Virus?!

View previous topic View next topic Go down

Virus?!

Post by genericlee on 21st May 2009, 1:30 am

I have a virus help me!

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 21st May 2009, 1:52 am

Please download the current version of HijackThis from [You must be registered and logged in to see this link.]

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 21st May 2009, 9:27 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:04 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3910344132.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE7CDC.exe] C:\WINDOWS\TEMP\_A00FE7CDC.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - [You must be registered and logged in to see this link.]
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - [You must be registered and logged in to see this link.]
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c004C8A1 - C:\WINDOWS\system32\__c004C8A1.dat
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9535 bytes

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 22nd May 2009, 12:31 am


  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
    O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
    O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
    O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
    O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3910344132.exe (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [A00FE7CDC.exe] C:\WINDOWS\TEMP\_A00FE7CDC.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'Default user')
    O4 - Startup: ChkDisk.dll
    O4 - Startup: ChkDisk.lnk = ?
    O20 - Winlogon Notify: __c004C8A1 - C:\WINDOWS\system32\__c004C8A1.dat
    O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)



  • Press "Fix Checked"
  • Close Hijack This.






Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 22nd May 2009, 1:31 am

Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3

5/21/2009 6:25:04 PM
mbam-log-2009-05-21 (18-25-04).txt

Scan type: Quick Scan
Objects scanned: 76238
Time elapsed: 25 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c004C8A1.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e5efa8f-9f53-418e-b78e-44866667a404} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e5efa8f-9f53-418e-b78e-44866667a404} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004c8a1 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\218538\218538.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c004C8A1.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_A00FE7CDC.exe (Trojan.Agent) -> Quarantined and deleted successfully.

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 22nd May 2009, 1:34 am


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • Double click DDS.scr to run.
  • When complete, two logs will open. Save both of the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 22nd May 2009, 1:55 am

DDS (Ver_09-05-14.01) - NTFSx86
Run by Eric Lee at 18:51:47.06 on Thu 05/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.87 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\LocalService\Application Data\916653139.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Documents and Settings\Eric Lee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
uSearch Bar = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
BHO: Microsoft copyright: {f30b5e7e-cfbb-44fb-a947-226e5a7a4290} - lklf32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {7C2FC77A-AF76-4A75-AC16-B02A13829F34} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: []
uRun: [Malware Doctor] c:\documents and settings\localservice\application data\916653139.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [Malware Doctor] c:\documents and settings\localservice\application data\916653139.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\documents and settings\eric lee\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\ericle~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t configuration utility\wlan111t.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - [You must be registered and logged in to see this link.]
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - [You must be registered and logged in to see this link.]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - [You must be registered and logged in to see this link.]
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - [You must be registered and logged in to see this link.]
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - [You must be registered and logged in to see this link.]
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericle~1\applic~1\mozilla\firefox\profiles\3s4ldz7t.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\eric lee\application data\mozilla\firefox\profiles\3s4ldz7t.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-28 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-28 108552]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2004-10-6 283904]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2004-10-4 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2005-11-19 17149]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-21 18:28 708 a------- c:\windows\system32\sft.res
2009-05-21 18:28 29,184 a------- c:\windows\system32\lklf32.dll
2009-05-21 17:53 29,184 a------- c:\windows\system32\jhxm32.dll
2009-05-21 14:50 136 a------- c:\windows\system32\vp_setup.exe.bat
2009-05-21 14:49 --dshr-- c:\program files\ThunMail
2009-05-21 14:49 61,440 a------- c:\windows\system32\vp_setup.exe
2009-05-21 14:26 --d----- c:\program files\Trend Micro
2009-05-20 18:37 --d----- c:\documents and settings\eric lee\.SunDownloadManager
2009-05-20 14:50 29,184 a------- c:\windows\system32\stfa.dll
2009-05-20 14:50 32,768 a------- c:\windows\system32\AshEvtSvc.exe
2009-05-20 14:50 32,768 a------- c:\windows\system32\service-466.exe
2009-05-19 18:43 28,672 a------- c:\windows\system32\lmn_setup.exe
2009-05-18 14:56 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-17 09:59 15,000 a------- c:\windows\system32\afnoinkdsfe.dll
2009-05-14 19:29 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-12 21:00 118 a------- c:\windows\system32\MRT.INI
2009-05-12 16:41 --d----- c:\windows\system32\218538
2009-05-10 21:09 --d----- c:\windows\system32\NtmsData
2009-05-10 10:21 --d----- c:\windows\system32\199638
2009-05-09 13:00 2 ----h--- c:\windows\t55ft2668f44.dat
2009-05-09 13:00 1 ----h--- c:\windows\f23567.dat
2009-05-07 15:50 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-07 15:50 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-07 15:50 --d----- c:\windows\system32\796525
2009-05-06 16:02 24,064 a--sh--- c:\documents and settings\eric lee\protect.dll
2009-05-03 14:43 23,040 a------- c:\windows\system32\ak1.exe
2009-04-29 18:26 263 a------- C:\xcrashdump.dat
2009-04-27 20:15 439 a------- c:\windows\system32\win32hlp.cnf
2009-04-27 20:14 1 a------- c:\windows\system32\uniq.tll
2009-04-27 19:44 --d----- c:\docume~1\ericle~1\applic~1\pidle

==================== Find3M ====================

2009-05-20 14:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-20 14:40 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 14:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-27 20:14 104,960 a------- c:\windows\system32\userinit.exe
2009-03-21 12:30 78,050 ac------ c:\windows\War3Unin.dat
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-25 20:26 33,728 ac------ c:\docume~1\ericle~1\applic~1\GDIPFONTCACHEV1.DAT
2003-06-20 04:05 138,288 ac------ c:\windows\inf\usbport.sys
2003-06-20 04:05 49,776 ac------ c:\windows\inf\usbhub20.sys
2003-06-20 04:05 24,752 ac------ c:\windows\inf\hidclass.sys
2003-06-20 04:05 20,688 ac------ c:\windows\inf\usbd.sys
2003-06-20 04:05 19,728 ac------ c:\windows\inf\usbehci.sys

============= FINISH: 18:54:24.87 ===============

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 22nd May 2009, 2:03 am


  • Download combofix from here
    [You must be registered and logged in to see this link.]
    [You must be registered and logged in to see this link.]
  • We need to disable your local AV (Anti-virus) before running Combofix.
  • See [You must be registered and logged in to see this link.] for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.



  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes



  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 22nd May 2009, 3:02 am

The log was too big so i put it in as two posts
Part1


ComboFix 09-05-21.01 - Eric Lee 05/21/2009 19:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.227 [GMT -7:00]
Running from: c:\documents and settings\Eric Lee\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric Lee\Application Data\pidle
c:\documents and settings\Eric Lee\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Eric Lee\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\Eric Lee\protect.dll
c:\documents and settings\Eric Lee\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Eric Lee\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Johnny Lee\protect.dll
c:\documents and settings\Johnny Lee\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\protect.dll
C:\install.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\program files\ThunMail\testabd.exe
c:\windows\f23567.dat
c:\windows\system32\199638
c:\windows\system32\218538
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ak1.exe
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthbobeltykhojgksymwllhrqjlatvkxdpj.sys
c:\windows\system32\glsetup.exe
c:\windows\system32\lmn_setup.exe
c:\windows\system32\ovfsthboxedpnqvvdjxthoteoakcrqubiajdvd.dll
c:\windows\system32\ovfsthgqjnsrpbwtpkrukyakjtvpyqgyivmavr.dll
c:\windows\system32\ovfsthhlacgftbketaiqnsmmpcdjldtlknttln.dll
c:\windows\system32\ovfsthlydrcbhdfufkabuenhegtsnwemvtgurp.dat
c:\windows\system32\ovfsthvybfswmmjqbavlkoalfodvuhhwglvmpq.dat
c:\windows\system32\service-466.exe
c:\windows\system32\sft.res
c:\windows\system32\stfa.dll
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\t55ft2668f44.dat
c:\windows\t55ft2692f44.dat
c:\windows\Tasks\zpkuvebq.job
c:\windows\Temp\2134612342.exe
c:\windows\Temp\3797687882.exe
c:\windows\Temp\3798625382.exe
c:\windows\Temp\3910344132.exe
c:\windows\Temp\853620328.exe
c:\windows\Temp\857682828.exe
c:\windows\Temp\950339078.exe
C:\xcrashdump.dat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthruxjcrvmpimboewtvxettqowkmxduyvo
-------\Legacy_ASHEVTSVC
-------\Service_AshEvtSvc


((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 01:28 . 2009-05-22 01:28 29184 ----a-w c:\windows\system32\lklf32.dll
2009-05-22 00:53 . 2009-05-22 02:41 29184 ----a-w c:\windows\system32\jhxm32.dll
2009-05-21 21:50 . 2009-05-21 21:50 136 ----a-w c:\windows\system32\vp_setup.exe.bat
2009-05-21 21:49 . 2009-05-21 21:49 61440 ----a-w c:\windows\system32\vp_setup.exe
2009-05-21 21:26 . 2009-05-21 21:26 -------- d-----w c:\program files\Trend Micro
2009-05-21 01:37 . 2009-05-21 01:47 -------- d-----w c:\documents and settings\Eric Lee\.SunDownloadManager
2009-05-17 17:07 . 2009-05-17 17:07 57344 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-617f6391-n\Decora-SSE.dll
2009-05-17 17:07 . 2009-05-17 17:07 24064 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3b9e0c04-n\Decora-D3D.dll
2009-05-17 17:07 . 2009-05-17 17:07 315392 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl.dll
2009-05-17 17:07 . 2009-05-17 17:07 20480 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl_awt.dll
2009-05-17 17:07 . 2009-05-17 17:07 114688 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl_cg.dll
2009-05-17 17:07 . 2009-05-17 17:07 20480 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-3fa7a4ae-n\gluegen-rt.dll
2009-05-17 17:07 . 2009-05-17 17:07 499712 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\msvcp71.dll
2009-05-17 17:07 . 2009-05-17 17:07 499712 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\jmc.dll
2009-05-17 17:07 . 2009-05-17 17:07 348160 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\msvcr71.dll
2009-05-17 17:01 . 2009-05-17 17:01 -------- d--h--r c:\windows\system32\config\systemprofile\Application Data\yahoo!
2009-05-11 04:09 . 2009-05-11 04:09 -------- d-----w c:\windows\system32\NtmsData
2009-05-07 22:50 . 2009-05-13 03:13 -------- d-----w c:\windows\system32\796525
2009-05-04 21:42 . 2009-05-04 21:42 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 21:20 . 2008-11-28 09:42 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-20 21:40 . 2008-09-28 17:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 21:40 . 2008-09-28 17:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 21:40 . 2008-09-28 17:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 21:40 . 2008-09-28 17:16 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 05:49 . 2009-01-11 17:49 99960 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-15 00:03 . 2008-08-31 06:13 -------- d-----w c:\program files\Warcraft III
2009-05-14 19:45 . 2008-08-31 07:18 -------- d-----w c:\program files\Garena
2009-05-07 04:02 . 2009-03-12 01:45 -------- d-----w c:\program files\TokBox
2009-05-04 21:44 . 2009-03-22 17:04 -------- d-----w c:\program files\Java
2009-04-30 01:55 . 2008-09-28 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 16:15 . 2008-09-28 01:07 -------- d-----w c:\program files\Cheat Engine
2009-04-07 12:01 . 2009-04-07 12:01 57344 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-66f2e556-n\Decora-SSE.dll
2009-04-07 12:01 . 2009-04-07 12:01 315392 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl.dll
2009-04-07 12:01 . 2009-04-07 12:01 24064 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-4ed91c8e-n\Decora-D3D.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_awt.dll
2009-04-07 12:01 . 2009-04-07 12:01 114688 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_cg.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcp71.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\jmc.dll
2009-04-07 12:01 . 2009-04-07 12:01 348160 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcr71.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-447178f8-n\gluegen-rt.dll
2009-03-31 04:22 . 2009-03-31 04:22 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-3c034b17-n\Decora-SSE.dll
2009-03-31 04:22 . 2009-03-31 04:22 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-5fe78b5e-n\Decora-D3D.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcp71.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\jmc.dll
2009-03-31 04:22 . 2009-03-31 04:22 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcr71.dll
2009-03-22 17:05 . 2009-03-22 17:05 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\3976f065-21839c58-n\Decora-SSE.dll
2009-03-22 17:05 . 2009-03-22 17:05 315392 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl.dll
2009-03-22 17:05 . 2009-03-22 17:05 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\2c4a0065-67a90f01-n\Decora-D3D.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_awt.dll
2009-03-22 17:05 . 2009-03-22 17:05 114688 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_cg.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-358707b0-n\gluegen-rt.dll
2009-03-22 17:05 . 2009-03-22 17:05 503808 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcp71.dll
2009-03-22 17:05 . 2009-03-22 17:05 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\jmc.dll
2009-03-22 17:05 . 2009-03-22 17:05 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcr71.dll
2009-03-22 17:03 . 2009-03-22 17:03 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-21 19:30 . 2008-08-31 06:25 78050 -c--a-w c:\windows\War3Unin.dat
2009-03-09 12:19 . 2009-01-10 01:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 22:36 . 2008-11-26 02:40 38208 ----a-w c:\documents and settings\Eric Lee\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 22nd May 2009, 3:02 am

Part2



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
2009-05-22 02:41 29184 ----a-w c:\windows\system32\jhxm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2005-11-19 483412]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 21:40 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\program files\Yahoo!\browser\ybrwicon.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechImageStudioTray"=c:\program files\Logitech\ImageStudio\LogiTray.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechGalleryRepair"=c:\program files\Logitech\ImageStudio\ISStart.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"dla"=c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\sexybeast1992\\condition zero\\hl.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fredthekid\\counter-strike\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/28/2008 10:17 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/28/2008 10:17 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/28/2008 10:16 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/28/2008 10:16 AM 298776]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [10/6/2004 11:39 AM 283904]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [10/4/2004 7:28 AM 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [11/19/2005 10:19 PM 17149]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [11/6/2005 5:23 PM 69632]
S3 Ndinop;Ndinop; [x]
S4 Nakido;Nakido;c:\program files\Nakido\nakido.exe --> c:\program files\Nakido\nakido.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 16:09]

2009-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-28 01:07]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-svc - c:\program files\ThunMail\testabd.exe
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-21 19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2216)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-22 19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 02:57

Pre-Run: 6,773,055,488 bytes free
Post-Run: 7,850,160,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
311 --- E O F --- 2009-05-13 04:00

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 22nd May 2009, 3:07 am

Now open a new notepad file.
Input this into the notepad file:

Driver::
ovfsthruxjcrvmpimboewtvxettqowkmxduyvo
ASHEVTSVC
AshEvtSvc

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 22nd May 2009, 3:34 am

Part1



ComboFix 09-05-21.01 - Eric Lee 05/21/2009 20:21.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.79 [GMT -7:00]
Running from: c:\documents and settings\Eric Lee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric Lee\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 01:28 . 2009-05-22 01:28 29184 ----a-w c:\windows\system32\lklf32.dll
2009-05-22 00:53 . 2009-05-22 02:41 29184 ----a-w c:\windows\system32\jhxm32.dll
2009-05-21 21:50 . 2009-05-21 21:50 136 ----a-w c:\windows\system32\vp_setup.exe.bat
2009-05-21 21:49 . 2009-05-21 21:49 61440 ----a-w c:\windows\system32\vp_setup.exe
2009-05-21 21:26 . 2009-05-21 21:26 -------- d-----w c:\program files\Trend Micro
2009-05-21 01:37 . 2009-05-21 01:47 -------- d-----w c:\documents and settings\Eric Lee\.SunDownloadManager
2009-05-17 17:07 . 2009-05-17 17:07 57344 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-617f6391-n\Decora-SSE.dll
2009-05-17 17:07 . 2009-05-17 17:07 24064 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3b9e0c04-n\Decora-D3D.dll
2009-05-17 17:07 . 2009-05-17 17:07 315392 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl.dll
2009-05-17 17:07 . 2009-05-17 17:07 20480 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl_awt.dll
2009-05-17 17:07 . 2009-05-17 17:07 114688 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl_cg.dll
2009-05-17 17:07 . 2009-05-17 17:07 20480 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-3fa7a4ae-n\gluegen-rt.dll
2009-05-17 17:07 . 2009-05-17 17:07 499712 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\msvcp71.dll
2009-05-17 17:07 . 2009-05-17 17:07 499712 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\jmc.dll
2009-05-17 17:07 . 2009-05-17 17:07 348160 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\msvcr71.dll
2009-05-17 17:01 . 2009-05-17 17:01 -------- d--h--r c:\windows\system32\config\systemprofile\Application Data\yahoo!
2009-05-11 04:09 . 2009-05-11 04:09 -------- d-----w c:\windows\system32\NtmsData
2009-05-07 22:50 . 2009-05-13 03:13 -------- d-----w c:\windows\system32\796525
2009-05-04 21:42 . 2009-05-04 21:42 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 21:20 . 2008-11-28 09:42 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-20 21:40 . 2008-09-28 17:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 21:40 . 2008-09-28 17:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 21:40 . 2008-09-28 17:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 21:40 . 2008-09-28 17:16 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 05:49 . 2009-01-11 17:49 99960 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-15 00:03 . 2008-08-31 06:13 -------- d-----w c:\program files\Warcraft III
2009-05-14 19:45 . 2008-08-31 07:18 -------- d-----w c:\program files\Garena
2009-05-07 04:02 . 2009-03-12 01:45 -------- d-----w c:\program files\TokBox
2009-05-04 21:44 . 2009-03-22 17:04 -------- d-----w c:\program files\Java
2009-04-30 01:55 . 2008-09-28 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 16:15 . 2008-09-28 01:07 -------- d-----w c:\program files\Cheat Engine
2009-04-07 12:01 . 2009-04-07 12:01 57344 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-66f2e556-n\Decora-SSE.dll
2009-04-07 12:01 . 2009-04-07 12:01 315392 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl.dll
2009-04-07 12:01 . 2009-04-07 12:01 24064 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-4ed91c8e-n\Decora-D3D.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_awt.dll
2009-04-07 12:01 . 2009-04-07 12:01 114688 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_cg.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcp71.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\jmc.dll
2009-04-07 12:01 . 2009-04-07 12:01 348160 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcr71.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-447178f8-n\gluegen-rt.dll
2009-03-31 04:22 . 2009-03-31 04:22 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-3c034b17-n\Decora-SSE.dll
2009-03-31 04:22 . 2009-03-31 04:22 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-5fe78b5e-n\Decora-D3D.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcp71.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\jmc.dll
2009-03-31 04:22 . 2009-03-31 04:22 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcr71.dll
2009-03-22 17:05 . 2009-03-22 17:05 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\3976f065-21839c58-n\Decora-SSE.dll
2009-03-22 17:05 . 2009-03-22 17:05 315392 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl.dll
2009-03-22 17:05 . 2009-03-22 17:05 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\2c4a0065-67a90f01-n\Decora-D3D.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_awt.dll
2009-03-22 17:05 . 2009-03-22 17:05 114688 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_cg.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-358707b0-n\gluegen-rt.dll
2009-03-22 17:05 . 2009-03-22 17:05 503808 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcp71.dll
2009-03-22 17:05 . 2009-03-22 17:05 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\jmc.dll
2009-03-22 17:05 . 2009-03-22 17:05 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcr71.dll
2009-03-22 17:03 . 2009-03-22 17:03 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-21 19:30 . 2008-08-31 06:25 78050 -c--a-w c:\windows\War3Unin.dat
2009-03-09 12:19 . 2009-01-10 01:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 22:36 . 2008-11-26 02:40 38208 ----a-w c:\documents and settings\Eric Lee\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 22nd May 2009, 3:34 am

Part2



((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
2009-05-22 02:41 29184 ----a-w c:\windows\system32\jhxm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2005-11-19 483412]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 21:40 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\program files\Yahoo!\browser\ybrwicon.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechImageStudioTray"=c:\program files\Logitech\ImageStudio\LogiTray.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechGalleryRepair"=c:\program files\Logitech\ImageStudio\ISStart.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"dla"=c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\sexybeast1992\\condition zero\\hl.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fredthekid\\counter-strike\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/28/2008 10:17 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/28/2008 10:17 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/28/2008 10:16 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/28/2008 10:16 AM 298776]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [10/6/2004 11:39 AM 283904]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [10/4/2004 7:28 AM 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [11/19/2005 10:19 PM 17149]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [11/6/2005 5:23 PM 69632]
S3 Ndinop;Ndinop; [x]
S4 Nakido;Nakido;c:\program files\Nakido\nakido.exe --> c:\program files\Nakido\nakido.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 16:09]

2009-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-28 01:07]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-21 20:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2856)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-22 20:32
ComboFix-quarantined-files.txt 2009-05-22 03:31
ComboFix2.txt 2009-05-22 02:57

Pre-Run: 7,831,334,912 bytes free
Post-Run: 7,789,420,544 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
234 --- E O F --- 2009-05-13 04:00

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 22nd May 2009, 3:58 am

Now open a new notepad file.
Input this into the notepad file:

File::
c:\windows\system32\lklf32.dll
c:\windows\system32\jhxm32.dll
c:\windows\system32\vp_setup.exe.bat
c:\windows\system32\vp_setup.exe


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix again, agree to it's terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 23rd May 2009, 6:18 pm

Part1



ComboFix 09-05-22.08 - Eric Lee 05/23/2009 10:46.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.84 [GMT -7:00]
Running from: c:\documents and settings\Eric Lee\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric Lee\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
c:\windows\system32\jhxm32.dll
c:\windows\system32\lklf32.dll
c:\windows\system32\vp_setup.exe
c:\windows\system32\vp_setup.exe.bat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\jhxm32.dll
c:\windows\system32\lklf32.dll
c:\windows\system32\vp_setup.exe
c:\windows\system32\vp_setup.exe.bat

.
((((((((((((((((((((((((( Files Created from 2009-04-23 to 2009-05-23 )))))))))))))))))))))))))))))))
.

2009-05-21 21:26 . 2009-05-21 21:26 -------- d-----w c:\program files\Trend Micro
2009-05-21 01:37 . 2009-05-21 01:47 -------- d-----w c:\documents and settings\Eric Lee\.SunDownloadManager
2009-05-11 04:09 . 2009-05-11 04:09 -------- d-----w c:\windows\system32\NtmsData
2009-05-07 22:50 . 2009-05-13 03:13 -------- d-----w c:\windows\system32\796525
2009-05-04 21:42 . 2009-05-04 21:42 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-23 17:24 . 2008-11-28 09:42 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-20 21:40 . 2008-09-28 17:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 21:40 . 2008-09-28 17:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 21:40 . 2008-09-28 17:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 21:40 . 2008-09-28 17:16 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 05:49 . 2009-01-11 17:49 99960 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-15 00:03 . 2008-08-31 06:13 -------- d-----w c:\program files\Warcraft III
2009-05-14 19:45 . 2008-08-31 07:18 -------- d-----w c:\program files\Garena
2009-05-07 04:02 . 2009-03-12 01:45 -------- d-----w c:\program files\TokBox
2009-05-04 21:44 . 2009-03-22 17:04 -------- d-----w c:\program files\Java
2009-04-30 01:55 . 2008-09-28 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 16:15 . 2008-09-28 01:07 -------- d-----w c:\program files\Cheat Engine
2009-04-07 12:01 . 2009-04-07 12:01 57344 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-66f2e556-n\Decora-SSE.dll
2009-04-07 12:01 . 2009-04-07 12:01 315392 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl.dll
2009-04-07 12:01 . 2009-04-07 12:01 24064 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-4ed91c8e-n\Decora-D3D.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_awt.dll
2009-04-07 12:01 . 2009-04-07 12:01 114688 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_cg.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcp71.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\jmc.dll
2009-04-07 12:01 . 2009-04-07 12:01 348160 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcr71.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-447178f8-n\gluegen-rt.dll
2009-03-31 04:22 . 2009-03-31 04:22 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-3c034b17-n\Decora-SSE.dll
2009-03-31 04:22 . 2009-03-31 04:22 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-5fe78b5e-n\Decora-D3D.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcp71.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\jmc.dll
2009-03-31 04:22 . 2009-03-31 04:22 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcr71.dll
2009-03-22 17:05 . 2009-03-22 17:05 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\3976f065-21839c58-n\Decora-SSE.dll
2009-03-22 17:05 . 2009-03-22 17:05 315392 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl.dll
2009-03-22 17:05 . 2009-03-22 17:05 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\2c4a0065-67a90f01-n\Decora-D3D.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_awt.dll
2009-03-22 17:05 . 2009-03-22 17:05 114688 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_cg.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-358707b0-n\gluegen-rt.dll
2009-03-22 17:05 . 2009-03-22 17:05 503808 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcp71.dll
2009-03-22 17:05 . 2009-03-22 17:05 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\jmc.dll
2009-03-22 17:05 . 2009-03-22 17:05 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcr71.dll
2009-03-22 17:03 . 2009-03-22 17:03 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-21 19:30 . 2008-08-31 06:25 78050 -c--a-w c:\windows\War3Unin.dat
2009-03-09 12:19 . 2009-01-10 01:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 22:36 . 2008-11-26 02:40 38208 ----a-w c:\documents and settings\Eric Lee\Application Data\Macromedia\Flash Player\[You must be registered and logged in to see this link.]
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-23 17:24 . 2009-05-23 17:24 16384 c:\windows\Temp\Perflib_Perfdata_730.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2005-11-19 483412]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 21:40 11952 ----a-w c:\windows\system32\avgrsstx.dll

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 23rd May 2009, 6:18 pm

Part2



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US [You must be registered and logged in to see this link.]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\program files\Yahoo!\browser\ybrwicon.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechImageStudioTray"=c:\program files\Logitech\ImageStudio\LogiTray.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechGalleryRepair"=c:\program files\Logitech\ImageStudio\ISStart.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"dla"=c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\sexybeast1992\\condition zero\\hl.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fredthekid\\counter-strike\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/28/2008 10:17 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/28/2008 10:17 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/28/2008 10:16 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/28/2008 10:16 AM 298776]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [10/6/2004 11:39 AM 283904]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [10/4/2004 7:28 AM 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [11/19/2005 10:19 PM 17149]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [11/6/2005 5:23 PM 69632]
S3 Ndinop;Ndinop; [x]

--- Other Services/Drivers In Memory ---

*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - ProtectedStorage
*Deregistered* - RasMan
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - Spooler
*Deregistered* - srservice
*Deregistered* - stisvc
*Deregistered* - TapiSrv
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - TuneUp.Defrag
*Deregistered* - UxTuneUp
*Deregistered* - w32time
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-23 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 16:09]

2009-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-28 01:07]
.
- - - - ORPHANS REMOVED - - - -

BHO-{F30B5E7E-CFBB-44fb-A947-226E5A7A4290} - jhxm32.dll
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
uSearchMigratedDefaultURL = [You must be registered and logged in to see this link.]
mSearch Bar = [You must be registered and logged in to see this link.]
uInternet Connection Wizard,ShellNext = [You must be registered and logged in to see this link.]
uSearchURL,(Default) = [You must be registered and logged in to see this link.]
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - [You must be registered and logged in to see this link.]
FF - ProfilePath - c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2009-05-23 10:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\7d699a9c-85ee-4411-9c08-8bd821a91e07.tmp 0 bytes


**************************************************************************
.
Completion time: 2009-05-23 10:57
ComboFix-quarantined-files.txt 2009-05-23 17:56
ComboFix2.txt 2009-05-22 03:32
ComboFix3.txt 2009-05-22 02:57

Pre-Run: 7,831,867,392 bytes free
Post-Run: 7,800,057,856 bytes free

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
259 --- E O F --- 2009-05-13 04:00

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 23rd May 2009, 6:37 pm

Download [You must be registered and logged in to see this link.] by screen317 and save it to your Desktop.

  • Unzip SecurityCheck.zip and a folder named Security Check should appear.
  • Open the Security Check folder and double-click Security Check.bat
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Note: if a security program requests permission from dig.exe to access the Internet, allow it to do so.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 23rd May 2009, 8:30 pm

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AVGFree8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
TuneUp Utilities 2008
Java(TM) 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 14 seconds.
`````````End of Log```````````

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 23rd May 2009, 8:33 pm

Hello, thsi doesn't look like the checkup.txt log, can you please scan again with Security Check and post the results here.


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 25th May 2009, 7:39 pm

I scanned it again, but it looks like the samething


Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````

Windows Firewall Enabled!
AVGFree8.5
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````

Malwarebytes' Anti-Malware
HijackThis 2.0.2
TuneUp Utilities 2008
Java(TM) 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

GREAT! (Very random)

Scan took 21 seconds.
`````````End of Log```````````

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 25th May 2009, 7:42 pm

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by genericlee on 25th May 2009, 7:47 pm

Good Thanks!

genericlee
Novice
Novice

Posts Posts : 25
Joined Joined : 2009-04-30
OS OS : Windows XP
Points Points : 27969
# Likes # Likes : 0

View user profile

Back to top Go down

Re: Virus?!

Post by Origin on 25th May 2009, 7:49 pm

Glad we could help Wink


We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers. Goofy

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
[You must be registered and logged in to see this link.]

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or
[You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found [You must be registered and logged in to see this link.].

Hopefully this should take care of your problems! Good luck. Big Grin


While my help is always free, please consider donating to keep this site alive: [You must be registered and logged in to see this link.]

[You must be registered and logged in to see this link.]

Origin
Master
Master

Posts Posts : 2685
Joined Joined : 2009-05-05
Gender Gender : Male
OS OS : Windows Xp Sp3
Points Points : 31523
# Likes # Likes : 0

View user profile

Back to top Go down

View previous topic View next topic Back to top

- Similar topics

 
Permissions in this forum:
You cannot reply to topics in this forum