\c2e83541.exe [2010-05-31 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gutbyjv5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 13:56
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\dot3ui32.dll
.
Completion time: 2010-06-05 13:58:45
ComboFix-quarantined-files.txt 2010-06-05 18:58
ComboFix.txt 2010-03-24 19:59
ComboFix2.txt 2010-06-04 01:26
ComboFix3.txt 2010-06-03 04:19

Pre-Run: 40,151,461,888 bytes free
Post-Run: 40,138,416,128 bytes free

- - End Of File - - C36CBF3033B01F0FA34E523CE477F8D2


#10 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,505 posts
  • Gender:Male
  • Location:Greenup, Ill USA

Posted 05 June 2010 - 02:46 PM

Hello,

I think you have given me the wrong Combofix log. Please go to C:\Combofix.txt; there should be 2 logs, you want the one that is the biggest number. Should be Combofix2.txt.




#11 candrews
  • Topic Starter
  • Members
  • 6 posts

Posted 08 June 2010 - 01:30 PM

Sorry for taking so long to reply. The email notification went into my spam, so I didn't know you had replied. Here's combofix2.txt.



ComboFix 10-06-03.01 - Owner 06/03/2010 20:18:16.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1563 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\1234.scr
Command switches used :: /S
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Update\seupd.exe
c:\documents and settings\Owner\Application Data\02000000dea2842c922C.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922O.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922P.manifest
c:\documents and settings\Owner\Application Data\02000000dea2842c922S.manifest

.
((((((((((((((((((((((((( Files Created from 2010-05-04 to 2010-06-04 )))))))))))))))))))))))))))))))
.

2010-06-03 04:08 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OC1sK317w.dll
2010-06-03 03:41 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\OCE5a.dll
2010-06-03 03:39 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\G931793.dll
2010-06-03 03:32 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7i3q7wS.dll
2010-06-02 22:30 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\7sK17gM.dll
2010-06-01 22:54 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\C9s1eIQ.dll
2010-06-01 22:14 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\5k5y5.dll
2010-06-01 21:33 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\1u93i7.dll
2010-06-01 21:21 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\EIQGM7.dll
2010-06-01 20:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\79317kU.dll
2010-06-01 05:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
2010-06-01 02:17 . 2010-06-01 02:17 388096 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-06-01 02:17 . 2010-06-01 02:17 -------- d-----w- c:\program files\Trend Micro
2010-06-01 01:19 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
2010-05-31 20:38 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
2010-05-31 19:15 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\Q5w5u.dll
2010-05-31 19:10 . 2010-05-31 19:10 54016 ----a-w- c:\windows\system32\drivers\yxfuekbe.sys
2010-05-31 09:05 . 2010-05-31 09:05 50981 ----a-w- c:\windows\system32\odbtwsmamk.exe
2010-05-31 09:05 . 2010-05-31 09:05 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-31 09:04 . 2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll
2010-05-31 09:04 . 2010-05-31 19:10 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\hrjysoxbt
2010-05-31 09:04 . 2010-06-04 01:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
2010-05-31 09:03 . 2010-05-31 09:03 123904 ----a-w- c:\windows\Hkicia.exe
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31c9sK79.dll
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\documents and settings\Owner\Application Data\c2e83541.exe
2010-05-26 02:45 . 2010-05-26 02:45 0 ----a-w- c:\windows\nsreg.dat
2010-05-26 02:45 . 2010-05-26 02:45 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\jqgixdho.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\xvlbyfqx.exe
2010-05-23 23:59 . 2010-05-24 00:04 -------- d-----w- c:\documents and settings\Owner\Application Data\mIRC
2010-05-23 23:59 . 2010-05-24 00:02 -------- d-----w- c:\program files\mIRC
2010-05-18 20:54 . 2010-05-18 21:02 -------- d-----w- c:\program files\MP3Gain

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-01 02:14 . 2008-11-27 06:05 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-31 03:09 . 2010-02-06 06:09 -------- d-----w- c:\documents and settings\Owner\Application Data\vlc
2010-05-14 20:40 . 2010-03-27 07:49 16 ----a-w- c:\windows\msocreg32.dat
2010-05-14 01:34 . 2009-07-25 20:28 -------- d-----w- c:\program files\VSTPlugIns
2010-05-07 23:32 . 2008-12-08 17:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-05-07 23:30 . 2008-12-08 17:23 -------- d-----w- c:\program files\Symantec
2010-04-29 23:44 . 2008-11-27 03:23 48096 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-29 16:12 . 2010-04-29 16:11 -------- d-----w- c:\program files\Acoustica MP3 To Wave Converter PLUS
2010-04-29 14:34 . 2010-02-28 21:45 -------- d-----w- c:\program files\MusicLab
2010-04-25 02:09 . 2010-04-25 02:09 -------- d-----w- c:\program files\Veetle
2010-04-23 22:05 . 2010-04-23 22:05 -------- d-----w- c:\program files\EDIROL
2010-04-21 21:54 . 2009-08-03 00:09 -------- d-----w- c:\program files\Syncrosoft
2010-04-21 18:52 . 2009-08-03 00:10 -------- d-----w- c:\program files\Steinberg
2010-04-20 17:16 . 2008-12-05 23:46 -------- d-----w- c:\documents and settings\Owner\Application Data\Apple Computer
2010-04-20 02:46 . 2010-02-19 06:03 -------- d-----w- c:\program files\QuickTime
2010-04-17 03:24 . 2010-02-19 06:07 -------- d-----w- c:\program files\iTunes
2010-04-17 03:23 . 2010-04-16 15:33 -------- d-----w- c:\program files\iPod
2010-04-17 03:23 . 2008-12-05 23:45 -------- d-----w- c:\program files\Common Files\Apple
2010-04-17 03:22 . 2010-04-16 15:27 -------- d-----w- c:\program files\Bonjour
2010-04-16 15:34 . 2010-04-16 15:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-04-16 15:24 . 2010-04-16 15:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-14 02:00 . 2010-04-13 15:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-14 01:39 . 2010-04-14 01:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2010-04-12 21:28 . 2010-03-06 19:32 439816 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\setup.exe
2010-04-11 00:41 . 2010-04-11 00:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:55 . 2010-04-06 18:55 0 ---ha-w- c:\documents and settings\Owner\Application Data\.7138826AABB8C36B.sys
2010-04-06 18:44 . 2008-11-27 02:05 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-06 18:26 . 2008-12-30 05:56 -------- d-----w- c:\program files\DAEMON Tools Lite
2010-04-06 18:14 . 2008-12-30 05:52 717296 ----a-w- c:\windows\system32\drivers\sptd.sys
2010-03-30 05:46 . 2010-04-13 15:20 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 05:45 . 2010-04-13 15:20 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-25 01:28 . 2010-03-25 01:28 886272 ----a-w- c:\documents and settings\Owner\Application Data\System.Data.SQLite.DLL
2010-03-24 22:23 . 2010-03-24 22:27 102400 ----a-w- c:\windows\system32\drivers\nvgts.sys
2010-03-14 06:04 . 2010-03-14 06:00 20841968 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-11 12:38 . 2005-08-31 15:52 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-08-31 15:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-08-31 15:50 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-08-31 15:52 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-07 03:43 . 2010-03-07 03:43 8405312 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-07 03:39 . 2010-03-07 03:39 149000 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-07 03:39 . 2010-03-07 03:39 10309448 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-07 03:35 . 2010-03-07 03:35 181768 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-07 03:35 . 2010-03-07 03:35 283280 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-07 03:35 . 2010-03-07 03:35 79368 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-07 03:35 . 2010-03-07 03:35 64000 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-07 03:35 . 2010-03-07 03:35 52288 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-07 03:35 . 2010-03-07 03:35 50688 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-07 03:35 . 2010-03-07 03:35 49152 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-07 03:35 . 2010-03-07 03:35 118784 ----a-w- c:\documents and settings\Owner\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
.
CODE
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\SoundMAX\smax4    .exe
c:\program files\Analog Devices\SoundMAX\smax4   .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Bradford Networks\Persistent Agent\bncsaui .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared files\brs .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\BisonCam\bisontrayicon .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"NVHotkey"="nvHotkey.dll" [2008-07-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-10 13529088]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [N/A]
"remotecontrol"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [N/A]
"sunjavaupdatesched"="c:\program files\Java\jre6\bin\jusched.exe" [N/A]
"remotecontrol8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [N/A]
"nwiz"="nwiz.exe" [N/A]
"adobe arm"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [N/A]
"adobe reader speed launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [N/A]
"tkbellexe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [N/A]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [N/A]
"languageshortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [N/A]
"pdvd8languageshortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [N/A]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"skb"="ayqefofl.dll" [N/A]
"MChk"="c:\windows\system32\xvlbyfqx.exe" [2010-05-24 40633]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
2010-05-31 09:04 182272 ----a-w- c:\windows\system32\dot3ui32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi1"=ma_cmidn.dll
"midi6"=ma_cmidn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2008-11-27 05:49 88365 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-04-01 09:39 486856 ----a-w- c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muhemomagi]
kisotoye.dll [N/A]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\launch4j-tmp\\JDownloader.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 1:07 PM 61424]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/13/2010 10:20 AM 303952]
R3 Airgo3P;Airgo Networks AGN300 True MIMO ™ Wireless Driver;c:\windows\system32\drivers\TMIMO31P.sys [11/26/2008 11:04 PM 781824]
R3 CLEDX;Team H2O CLEDX service;c:\windows\system32\drivers\cledx.sys [4/21/2010 4:40 PM 33792]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/13/2010 10:20 AM 20824]
S0 efkvc;efkvc;c:\windows\system32\drivers\yknpd.sys --> c:\windows\system32\drivers\yknpd.sys [?]
S0 fdmlivd;fdmlivd;c:\windows\system32\drivers\ooquevy.sys --> c:\windows\system32\drivers\ooquevy.sys [?]
S0 jkxtqrip;jkxtqrip; [x]
S0 jqrv;jqrv;c:\windows\system32\drivers\mijyoi.sys --> c:\windows\system32\drivers\mijyoi.sys [?]
S0 nhilipti;nhilipti;c:\windows\system32\drivers\dyguh.sys --> c:\windows\system32\drivers\dyguh.sys [?]
S0 rgyx;rgyx;c:\windows\system32\drivers\jsoo.sys --> c:\windows\system32\drivers\jsoo.sys [?]
S0 yvwsftuk;yvwsftuk;c:\windows\system32\drivers\wnsruoyp.sys --> c:\windows\system32\drivers\wnsruoyp.sys [?]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 3:51 PM 10880]
S3 Smcinst;Symantec Auto-upgrade Agent;c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe --> c:\program files\Symantec\Symantec Endpoint Protection\SmcLU\Setup\smcinst.exe [?]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasUSB.sys [8/2/2009 7:10 PM 18432]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/30/2008 12:52 AM 717296]
.
Contents of the 'Scheduled Tasks' folder

2010-06-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]

2010-06-03 c:\windows\Tasks\MSWD-c2e83541.job
- c:\documents and settings\Owner\Application Data\c2e83541.exe [2010-05-31 09:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gutbyjv5.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Google
FF - user.js: browser.search.order.1 - Google
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-03 20:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(904)
c:\windows\system32\dot3ui32.dll
.
Completion time: 2010-06-03 20:26:18
ComboFix-quarantined-files.txt 2010-06-04 01:26
ComboFix.txt 2010-03-24 19:59
ComboFix2.txt 2010-06-03 04:19

Pre-Run: 50,210,344,960 bytes free
Post-Run: 50,175,455,232 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - D9AEC4C31FC75E99F20D2D90D17AB56E


#12 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 08 June 2010 - 05:38 PM

Hello,

1.
Please delete the copy of Combofix you have from your desktop.


Run ComboFix with a CFscript

This tool is not a toy. If used the wrong way, you could trash your computer. Please use it only under the direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.
Don't rename it this time.

Link 1
Link 2

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
http://www.bleepingcomputer.com/forums/t/321129/infected-with-antimalware-doctor/
Collect::
c:\windows\system32\Spool\prtprocs\w32x86\OC1sK317w.dll
c:\windows\system32\Spool\prtprocs\w32x86\OCE5a.dll
c:\windows\system32\Spool\prtprocs\w32x86\G931793.dll
c:\windows\system32\Spool\prtprocs\w32x86\7i3q7wS.dll
c:\windows\system32\Spool\prtprocs\w32x86\7sK17gM.dll
c:\windows\system32\Spool\prtprocs\w32x86\C9s1eIQ.dll
c:\windows\system32\Spool\prtprocs\w32x86\5k5y5.dll
c:\windows\system32\Spool\prtprocs\w32x86\1u93i7.dll
c:\windows\system32\Spool\prtprocs\w32x86\EIQGM7.dll
c:\windows\system32\Spool\prtprocs\w32x86\79317kU.dll
c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
c:\windows\system32\Spool\prtprocs\w32x86\Q5w5u.dll
c:\windows\system32\drivers\yxfuekbe.sys
c:\windows\system32\odbtwsmamk.exe
c:\windows\system32\dot3ui32.dll
c:\windows\system32\Spool\prtprocs\w32x86\31c9sK79.dll
c:\documents and settings\Owner\Application Data\c2e83541.exe
c:\windows\system32\jqgixdho.dll
c:\windows\system32\xvlbyfqx.exe
c:\windows\Hkicia.exe
c:\windows\system32\kisotoye.dll

Killall::

Domains::

File::
c:\windows\system32\drivers\yknpd.sys
c:\windows\system32\drivers\ooquevy.sys
c:\windows\system32\drivers\mijyoi.sys
c:\windows\system32\drivers\dyguh.sys
c:\windows\system32\drivers\jsoo.sys
c:\windows\system32\drivers\wnsruoyp.sys
c:\windows\Tasks\MSWD-c2e83541.job
c:\documents and settings\Owner\Application Data\c2e83541.exe

Folder::
c:\documents and settings\Owner\Local Settings\Application Data\hrjysoxbt

Firefox::
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\gutbyjv5.default\
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
FF - user.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);

Renv::
c:\program files\Adobe\Reader 9.0\Reader\reader_sl .exe
c:\program files\Analog Devices\SoundMAX\smax4    .exe
c:\program files\Analog Devices\SoundMAX\smax4   .exe
c:\program files\Analog Devices\SoundMAX\smax4pnp .exe
c:\program files\Bradford Networks\Persistent Agent\bncsaui .exe
c:\program files\Common Files\Adobe\ARM\1.0\adobearm .exe
c:\program files\Common Files\InstallShield\UpdateService\issch .exe
c:\program files\Common Files\InstallShield\UpdateService\isuspm .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\CyberLink\PowerDVD\pdvdserv .exe
c:\program files\CyberLink\PowerDVD\Language\language .exe
c:\program files\CyberLink\PowerDVD8\pdvd8serv .exe
c:\program files\CyberLink\PowerDVD8\Language\language .exe
c:\program files\CyberLink\Shared files\brs .exe
c:\program files\DAEMON Tools Lite\daemon .exe
c:\program files\HP\HP Software Update\hpwuschd2 .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui .exe
c:\program files\Messenger\msmsgs .exe
c:\program files\QuickTime\qttask                           .exe
c:\windows\BisonCam\bisontrayicon .exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\rundll32 .exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MChk"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"skb"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoFolderOptions"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\muhemomagi]

Driver::
efkvc
fdmlivd
jkxtqrip
jqrv
nhilipti
rgyx
yvwsftuk


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.


Things to include in your next reply:
Combofix.txt
How is your machine running now?

Edited by fireman4it, 08 June 2010 - 05:38 PM.
spelling

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
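
The log in the previous post and the CFScript above list the same indicators by hand: random-named print-processor DLLs under prtprocs (all 66560 bytes, the same size as the dropped c2e83541.exe), boot-start services whose .sys image is missing, a Run value pointing at a bare DLL that ComboFix could not find, a non-default Winlogon notify package, the DisableRegistryTools and NoFolderOptions policies, a proxy forced to 127.0.0.1:5555 and a Firefox keyword.URL search hijack. The script below is an added example for this thread, not ComboFix's code and not from either poster, that pulls those indicators out of a ComboFix-style log automatically. The rule names, the high/review severities, the same-size threshold and the search-engine allowlist are this example's own assumptions; the sample lines are copied from the report posted above.

```python
# Added example for this thread (not ComboFix's code and not from either poster):
# a triage pass over a ComboFix-style log that flags the kinds of indicators
# visible in the report above. Rule names, severities, the same-size threshold
# and the search-engine allowlist are this example's own assumptions.
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: a subset of lines copied from the report posted above.
SAMPLE_LOG = r"""
2010-06-01 05:43 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\o179i1qG.dll
2010-06-01 01:19 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\31m9gM79.dll
2010-05-31 20:38 . 2010-05-31 09:03 66560 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\kUO55.dll
2010-05-31 09:03 . 2010-05-31 09:03 123904 ----a-w- c:\windows\Hkicia.exe
2010-05-31 09:03 . 2010-05-31 09:03 66560 ----a-w- c:\documents and settings\Owner\Application Data\c2e83541.exe
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\xvlbyfqx.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"skb"="ayqefofl.dll" [N/A]
"MChk"="c:\windows\system32\xvlbyfqx.exe" [2010-05-24 40633]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\440555d7922]
S0 efkvc;efkvc;c:\windows\system32\drivers\yknpd.sys --> c:\windows\system32\drivers\yknpd.sys [?]
S0 jkxtqrip;jkxtqrip; [x]
S3 DfuUsb;DfuUsb;c:\windows\system32\drivers\DFUUsb.sys [11/8/2007 3:51 PM 10880]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
FF - prefs.js: keyword.URL - hxxp://search.wish-search.com/?sid=10101020100&s=
"""

FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(?P<size>\d+|-+) \S+ (?P<path>[a-z]:\\.+)$", re.IGNORECASE)
RUN_RE = re.compile(r'^"[^"]+"="(?P<target>[^"]+)" \[(?P<info>[^\]]*)\]$')
POLICY_RE = re.compile(r'^"(?:DisableRegistryTools|NoFolderOptions|DisableTaskMgr)"= *1\b')
SERVICE_RE = re.compile(r"^[SR][0-4] [^;]+;[^;]*;.*(?: --> .*\[\?\]| \[x\])$")
PROXY_RE = re.compile(r"ProxyServer = (?:http=)?(?:127\.0\.0\.1|localhost):\d+")
SEARCH_RE = re.compile(r"keyword\.URL - hxxp://(?P<host>[^/]+)", re.IGNORECASE)
SEARCH_ALLOW = {"www.google.com", "search.yahoo.com", "www.bing.com"}  # assumed allowlist
ROOT_DROP_DIRS = ("\\windows", "\\application data", "\\local settings\\application data")


def check_file(path, line):
    """Location rules for a newly created .exe/.dll/.sys; returns findings."""
    p = PureWindowsPath(path)
    ext, parent = p.suffix.lower(), str(p.parent).lower()
    if ext not in (".exe", ".dll", ".sys"):
        return []
    if "\\spool\\prtprocs\\" in parent + "\\":
        # print processors are loaded by spoolsv.exe whenever the spooler starts
        return [("high", "print-processor-dll", line)]
    if any(parent.endswith(d) for d in ROOT_DROP_DIRS):
        return [("high", "pe-in-profile-or-windows-root", line)]
    return []


def triage(text):
    """Return (severity, rule, line) findings for a ComboFix-style report."""
    findings, run_entries, new_files, sizes = [], [], set(), defaultdict(list)
    section = ""
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            if "\\winlogon\\notify\\" in section:
                # ComboFix hides default notify packages: anything listed is a
                # DLL that winlogon.exe will load at logon
                findings.append(("high", "winlogon-notify-package", line))
            continue
        m = FILE_RE.match(line)
        if m:
            findings.extend(check_file(m.group("path"), line))
            new_files.add(m.group("path").lower())
            if m.group("size").isdigit():
                sizes[int(m.group("size"))].append(m.group("path"))
            continue
        m = RUN_RE.match(line)
        if m and section.endswith("\\currentversion\\run"):
            run_entries.append((m.group("target"), m.group("info"), line))
        elif POLICY_RE.match(line) and "\\policies\\" in section:
            findings.append(("high", "lockout-policy", line))
        elif SERVICE_RE.match(line):  # service whose image file is missing or unnamed
            sev = "high" if line[:2] in ("S0", "R0") else "review"  # boot-start = high
            findings.append((sev, "service-image-missing", line))
        elif PROXY_RE.search(line):
            findings.append(("high", "local-proxy-hijack", line))
        else:
            m = SEARCH_RE.search(line)
            if m and m.group("host").lower() not in SEARCH_ALLOW:
                findings.append(("high", "search-hijack", line))
    # cross-checks that need the whole report
    for target, info, line in run_entries:
        if target.lower() in new_files:  # autorun added for a freshly dropped file
            findings.append(("high", "autorun-of-new-file", line))
        elif info == "N/A" and target.lower().endswith(".dll"):  # bare DLL, not found
            findings.append(("high", "autorun-bare-dll-unverified", line))
    for size, paths in sizes.items():
        if size and len(paths) >= 3:  # one payload dropped under several names
            findings.append(("review", "same-size-cluster",
                             f"{len(paths)} new files of {size} bytes: " + ", ".join(paths)))
    return findings
```

Calling triage(SAMPLE_LOG) returns one (severity, rule, line) tuple per hit, so a full ComboFix.txt can be pasted into the string or read from disk and the result sorted by severity. The print-processor rule is location-based on purpose: nothing but the spooler's own winprint.dll belongs in that directory, and in the report above spoolsv.exe also appears in the firewall's AuthorizedApplications list, which fits those DLLs being loaded into the spooler at start-up. The same-size and autorun-of-new-file rules are deliberately cross-checks over the whole report rather than single-line patterns, because the random file names change on every drop while size and timing do not.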


#13 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 10 June 2010 - 06:34 PM

Hello.

Are you still there?

If you are, please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding.

With Regards,
fireman4it


#14 fireman4it (Bleepin' Fireman, Malware Response Team)

Posted 13 June 2010 - 08:34 AM

Due to the lack of feedback, this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members or myself. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.