Infected with multiple...stuff!


Post by Hardykat on 31st December 2009, 6:04 am

I'm back!

Thanks again for helping me out with my work computer. It's running beautifully and I haven't had any problems since.

My home computer, however, needs big time help. Ever since it crashed back in October and I had to do a recovery, it's been getting hit with all kinds of nasty malware. I've had Google hijacked, Malwarebytes disabled, system restore disabled, safe mode disabled, desktop hijacked, my computer doing weird stuff. You name it, it has happened.

I have a Gateway desktop with Windows XP Home SP3. I switched from IE 8 to Firefox because IE was just too buggy for me. I have McAfee through Comcast. I've run that so many times. I finally got Malwarebytes to work. It finds the nasty malware and trojans. I'm able to get control of my computer for a while, but a few minutes later I'm infected again. Like right now! In the middle of working on a time-sensitive project I got infected. Every time I clicked on a link in Google I would get a stupid redirect or some fake warning that this link is a virus. I ran Malwarebytes and this is my log:

Malwarebytes' Anti-Malware 1.43
Database version: 3461
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/31/2009 12:52:51 AM
mbam-log-2009-12-31 (00-52-51).txt

Scan type: Quick Scan
Objects scanned: 122085
Time elapsed: 14 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\winsts (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ygua8e7yhuiesfha876yfauy8fe (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\yja93.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\oqnqso.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\waxfhosk.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gh3hcu404.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Spyware.Passwords) -> Delete on reboot.
C:\WINDOWS\system32\mshlps.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vvkxrbfw3f.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\nunlj.sys (Rootkit.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\3105258424.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\529451608.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\818201608.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\debug.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\drweb.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\spoolsv.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\notepad.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\win.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jtmti.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\jyjrjnrtm.tmp (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\bh2os.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\sa331195.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Owner.YOUR-20CB7B5077\Local Settings\Temporary Internet Files\Content.IE5\E1H99H4G\SetupIS2010[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Delete on reboot.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\dfgdgdfgrgdgfdrdfs.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.


I'll be forever in your debt if you can save me from Malware Hades. Bring it on!


Last edited by Hardykat on 31st December 2009, 5:09 pm; edited 1 time in total


Re: Infected with multiple...stuff!

Post by Belahzur on 31st December 2009, 4:15 pm

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double-click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement; press Accept and HijackThis will run.
  • Select Do a system scan and save a log file. This will open a Notepad file of everything HijackThis found; copy and paste it back here.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Infected with multiple...stuff!

Post by Hardykat on 31st December 2009, 5:13 pm

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:11:52 PM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
TP&M=GT4024
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255829409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [VirusScan Online] \mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe "C:\WINDOWS\avinimiqay.dll",Startup
O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Comm


Re: Infected with multiple...stuff!

Post by Belahzur on 31st December 2009, 5:15 pm

Sorry, I can barely read that.

Open the logfile in Notepad, go into the "Format" menu, and untick Word Wrap.


Please re-post the log without Word Wrap on.





Re: Infected with multiple...stuff!

Post by Hardykat on 31st December 2009, 5:20 pm

Oops!

Here ya go!

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 12:11:52 PM, on 12/31/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\zHotkey.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\PROGRA~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [You must be registered and logged in to see this link.]
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1255829409\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [McAfee Backup] "C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe"
O4 - HKLM\..\Run: [VirusScan Online] \mcvsshld.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe
O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe "C:\WINDOWS\avinimiqay.dll",Startup
O4 - HKLM\..\Run: [Recordpad] "C:\Program Files\NCH Swift Sound\Recordpad\recordpad.exe" -logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: CarboniteService - Carbonite, Inc. ([You must be registered and logged in to see this link.] - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 9720 bytes


Re: Infected with multiple...stuff!

Post by Belahzur on 31st December 2009, 5:26 pm

Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe "C:\WINDOWS\avinimiqay.dll",Startup
    O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')


  • Press "Fix Checked"
  • Close HijackThis.

  • Download ComboFix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a ComboFix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




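As an added example (not HijackThis code, and not posted by anyone in this thread), the Python script below encodes the kind of checks a helper applies by hand when picking out the O1/O2/O4/O20 lines marked for "Fix checked" above: non-default hosts entries, orphaned BHOs, Run values that launch from temp or profile paths, rundll32 loading a DLL from the Windows root, machine-generated value names, and anything in AppInit_DLLs. The patterns and thresholds are my assumptions, and the sample log is constructed from entries in the posted log.

```python
"""Triage helper for HijackThis-style log lines.

Added example, not HijackThis code: it encodes the checks a helper applies by
hand to O1/O2/O4/O20 entries.  Patterns and thresholds are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: the lines marked for "Fix checked" in the thread above,
# plus benign lines from the same log for contrast.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Dyawucucaqiqeje] rundll32.exe "C:\WINDOWS\avinimiqay.dll",Startup
O4 - HKUS\S-1-5-18\..\Run: [notepad] rundll32.exe C:\DOCUME~1\LOCALS~1\ntload.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [asg984jgkfmgasi8ug98jgkfgfb] C:\WINDOWS\TEMP\win.exe (User 'SYSTEM')
O20 - AppInit_DLLs: C:\WINDOWS\system32\kbdsock.dll,C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
""".strip()

LINE_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
# Locations an autostart entry should not normally launch from.
USER_WRITABLE_RE = re.compile(r"\\(temp|docume~1|documents and settings|local settings)\\", re.I)
# A DLL sitting directly in the Windows root (not system32) is a classic hiding spot.
WINDOWS_ROOT_DLL_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.dll$", re.I)
# Value names borrowed from real Windows binaries to look familiar.
IMPERSONATED = {"notepad", "explorer", "svchost", "spoolsv", "winlogon", "lsass"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def generated_name(name: str) -> bool:
    """Names such as 'asg984jgkfmgasi8ug98jgkfgfb' alternate letter and digit runs."""
    runs = re.findall(r"[a-z]+|\d+", name, re.I)
    digit_runs = sum(r.isdigit() for r in runs)
    return len(name) >= 12 and len(runs) >= 5 and digit_runs >= 2


def check_o4(body: str) -> list[str]:
    """Score one Run-key entry; O4 Startup-folder entries are not scored here."""
    m = RUN_RE.match(body)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    reasons = []
    if generated_name(name):
        reasons.append("value name looks machine-generated")
    if name.lower() in IMPERSONATED and name.lower() not in cmd.lower():
        reasons.append("value name impersonates a Windows binary it does not launch")
    if USER_WRITABLE_RE.search(cmd):
        reasons.append("launches from a temp or user-profile location")
    r = RUNDLL_RE.match(cmd)
    if r and WINDOWS_ROOT_DLL_RE.match(r.group("dll")):
        reasons.append("rundll32 loads a DLL from the Windows root directory")
    return reasons


def check_line(line: str) -> list[str]:
    """Return the review reasons for one log line (empty list = nothing to flag)."""
    m = LINE_RE.match(line)
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    if section == "O1":  # XP's default hosts file carries only the IPv4 loopback line
        return [] if body.lower() == "hosts: 127.0.0.1 localhost" else ["non-default hosts entry"]
    if section == "O2":
        return ["orphaned BHO (no file)"] if body.endswith("(no file)") else []
    if section == "O4":
        return check_o4(body)
    if section == "O20":  # AppInit_DLLs is loaded into every process that links user32
        dlls = re.split(r"[,\s]+", body.split(":", 1)[1].strip())
        return [f"AppInit_DLLs entry {d}: verify the vendor" for d in dlls if d]
    return []


def triage(log_text: str) -> list[Finding]:
    """Run check_line over a whole pasted log and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        for reason in check_line(line):
            findings.append(Finding(line.split(" - ", 1)[0], reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run it as a script to print the findings for the embedded sample, or call triage() on a pasted log; every flagged line is a review prompt, not a verdict, since vendor DLLs (the Google entry in AppInit_DLLs here) also trip the broad rules.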

Re: Infected with multiple...stuff!

Post by Hardykat on 31st December 2009, 6:13 pm

ComboFix 09-12-31.01 - Owner 12/31/2009 12:46:56.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.468 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-20CB7B5077\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-163167965-408290686-327467740-500
c:\windows\avinimiqay.dll
c:\windows\run.log
D:\Autorun.inf
J:\Autorun.inf

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_WINSTS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 17:11 . 2009-12-31 17:11 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:29 . 2009-12-31 05:29 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Recordpad
2009-12-15 10:41 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:41 . 2009-12-31 05:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 10:41 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 02:14 . 2009-12-11 02:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-11 02:14 . 2009-12-20 22:28 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\skypePM
2009-12-11 02:11 . 2009-12-20 23:55 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\program files\Common Files\Skype
2009-12-11 02:10 . 2009-12-11 02:11 -------- d-----r- c:\program files\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-05 02:01 . 2009-12-05 02:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-05 01:32 . 2009-12-05 01:32 237600 ----a-w- c:\windows\system32\drivers\str.sys.vir
2009-12-03 12:39 . 2009-12-03 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-03 12:07 . 2009-12-03 12:23 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 18:04 . 2009-12-28 20:44 773120 ----a-w- c:\windows\system32\drivers\nunlj.sys
2009-12-31 17:11 . 2009-12-31 17:11 388096 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 14:59 . 2009-12-28 21:01 120 ----a-w- c:\windows\Vsakozoloce.dat
2009-12-31 06:23 . 2009-10-18 00:27 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire
2009-12-31 05:36 . 2009-12-31 05:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 05:24 . 2009-12-28 21:01 0 ----a-w- c:\windows\Ffazikuji.bin
2009-12-31 03:57 . 2009-12-31 03:52 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\NCH Swift Sound
2009-12-31 03:53 . 2009-12-31 03:52 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-31 03:52 . 2009-12-18 01:50 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-31 03:52 . 2009-12-31 03:52 -------- d-----w- c:\program files\NCH Software
2009-12-31 02:31 . 2009-10-25 02:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 01:31 . 2005-01-10 01:26 186704 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 23:46 . 2009-11-12 18:43 926 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\wklnhst.dat
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\program files\McAfee
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-28 02:02 . 2009-10-24 00:37 -------- d-----w- c:\program files\Yahoo!
2009-11-28 02:01 . 2009-10-18 01:14 -------- d-----w- c:\program files\Google
2009-11-20 00:14 . 2009-11-20 00:14 726008 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\gotomypc_438.exe
2009-11-19 01:09 . 2009-10-18 23:14 -------- d-----w- c:\program files\FrostWire
2009-11-19 00:53 . 2009-11-19 00:53 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\IsolatedStorage
2009-11-15 16:55 . 2009-11-15 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-15 16:52 . 2009-10-18 01:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 16:50 . 2009-11-15 16:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-15 16:49 . 2009-11-15 16:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-14 20:32 . 2009-11-14 20:32 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Elluminate
2009-11-14 20:32 . 2009-11-14 20:32 74240 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JINECELP.dll
2009-11-14 20:32 . 2009-11-14 20:32 73216 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWAudio.dll
2009-11-14 20:32 . 2009-11-14 20:32 66048 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWMixer.dll
2009-11-14 20:32 . 2009-11-14 20:32 65536 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\ICE_JNIRegistry.dll
2009-11-14 20:32 . 2009-11-14 20:32 60928 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\WinPlatform.dll
2009-11-13 03:17 . 2009-11-13 03:17 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-13 03:16 . 2009-11-13 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-13 01:15 . 2009-11-04 03:18 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\DivX
2009-11-12 18:43 . 2009-11-12 18:43 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Template
2009-11-10 02:54 . 2009-11-10 02:54 -------- d-----w- c:\program files\MSECache
2009-11-04 02:48 . 2009-10-25 02:45 -------- d-----w- c:\program files\Sony Setup
2009-11-04 02:39 . 2009-11-01 09:55 -------- d-----w- c:\program files\DivX
2009-11-04 02:39 . 2009-11-04 02:36 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-29 07:45 . 2006-09-30 03:36 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-30 03:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-30 03:30 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-09-30 03:30 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 23:43 . 2009-10-18 23:43 0 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-18 23:13 . 2009-10-18 23:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-18 23:13 . 2009-10-18 23:13 152576 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-18 19:09 . 2005-01-10 01:10 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-18 01:32 . 2009-10-18 02:05 49152 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:05 10134 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 02:04 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:04 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 01:32 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 01:32 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:31 . 2009-10-18 01:31 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-10-18 01:30 . 2009-10-18 01:30 335 ----a-w- c:\windows\nsreg.dat
2009-10-18 01:28 . 2009-10-18 01:28 4 ----a-w- c:\windows\Pix11.dat
2009-10-17 23:18 . 2009-10-17 23:18 144 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\fusioncache.dat
2009-10-13 10:30 . 2006-09-30 03:34 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-09-30 03:35 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-30 03:35 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 07:07 . 2009-11-15 16:50 38208 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-18 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"HostManager"="c:\program files\Common Files\AOL\1255829409\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-18 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
"Recordpad"="c:\program files\NCH Swift Sound\Recordpad\recordpad.exe" [2009-12-31 913412]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner.YOUR-20CB7B5077\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2005-06-01 21:05 368714 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1255829409\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Toolbars\\Shared\\SkypeNames.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 ndisdrv;ndisdrv;\??\c:\windows\system32\ndisdrv.sys --> c:\windows\system32\ndisdrv.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - nunlj
.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1987120589-1196514716-1893015011-1006Core.job
- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-22 05:49]

2009-10-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-12-31 c:\windows\Tasks\User_Feed_Synchronization-{81066519-6634-4B8E-9960-EDDCCAEC4BB9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Mozilla\Firefox\Profiles\12ryfjfj.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-VirusScan Online - \mcvsshld.exe
HKLM-Run-Dyawucucaqiqeje - c:\windows\avinimiqay.dll
SafeBoot-aawservice
MSConfigStartUp-notepad - c:\windows\system32\notepad.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-31 13:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nunlj]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(620)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3216)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\RTHDCPL.EXE
c:\windows\zHotkey.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-31 13:08:45 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 18:08

Pre-Run: 214,563,799,040 bytes free
Post-Run: 214,661,099,520 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 2CE3F5DA9852430610EA2A5B4742EFEA

Hardykat
Novice

Posts: 28
Joined: 2009-12-21
Gender: Female
OS: Windows 7 Home Premium
Protection: Norton 360
Points: 25781
Likes: 0

Re: Infected witn multiple...stuff!

Post by Belahzur on 31st December 2009, 6:25 pm


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\drivers\str.sys.vir
    c:\windows\system32\drivers\nunlj.sys
    c:\windows\Vsakozoloce.dat
    c:\windows\Ffazikuji.bin

    Driver::
    ndisdrv
    nunlj

    Registry::
    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nunlj]
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts: 34918
Joined: 2008-08-03
Gender: Male
OS: 7 Home Premium x64
Points: 245091
Likes: 1

Re: Infected witn multiple...stuff!

Post by Hardykat on 31st December 2009, 6:32 pm

Working on the next part.

Just to let you know, after ComboFix did its thing and the computer restarted, I got a rundll error involving "avinimiqay.dll".


Last edited by Hardykat on 31st December 2009, 6:58 pm; edited 1 time in total


Re: Infected witn multiple...stuff!

Post by Hardykat on 31st December 2009, 6:57 pm

ComboFix 09-12-31.01 - Owner 12/31/2009 13:34:15.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.398 [GMT -5:00]
Running from: c:\documents and settings\Owner.YOUR-20CB7B5077\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Owner.YOUR-20CB7B5077\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Ffazikuji.bin"
"c:\windows\system32\drivers\nunlj.sys"
"c:\windows\system32\drivers\str.sys.vir"
"c:\windows\Vsakozoloce.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Ffazikuji.bin
c:\windows\system32\drivers\nunlj.sys
c:\windows\system32\drivers\str.sys.vir
c:\windows\Vsakozoloce.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISDRV
-------\Legacy_NUNLJ
-------\Service_ndisdrv
-------\Service_nunlj


((((((((((((((((((((((((( Files Created from 2009-11-28 to 2009-12-31 )))))))))))))))))))))))))))))))
.

2009-12-31 18:32 . 2009-12-31 18:32 -------- d-----w- C:\32788R22FWJFW
2009-12-31 17:11 . 2009-12-31 17:11 -------- d-----w- c:\program files\TrendMicro
2009-12-31 05:29 . 2009-12-31 05:29 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Recordpad
2009-12-31 03:52 . 2009-12-31 03:52 -------- d-----w- c:\program files\NCH Software
2009-12-31 03:52 . 2009-12-31 03:57 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\NCH Swift Sound
2009-12-31 03:52 . 2009-12-31 03:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-12-30 03:04 . 2009-12-30 03:04 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-12-28 21:40 . 2009-12-28 21:40 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-12-28 20:51 . 2009-12-28 20:51 -------- d-----w- C:\found.000
2009-12-18 01:50 . 2009-12-31 03:52 -------- d-----w- c:\program files\NCH Swift Sound
2009-12-15 10:41 . 2009-12-30 19:55 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-15 10:41 . 2009-12-31 05:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-15 10:41 . 2009-12-30 19:54 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-11 02:14 . 2009-12-11 02:14 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-12-11 02:14 . 2009-12-20 22:28 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\skypePM
2009-12-11 02:11 . 2009-12-20 23:55 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\program files\Common Files\Skype
2009-12-11 02:10 . 2009-12-11 02:11 -------- d-----r- c:\program files\Skype
2009-12-11 02:10 . 2009-12-11 02:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2009-12-05 02:01 . 2009-12-05 02:01 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-12-03 12:39 . 2009-12-03 12:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2009-12-03 12:07 . 2009-12-03 12:23 -------- d-----w- c:\program files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-31 17:11 . 2009-12-31 17:11 388096 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2009-12-31 06:23 . 2009-10-18 00:27 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire
2009-12-31 05:36 . 2009-12-31 05:36 5061520 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-12-31 02:31 . 2009-10-25 02:51 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-22 01:31 . 2005-01-10 01:26 186704 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-12-16 23:46 . 2009-11-12 18:43 926 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\wklnhst.dat
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\program files\McAfee
2009-12-05 03:22 . 2009-10-18 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-28 02:02 . 2009-10-24 00:37 -------- d-----w- c:\program files\Yahoo!
2009-11-28 02:01 . 2009-10-18 01:14 -------- d-----w- c:\program files\Google
2009-11-20 00:14 . 2009-11-20 00:14 726008 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\gotomypc_438.exe
2009-11-19 01:09 . 2009-10-18 23:14 -------- d-----w- c:\program files\FrostWire
2009-11-19 00:53 . 2009-11-19 00:53 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\IsolatedStorage
2009-11-15 16:55 . 2009-11-15 16:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-11-15 16:52 . 2009-10-18 01:28 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-15 16:50 . 2009-11-15 16:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-11-15 16:49 . 2009-11-15 16:49 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-14 20:32 . 2009-11-14 20:32 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Elluminate
2009-11-14 20:32 . 2009-11-14 20:32 74240 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JINECELP.dll
2009-11-14 20:32 . 2009-11-14 20:32 73216 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWAudio.dll
2009-11-14 20:32 . 2009-11-14 20:32 66048 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\36\2c690564-5eecdd80-n\JIWMixer.dll
2009-11-14 20:32 . 2009-11-14 20:32 65536 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\ICE_JNIRegistry.dll
2009-11-14 20:32 . 2009-11-14 20:32 60928 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\Deployment\cache\6.0\47\442eef-364e1f84-n\WinPlatform.dll
2009-11-13 03:17 . 2009-11-13 03:17 136 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\fusioncache.dat
2009-11-13 03:16 . 2009-11-13 03:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-11-13 01:15 . 2009-11-04 03:18 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\DivX
2009-11-12 18:43 . 2009-11-12 18:43 -------- d-----w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Template
2009-11-10 02:54 . 2009-11-10 02:54 -------- d-----w- c:\program files\MSECache
2009-11-04 02:48 . 2009-10-25 02:45 -------- d-----w- c:\program files\Sony Setup
2009-11-04 02:39 . 2009-11-01 09:55 -------- d-----w- c:\program files\DivX
2009-11-04 02:39 . 2009-11-04 02:36 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-29 07:45 . 2006-09-30 03:36 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2006-09-30 03:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2006-09-30 03:30 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2006-09-30 03:30 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-18 23:43 . 2009-10-18 23:43 0 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-18 23:13 . 2009-10-18 23:14 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-18 23:13 . 2009-10-18 23:13 152576 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-18 19:09 . 2005-01-10 01:10 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-10-18 01:32 . 2009-10-18 02:05 49152 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:05 45056 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:05 10134 ----a-r- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 02:04 49152 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 02:04 45056 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 02:04 10134 ----a-r- c:\windows\system32\config\systemprofile\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:32 . 2009-10-18 01:32 49152 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut3_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut2_15377C3E9655400FB441E69F0A6BEAFE.EXE
2009-10-18 01:32 . 2009-10-18 01:32 45056 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\NewShortcut1_15377C3E9655400FB441E69F0A6BEAFE.exe
2009-10-18 01:32 . 2009-10-18 01:32 10134 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{15377C3E-9655-400F-B441-E69F0A6BEAFE}\ARPPRODUCTICON.exe
2009-10-18 01:31 . 2009-10-18 01:31 8552 ----a-w- c:\windows\system32\drivers\asctrm.sys
2009-10-18 01:30 . 2009-10-18 01:30 335 ----a-w- c:\windows\nsreg.dat
2009-10-18 01:28 . 2009-10-18 01:28 4 ----a-w- c:\windows\Pix11.dat
2009-10-17 23:18 . 2009-10-17 23:18 144 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\fusioncache.dat
2009-10-13 10:30 . 2006-09-30 03:34 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2006-09-30 03:35 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2006-09-30 03:35 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-10 07:07 . 2009-11-15 16:50 38208 ----a-w- c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2009-09-19 01:09 574096 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-10-18 169984]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]
"CHotkey"="zHotkey.exe" [2004-12-09 550912]
"HostManager"="c:\program files\Common Files\AOL\1255829409\EE\AOLHostManager.exe" [2004-11-03 125528]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-19 79448]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"MSKAGENTEXE"="c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe" [2005-09-26 110592]
"MSKDetectorExe"="c:\progra~1\McAfee\SPAMKI~1\MSKDetct.exe" [2005-08-12 1121792]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"McAfee Backup"="c:\program files\McAfee\MBK\McAfeeDataBackup.exe" [2009-07-09 5134864]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-10-18 98304]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2009-09-19 670864]
"Recordpad"="c:\program files\NCH Swift Sound\Recordpad\recordpad.exe" [2009-12-31 913412]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\Owner.YOUR-20CB7B5077\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2005-06-01 21:05 368714 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1255829409\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Toolbars\\Shared\\SkypeNames.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsshld.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-12-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1987120589-1196514716-1893015011-1006Core.job
- c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-10-22 05:49]

2009-10-18 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-10-18 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-18 16:22]

2009-12-31 c:\windows\Tasks\User_Feed_Synchronization-{81066519-6634-4B8E-9960-EDDCCAEC4BB9}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.YOUR-20CB7B5077\Application Data\Mozilla\Firefox\Profiles\12ryfjfj.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - plugin: c:\documents and settings\Owner.YOUR-20CB7B5077\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\McAfee\Supportability\MVT\NPMVTPlugin.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-12-31 13:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,19,13,4e,3c,40,f6,28,40,98,53,a7,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\progra~1\McAfee\SPAMKI~1\mskoeplg.dll
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\program files\Google\Google Desktop Search\GoogleDesktopHyper.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\progra~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\RTHDCPL.EXE
c:\windows\zHotkey.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopIndex.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLHOS~1.EXE
c:\progra~1\COMMON~1\AOL\125582~1\EE\AOLServiceHost.exe
c:\program files\McAfee\MPF\MPFSrv.exe
.
**************************************************************************
.
Completion time: 2009-12-31 13:50:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-31 18:50
ComboFix2.txt 2009-12-31 18:08

Pre-Run: 214,677,671,936 bytes free
Post-Run: 214,623,887,360 bytes free

- - End Of File - - 28BC2E73573A2147AFB4D5961FF6499F

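The registry dump ComboFix printed above (the Reg Loading Points section, the Security Center Monitoring keys and the firewall policy keys) is the part a helper reads by hand before deciding what to clean. As an added example that is not part of this thread or of ComboFix, the Python below parses that layout (a bracketed key followed by "name"=value lines) and flags the settings worth confirming: Security Center monitoring disabled for a product, the Windows Firewall standard profile switched off, a firewall exception for a file-sharing client, and an autostart entry given as a bare file name. SAMPLE_LOG is a constructed excerpt modelled on the log above; the rules and the P2P_MARKERS list are this example's own assumptions, not ComboFix's classification.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example, not code from the forum thread or from ComboFix. The
registry locations checked are real Windows XP keys; SAMPLE_LOG and the
review rules are constructed for this example.
"""
import re
from dataclasses import dataclass

# Constructed excerpt in ComboFix's layout. ComboFix abbreviates
# HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet as "HKLM\~".
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-01-12 15961088]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')

# File-sharing clients named in the thread; assumption, extend as needed.
P2P_MARKERS = ("frostwire",)


@dataclass
class Finding:
    key: str
    name: str
    value: str
    reason: str


def parse_loading_points(text):
    """Return (key, name, value) triples; '@=' default values are skipped."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            entries.append((current_key, m.group("name"), m.group("value").strip()))
    return entries


def reg_int(value):
    """Decode the integer forms ComboFix prints: 'dword:00000001' or '1 (0x1)'."""
    m = re.match(r"dword:([0-9a-fA-F]+)", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x", value)
    if m:
        return int(m.group(1))
    return None


def review(entries):
    """Apply the review rules; each hit means 'confirm by hand', not 'infected'."""
    findings = []
    for key, name, value in entries:
        k, n = key.lower(), name.lower()
        if "security center\\monitoring" in k and n == "disablemonitoring" and reg_int(value) == 1:
            findings.append(Finding(key, name, value,
                "Security Center monitoring switched off for this product; "
                "confirm the product's own console shows it active"))
        elif k.endswith("firewallpolicy\\standardprofile") and n == "enablefirewall" and reg_int(value) == 0:
            findings.append(Finding(key, name, value,
                "Windows Firewall disabled in the standard profile; "
                "acceptable only if a third-party firewall is confirmed running"))
        elif k.endswith("authorizedapplications\\list") and any(p in n for p in P2P_MARKERS):
            findings.append(Finding(key, name, value, "firewall exception for a file-sharing client"))
        elif k.endswith("\\currentversion\\run"):
            m = re.match(r'"([^"]*)"', value)
            if m and "\\" not in m.group(1):
                findings.append(Finding(key, name, value,
                    "autostart given as a bare file name; it is resolved via PATH, "
                    "so verify which copy actually runs"))
    return findings


if __name__ == "__main__":
    for f in review(parse_loading_points(SAMPLE_LOG)):
        print(f"{f.key}\n  {f.name} = {f.value or '(empty)'}\n  -> {f.reason}")
```

A DisableMonitoring hit is a prompt to check, not a verdict: third-party suites such as McAfee set that key themselves so Security Center does not double-report, which is why the rule only says to confirm the product is running. The same goes for the firewall profile being off when a vendor firewall has taken over.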

Re: Infected witn multiple...stuff!

Post by Belahzur on 31st December 2009, 7:04 pm

Okay, nearly done.

  • Open HijackThis.
  • When HijackThis opens, click "Open the Misc Tools section"
  • Then select "Open Uninstall Manager"
  • Click on "Save List..." (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Infected witn multiple...stuff!

Post by Hardykat on 31st December 2009, 7:08 pm

Acrobat.com
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.2
Adobe Stock Photos 1.0
Agere Systems PCI-SV92PP Soft Modem
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL Instant Messenger
AOL Spyware Protection
AOL You've Got Pictures Screensaver
ATI - Software Uninstall Utility
ATI Display Driver
ATI Parental Control & Encoder
Browser Address Error Redirector
Carbonite
Compatibility Pack for the 2007 Office system
Digital Media Reader
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
DVD Solution
FrostWire 4.18.4
Google Desktop
gtw_logo
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
J2SE Runtime Environment 5.0 Update 2
Java(TM) 6 Update 15
ljArchive
Macromedia Dreamweaver 8
Macromedia Extension Manager
Malwarebytes' Anti-Malware
McAfee SecurityCenter
McAfee Uninstall Wizard
McAfee Virtual Technician
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Digital Image Starter Edition 2006
Microsoft Money 2006
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works
middle_man
MixPad Audio Mixer
Mozilla Firefox (3.5.6)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Multimedia Keyboard Driver
Napster
Napster Burn Engine
Photo Story 3 for Windows
Power2Go 4.0
PowerDVD
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
RecordPad Sound Recorder
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Skype web features
Skype™ 4.1
Sonic Encoders
Sony Vegas Pro 8.0
Switch Sound File Converter
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB973874)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows XP (KB951978)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.4053
Viewpoint Media Player
WavePad Sound Editor
Windows Backup Utility
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Messenger
Yahoo! Software Update
YouTube Downloader 2.5.3


Re: Infected witn multiple...stuff!

Post by Belahzur on 31st December 2009, 7:12 pm

Hello.

I see that you are running Frostwire.
P2P (peer-to-peer) applications are designed to help you easily share and distribute files between you and a group of people. But they can also be used to distribute malware, and thus are not considered safe.
The removal of these programs is optional, but highly recommended.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs.

    FrostWire 4.18.4
    J2SE Runtime Environment 5.0 Update 2
    Java(TM) 6 Update 15
    Viewpoint Media Player

Updating Java:

  • Download the latest version of [You must be registered and logged in to see this link.].
  • Select the second option, where it says "This special release provides a few key fixes".
  • Click the "Download" button to the right.
  • In the Window that opens, select your platform, check the "agree" box, and click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u17-windows-i586.exe that you downloaded to install the newest version.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?





Re: Infected witn multiple...stuff!

Post by Hardykat on 31st December 2009, 7:36 pm

It's running great now! Thank You!


Re: Infected witn multiple...stuff!

Post by Belahzur on 31st December 2009, 7:46 pm

This should be fine now.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommend the following add-ons for Firefox; they will help keep you safe from malicious scripts or ActiveX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please consider using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck.



