Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys


Post by rktoby on Sat Jan 23, 2010 12:41 am

I have viruses:
Packed.Protector.C
Windows\system32\dllcache\cdrom.sys
System Volume Information\_restore{C43C72E6-B5D5-4A2B-822E-A58C130FF25A}\RP473\A0065681.sys

Trojan horse injector.EZ
Windows\system32\imPlayok.exe

Trojan horse BackDoor.Generic12.GOG.dropper
Windows\system32\264577.exe
\474222.exe
\523963.exe
\602369.exe
\88793.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:18 PM, on 1/22/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\ofps.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG9\avgui.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Rick Toby\Desktop\winlogon.scr

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\Rick Toby\budmcut.exe \s
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 antispy.microsoft.com
O1 - Hosts: 209.44.111.62 antiaware-pro.com
O1 - Hosts: 209.44.111.62 [You must be registered and logged in to see this link.]
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [cjhd] C:\WINDOWS\system32\cjhd.exe \u
O4 - HKLM\..\Run: [imPlayok] C:\WINDOWS\system32\imPlayok.exe
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tovedadok] Rundll32.exe "c:\windows\system32\mikusedi.dll",a
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [imPlayok] C:\Documents and Settings\Rick Toby\imPlayok.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - [You must be registered and logged in to see this link.]
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - [You must be registered and logged in to see this link.]
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} (Drag and Drop Uploader Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - [You must be registered and logged in to see this link.]
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0BEB0F8-FBA3-4394-A65F-9C4F453152D4}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\0023.DLL c:\windows\system32\mikusedi.dll,yerodovo.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: johayuket - {8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
O22 - SharedTaskScheduler: jugezatag - {8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1ca11eb9c8a20f) (gupdate1ca11eb9c8a20f) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Kodak AiO Network Discovery Service - Unknown owner - C:\Program Files\Kodak\Printer\Center\EKDiscovery.exe (file missing)
O23 - Service: Kodak AiO Device Service (KodakSvc) - Eastman Kodak Company - C:\Program Files\Kodak\printer\center\KodakSvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--
End of file - 9831 bytes


Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by Belahzur on Sat Jan 23, 2010 1:43 am

Hello.

  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:
    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.
  • Allow combofix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.



Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by rktoby on Sat Jan 23, 2010 2:51 am

ComboFix 10-01-21.08 - Rick Toby 01/22/2010 20:31:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.607 [GMT -6:00]
Running from: c:\documents and settings\Rick Toby\Desktop\Combo-Fix.exe
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ozewaxu.inf
c:\documents and settings\All Users\Documents\kyhit.vbs
c:\documents and settings\All Users\Documents\owab.reg
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\documents and settings\Rick Toby\Local Settings\Application Data\ulydoto.bat
c:\documents and settings\Rick Toby\My Documents\ZbThumbnail.info
c:\documents and settings\Rick Toby\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\program files\Common Files\zyqimi.bat
c:\program files\driver
c:\windows\010112010146118114.dat
c:\windows\system32\797114.exe
c:\windows\system32\fidebipi.dll
c:\windows\system32\isocolygu.vbs
c:\windows\system32\mikusedi.dll
c:\windows\system32\muzapp.exe
c:\windows\system32\nevikegu.dll
c:\windows\system32\ntnet.drv
c:\windows\system32\orybabujy.vbs
c:\windows\system32\setihuni.dll
c:\windows\system32\terrapof32
c:\windows\system32\terrapof32\efwef23.gds
c:\windows\system32\terrapof32\g45hged.gdp
c:\windows\system32\yerodovo.dll
c:\windows\Tasks.\AntiSpywareBot Scheduled Scan.job
c:\windows\Tasks\smumiqbz.job
c:\windows\Tasks.\AntispywareBot Scheduled Scan.job . . . . failed to delete

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :p
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONESTEP_SEARCH_SERVICE


((((((((((((((((((((((((( Files Created from 2009-12-23 to 2010-01-23 )))))))))))))))))))))))))))))))
.

2010-01-23 02:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-23 02:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-22 18:03 . 2010-01-22 18:03 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Simple Star
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNNVEContent.exe
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNAheadManual.exe
2010-01-22 17:47 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2010-01-22 15:27 . 2010-01-22 15:30 -------- d-----w- C:\$AVG
2010-01-22 15:25 . 2010-01-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 05:23 . 2010-01-22 05:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 20:10 . 2010-01-21 20:11 -------- d-----w- c:\program files\MeadCo Neptune
2010-01-21 15:17 . 2010-01-21 15:17 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Canneverbe_Limited
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-20 02:59 . 2010-01-21 15:46 -------- d-----w- c:\documents and settings\Rick Toby\Local Settings\Application Data\mpuoul
2010-01-15 14:09 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 00:10 . 2007-01-22 03:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 18:16 . 2007-04-13 21:49 -------- d-----w- c:\program files\Ahead
2010-01-22 18:03 . 2007-04-13 21:51 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Ahead
2010-01-22 17:55 . 2010-01-22 17:55 61 ----a-w- c:\windows\system32\drivers\OLD135.tmp
2010-01-22 15:26 . 2007-01-22 01:52 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 15:26 . 2008-05-14 16:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 15:25 . 2008-05-14 16:47 -------- d-----w- c:\program files\AVG
2010-01-22 01:51 . 2004-08-04 02:59 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-01-21 19:49 . 2009-06-29 16:24 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\SlimBrowser
2010-01-14 17:12 . 2009-10-05 04:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 17:15 . 2007-04-10 16:40 234112 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 15:49 . 2007-01-27 17:09 -------- d-----w- c:\program files\DivX
2010-01-11 15:27 . 2007-01-22 02:41 -------- d-----w- c:\program files\SlimBrowser
2009-12-22 05:21 . 2004-08-04 04:56 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-06-26 18:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-11 22:33 . 2009-12-11 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\program files\TomTom International B.V
2009-12-11 22:32 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom HOME 2
2009-12-11 22:31 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\magellangps.com
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\program files\Magellan
2009-11-21 15:51 . 2004-08-04 04:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-08-27 21:35 . 2009-08-27 21:35 11673 ----a-w- c:\program files\Common Files\wajonuse.pif
2009-08-27 15:33 . 2009-08-27 15:33 16136 ----a-w- c:\program files\Common Files\kodykyrige.sys
2009-08-27 14:13 . 2009-08-27 14:13 13798 ----a-w- c:\program files\Common Files\iluqu.dat
2009-08-27 14:13 . 2009-08-27 14:13 13509 ----a-w- c:\program files\Common Files\ucydady.pif
2009-08-27 14:13 . 2009-08-27 14:13 10924 ----a-w- c:\program files\Common Files\yjukum.bin
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\gedofano.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\gibuzufo.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\jelukahu.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 51712 --sha-w- c:\windows\system32\kupuweyo.dll
1601-01-01 00:03 . 1601-01-01 00:03 55296 --sha-w- c:\windows\system32\suhireje.dll.tmp
1601-01-01 00:03 . 1601-01-01 00:03 61952 --sha-w- c:\windows\system32\tidowove.dll
1601-01-01 00:03 . 1601-01-01 00:03 96256 --sha-w- c:\windows\system32\vupivino.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bee58bc8-335e-4df7-88e5-bf0f41fd44a3}]
1601-01-01 00:03 51712 --sha-w- c:\windows\system32\kupuweyo.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cjhd"="c:\windows\system32\cjhd.exe \u" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 15:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick Toby^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40 1197648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 13:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-12-14 22:19 132624 ------w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 12:22 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"RegisterDropHandler"=c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2008 10:47 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2008 10:47 AM 360584]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [1/21/2007 9:17 PM 8192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:25 AM 285392]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1ca11eb9c8a20f;Google Update Service (gupdate1ca11eb9c8a20f);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 8:27 AM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [4/7/2007 2:47 PM 15104]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [1/22/2007 3:14 AM 138528]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]

2010-01-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uInternet Settings,ProxyOverride =
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: {C0BEB0F8-FBA3-4394-A65F-9C4F453152D4} = 208.67.220.220,208.67.222.222
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Rick Toby\Application Data\Mozilla\Firefox\Profiles\6r4i4ned.default\
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-imPlayok - c:\documents and settings\Rick Toby\imPlayok.exe
HKCU-Run-PhotoShow Deluxe Media Manager - c:\progra~1\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
HKLM-Run-imPlayok - c:\windows\system32\imPlayok.exe
HKLM-Run-NWEReboot - (no file)
HKLM-Run-tovedadok - c:\windows\system32\mikusedi.dll
HKLM-Run-wehidanayo - setihuni.dll
SharedTaskScheduler-{8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
SSODL-johayuket-{8e676256-6709-4cc7-a694-15d64ce2b01e} - c:\windows\system32\mikusedi.dll
AddRemove-HijackThis - c:\documents and settings\Rick Toby\Desktop\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-22 20:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3244)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-22 20:48:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-23 02:48

Pre-Run: 53,689,765,888 bytes free
Post-Run: 53,753,991,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 59843159AFE3C79104A17C6AC9330045

rktoby
Novice
Posts : 6
Joined : 2010-01-22
Gender : Male
OS : windows xp

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by Belahzur on Sat Jan 23, 2010 11:50 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    File::
    c:\windows\system32\drivers\OLD135.tmp
    c:\program files\Common Files\wajonuse.pif
    c:\program files\Common Files\kodykyrige.sys
    c:\program files\Common Files\iluqu.dat
    c:\program files\Common Files\ucydady.pif
    c:\program files\Common Files\yjukum.bin
    c:\windows\system32\gedofano.dll.tmp
    c:\windows\system32\gibuzufo.dll
    c:\windows\system32\jelukahu.dll.tmp
    c:\windows\system32\kupuweyo.dll
    c:\windows\system32\suhireje.dll.tmp
    c:\windows\system32\tidowove.dll
    c:\windows\system32\vupivino.dll

    Folder::
    c:\documents and settings\Rick Toby\Local Settings\Application Data\mpuoul

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bee58bc8-335e-4df7-88e5-bf0f41fd44a3}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cjhd"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=wdmaud.drv

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5555
    uInternet Settings,ProxyOverride =
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by rktoby on Sun Jan 24, 2010 4:13 am

Thanks for all the Help so far!!!!

ComboFix 10-01-21.08 - Rick Toby 01/23/2010 21:56:12.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.443 [GMT -6:00]
Running from: c:\documents and settings\Rick Toby\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rick Toby\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

FILE ::
"c:\program files\Common Files\iluqu.dat"
"c:\program files\Common Files\kodykyrige.sys"
"c:\program files\Common Files\ucydady.pif"
"c:\program files\Common Files\wajonuse.pif"
"c:\program files\Common Files\yjukum.bin"
"c:\windows\system32\drivers\OLD135.tmp"
"c:\windows\system32\gedofano.dll.tmp"
"c:\windows\system32\gibuzufo.dll"
"c:\windows\system32\jelukahu.dll.tmp"
"c:\windows\system32\kupuweyo.dll"
"c:\windows\system32\suhireje.dll.tmp"
"c:\windows\system32\tidowove.dll"
"c:\windows\system32\vupivino.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Rick Toby\Local Settings\Application Data\mpuoul
c:\program files\Common Files\iluqu.dat
c:\program files\Common Files\kodykyrige.sys
c:\program files\Common Files\ucydady.pif
c:\program files\Common Files\wajonuse.pif
c:\program files\Common Files\yjukum.bin
c:\windows\system32\drivers\OLD135.tmp
c:\windows\system32\gedofano.dll.tmp
c:\windows\system32\gibuzufo.dll
c:\windows\system32\jelukahu.dll.tmp
c:\windows\system32\kupuweyo.dll
c:\windows\system32\suhireje.dll.tmp
c:\windows\system32\tidowove.dll
c:\windows\system32\vupivino.dll

.
((((((((((((((((((((((((( Files Created from 2009-12-24 to 2010-01-24 )))))))))))))))))))))))))))))))
.

2010-01-23 02:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-23 02:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-22 18:03 . 2010-01-22 18:03 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Simple Star
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNNVEContent.exe
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNAheadManual.exe
2010-01-22 17:47 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2010-01-22 15:27 . 2010-01-22 15:30 -------- d-----w- C:\$AVG
2010-01-22 15:25 . 2010-01-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 05:23 . 2010-01-22 05:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 20:10 . 2010-01-21 20:11 -------- d-----w- c:\program files\MeadCo Neptune
2010-01-21 15:17 . 2010-01-21 15:17 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Canneverbe_Limited
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-15 14:09 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 00:10 . 2007-01-22 03:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 18:16 . 2007-04-13 21:49 -------- d-----w- c:\program files\Ahead
2010-01-22 18:03 . 2007-04-13 21:51 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Ahead
2010-01-22 15:26 . 2007-01-22 01:52 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 15:26 . 2008-05-14 16:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 15:25 . 2008-05-14 16:47 -------- d-----w- c:\program files\AVG
2010-01-22 01:51 . 2004-08-04 02:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 19:49 . 2009-06-29 16:24 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\SlimBrowser
2010-01-14 17:12 . 2009-10-05 04:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 17:15 . 2007-04-10 16:40 234112 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 15:49 . 2007-01-27 17:09 -------- d-----w- c:\program files\DivX
2010-01-11 15:27 . 2007-01-22 02:41 -------- d-----w- c:\program files\SlimBrowser
2009-12-22 05:21 . 2004-08-04 04:56 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-06-26 18:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-11 22:33 . 2009-12-11 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\program files\TomTom International B.V
2009-12-11 22:32 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom HOME 2
2009-12-11 22:31 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\magellangps.com
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\program files\Magellan
2009-11-21 15:51 . 2004-08-04 04:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-23 15:41 . 2010-01-23 15:41 16384 c:\windows\Temp\Perflib_Perfdata_7bc.dat
+ 2010-01-24 04:03 . 2010-01-24 04:03 16384 c:\windows\Temp\Perflib_Perfdata_778.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 71904 c:\windows\system32\perfc009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 71904 c:\windows\system32\perfc009.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 444028 c:\windows\system32\perfh009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 444028 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"wehidanayo"="setihuni.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 15:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=sysaudio.sys

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick Toby^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40 1197648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 13:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-12-14 22:19 132624 ------w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 12:22 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"RegisterDropHandler"=c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgtray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2008 10:47 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2008 10:47 AM 360584]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [1/21/2007 9:17 PM 8192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:25 AM 285392]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1ca11eb9c8a20f;Google Update Service (gupdate1ca11eb9c8a20f);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 8:27 AM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [4/7/2007 2:47 PM 15104]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [1/22/2007 3:14 AM 138528]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: {C0BEB0F8-FBA3-4394-A65F-9C4F453152D4} = 208.67.220.220,208.67.222.222
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Rick Toby\Application Data\Mozilla\Firefox\Profiles\6r4i4ned.default\
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-23 22:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(488)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3804)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Executive Software\Diskeeper\DkService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-01-23 22:07:35 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-24 04:07
ComboFix2.txt 2010-01-23 02:48

Pre-Run: 52,093,620,224 bytes free
Post-Run: 52,046,442,496 bytes free

- - End Of File - - E52D19131B3BEC7304027CD4B2B5EBE4

rktoby
Novice
Posts : 6
Joined : 2010-01-22
Gender : Male
OS : windows xp

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by Belahzur on Sun Jan 24, 2010 6:00 pm

Hmm.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "wehidanayo"=-

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
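The follow-up script above removes a Run-key value ("wehidanayo"="setihuni.dll" [BU]) that the earlier ComboFix log listed without the usual [date size] stamp, meaning ComboFix could not tie the command to a file on disk. As an added example, not code from ComboFix or from anyone in this thread, the Python below parses the Run-key portion of a "Reg Loading Points" section, picks out entries whose trailing tag is not a [YYYY-MM-DD size] stamp, and prints them in the Registry:: syntax the helper used. The sample input is an excerpt of the log posted in this thread; treating any non-date tag (such as [BU]) as "unresolved" and skipping the msconfig "run-" key are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the "Reg Loading Points" section as ComboFix prints it, trimmed to a
# few entries from the log posted in this thread and embedded so the example
# runs offline.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"wehidanayo"="setihuni.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
# "name"="command" [tag]  or  "name"=command  (tag optional)
ENTRY_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))'
    r'(?:\s+\[(?P<tag>[^\]]*)\])?\s*$')
# A resolved entry carries the file's date and size, e.g. [2006-03-02 577536].
RESOLVED_TAG_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')


@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    tag: Optional[str]


def is_run_key(key: str) -> bool:
    """Only live Run keys; the trailing-dash "run-" key holds msconfig-disabled entries."""
    return key.rsplit('\\', 1)[-1].lower() == 'run'


def parse_run_entries(log_text: str) -> List[RunEntry]:
    """Walk the log line by line, tracking the current [key] header."""
    entries: List[RunEntry] = []
    current_key: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        if current_key is None or not is_run_key(current_key):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        command = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
        entries.append(RunEntry(current_key, m.group('name'), command, m.group('tag')))
    return entries


def unresolved_entries(entries: List[RunEntry]) -> List[RunEntry]:
    """Entries whose tag is missing or is not a [date size] stamp (e.g. [BU])."""
    return [e for e in entries if e.tag is None or not RESOLVED_TAG_RE.match(e.tag)]


def cfscript_registry_block(entries: List[RunEntry]) -> str:
    """Emit the Registry:: directive in CFScript syntax: "name"=- deletes the value."""
    by_key: Dict[str, List[str]] = {}
    for e in entries:
        by_key.setdefault(e.key, []).append(e.name)
    lines = ['Registry::']
    for key, names in by_key.items():
        lines.append(f'[{key}]')
        lines.extend(f'"{name}"=-' for name in names)
    return '\n'.join(lines)


if __name__ == '__main__':
    candidates = unresolved_entries(parse_run_entries(SAMPLE_LOG))
    for e in candidates:
        print(f'unresolved: {e.name} -> {e.command} [{e.tag}] under {e.key}')
    print(cfscript_registry_block(candidates))
```

The date-and-size tag is the distinguishing signal here: "SoundMan"="SOUNDMAN.EXE" is also a bare filename, yet it carries a stamp and is left alone, while the [BU] entry is the one the helper scripted for removal. Each candidate the function reports still needs a person to confirm it before it goes into a CFScript.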

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by rktoby on Mon Jan 25, 2010 1:17 am

Here is the combofix log.

ComboFix 10-01-21.08 - Rick Toby 01/24/2010 18:23:38.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.556 [GMT -6:00]
Running from: c:\documents and settings\Rick Toby\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Rick Toby\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}
.

((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))
.

2010-01-23 02:36 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2010-01-23 02:36 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2010-01-22 18:03 . 2010-01-22 18:03 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Simple Star
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNNVEContent.exe
2010-01-22 17:48 . 2004-05-14 15:12 1916928 ------w- c:\windows\UNAheadManual.exe
2010-01-22 17:47 . 2004-11-11 11:50 2433024 ------w- c:\windows\UNNMP.exe
2010-01-22 15:27 . 2010-01-22 15:30 -------- d-----w- C:\$AVG
2010-01-22 15:25 . 2010-01-22 15:25 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-01-22 05:23 . 2010-01-22 05:23 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Adobe
2010-01-21 20:10 . 2010-01-21 20:11 -------- d-----w- c:\program files\MeadCo Neptune
2010-01-21 15:17 . 2010-01-21 15:17 -------- d-s---w- c:\windows\system32\config\systemprofile\UserData
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Canneverbe_Limited
2010-01-21 00:30 . 2010-01-21 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Canneverbe Limited
2010-01-15 14:09 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-01-23 00:10 . 2007-01-22 03:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-01-22 18:16 . 2007-04-13 21:49 -------- d-----w- c:\program files\Ahead
2010-01-22 18:03 . 2007-04-13 21:51 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\Ahead
2010-01-22 15:26 . 2007-01-22 01:52 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-01-22 15:26 . 2008-05-14 16:47 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-01-22 15:26 . 2008-05-14 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-01-22 15:25 . 2008-05-14 16:47 -------- d-----w- c:\program files\AVG
2010-01-22 01:51 . 2004-08-04 02:59 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-01-21 19:49 . 2009-06-29 16:24 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\SlimBrowser
2010-01-14 17:12 . 2009-10-05 04:24 181120 ------w- c:\windows\system32\MpSigStub.exe
2010-01-11 17:15 . 2007-04-10 16:40 234112 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2010-01-11 15:49 . 2007-01-27 17:09 -------- d-----w- c:\program files\DivX
2010-01-11 15:27 . 2007-01-22 02:41 -------- d-----w- c:\program files\SlimBrowser
2009-12-22 05:21 . 2004-08-04 04:56 667136 ------w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2009-06-26 18:48 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-11 22:33 . 2009-12-11 22:33 -------- d-----w- c:\documents and settings\All Users\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\TomTom
2009-12-11 22:32 . 2009-12-11 22:32 -------- d-----w- c:\program files\TomTom International B.V
2009-12-11 22:32 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom HOME 2
2009-12-11 22:31 . 2009-12-11 22:31 -------- d-----w- c:\program files\TomTom DesktopSuite
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\documents and settings\Rick Toby\Application Data\magellangps.com
2009-12-02 02:45 . 2009-12-02 02:45 -------- d-----w- c:\program files\Magellan
2009-11-21 15:51 . 2004-08-04 04:56 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-01-24 23:53 . 2010-01-24 23:53 16384 c:\windows\Temp\Perflib_Perfdata_7d0.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 71904 c:\windows\system32\perfc009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 71904 c:\windows\system32\perfc009.dat
+ 2001-08-22 20:00 . 2010-01-23 02:43 444028 c:\windows\system32\perfh009.dat
- 2001-08-22 20:00 . 2009-12-10 17:01 444028 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 19:01 1230080 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"SoundMan"="SOUNDMAN.EXE" [2006-03-02 577536]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-01-22 2033432]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-23 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-01-22 15:26 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Rick Toby^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
backup=c:\windows\pss\Microsoft Works Calendar Reminders.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2006-10-17 01:40 1197648 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2008-10-22 13:54 1310720 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2004-11-26 12:42 1349120 ------w- c:\program files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 16:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSTray]
2007-12-14 22:19 132624 ------w- c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2006-03-02 12:22 577536 ----a-w- c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"Camera Detector"=c:\progra~1\ACDSYS~1\ACDSee\CAMDET~1.EXE
"InstantAccess"=c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
"RegisterDropHandler"=c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SlimBrowser\\sbrowser.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgtray.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9322:TCP"= 9322:TCP:EKDiscovery

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/14/2008 10:47 AM 333192]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [5/14/2008 10:47 AM 360584]
R1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2cIo.sys [1/21/2007 9:17 PM 8192]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [1/22/2010 9:25 AM 285392]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [9/10/2008 1:44 PM 28672]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 5:31 AM 92008]
S2 gupdate1ca11eb9c8a20f;Google Update Service (gupdate1ca11eb9c8a20f);c:\program files\Google\Update\GoogleUpdate.exe [7/31/2009 8:27 AM 133104]
S2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\Printer\Center\EKDiscovery.exe --> c:\program files\Kodak\Printer\Center\EKDiscovery.exe [?]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 6:19 PM 13592]
S3 pmxscan;USB ScanModule V5.1 Driver;c:\windows\system32\drivers\usbscan.sys [4/7/2007 2:47 PM 15104]
S3 tgiul50;tgiul50;c:\windows\system32\drivers\tgiulnt5.sys [1/22/2007 3:14 AM 138528]
.
Contents of the 'Scheduled Tasks' folder

2009-09-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]

2010-01-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-31 14:26]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uSearchAssistant = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
TCP: {C0BEB0F8-FBA3-4394-A65F-9C4F453152D4} = 208.67.220.220,208.67.222.222
DPF: {F89EF74A-956B-4BD3-A066-4F23DF891982} - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Rick Toby\Application Data\Mozilla\Firefox\Profiles\6r4i4ned.default\
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG9\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\progra~1\MEADCO~1\npmeadax.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - hidden: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2010-01-24 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2728)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-01-24 18:31:03
ComboFix-quarantined-files.txt 2010-01-25 00:31
ComboFix2.txt 2010-01-24 04:07
ComboFix3.txt 2010-01-23 02:48

Pre-Run: 52,134,498,304 bytes free
Post-Run: 52,087,984,128 bytes free

- - End Of File - - EEDCA53095123D0E41522E9A79328B8F

rktoby
Novice
Posts : 6
Joined : 2010-01-22
Gender : Male
OS : windows xp

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by Belahzur on Mon Jan 25, 2010 1:35 am

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

How is the machine running now?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre

Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by rktoby on Mon Jan 25, 2010 4:16 pm

Everything seems to be running just fine. I will do a complete virus scan of the computer. If there are any problems I will post them in a reply in this post. If everything is OK, I would like to thank you for all your help. I could not have fixed this on my own. Where did you receive the training for this? You guys are great. Thanks Belahzur!!!


Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by Belahzur on Mon Jan 25, 2010 9:59 pm

I was trained at an online forum, but we also now have our own online school; we are offering anyone a chance to learn this too.





Re: Virus Packed.Protector.C Windows\system32\dllcashe\cdrom.sys

Post by rktoby on Mon Jan 25, 2010 11:35 pm

Thanks Belahzur, problem solved. I will check on that training.

