Virus?!

**genericlee** · **genericlee** on 21st May 2009, 1:30 am

I have a virus help me!

**Origin** · **Origin** on 21st May 2009, 1:52 am

Please download the current version of HijackThis from HERE

Double click and run the installer.
It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
After installing, you should get the user agreement, press accept and Hijack This will run.
Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

**genericlee** · **genericlee** on 21st May 2009, 9:27 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:27:04 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3910344132.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE7CDC.exe] C:\WINDOWS\TEMP\_A00FE7CDC.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG111T Smart Wizard.lnk = ?
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: __c004C8A1 - C:\WINDOWS\system32\__c004C8A1.dat
O22 - SharedTaskScheduler: sdfsefsfdvdubgiungfuyd - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AshEvtSvc - Unknown owner - C:\WINDOWS\System32\AshEvtSvc.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 9535 bytes

**Origin** · **Origin** on 22nd May 2009, 12:31 am

Open HijackThis
Choose "Do a system scan only"
Check the boxes in front of these lines:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: C:\WINDOWS\system32\afnoinkdsfe.dll - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - C:\WINDOWS\system32\afnoinkdsfe.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [autochk] rundll32.exe C:\WINDOWS\system32\autochk.dll,_IWMPEvents@16
O4 - HKLM\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKCU\..\Run: [Malware Doctor] C:\Documents and Settings\LocalService\Application Data\916653139.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\ghmu0v3pk3.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\3910344132.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\DOCUME~1\LOCALS~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [A00FE7CDC.exe] C:\WINDOWS\TEMP\_A00FE7CDC.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows Resurections] C:\WINDOWS\TEMP\kauizyxbj.exe (User 'Default user')
O4 - Startup: ChkDisk.dll
O4 - Startup: ChkDisk.lnk = ?
O20 - Winlogon Notify: __c004C8A1 - C:\WINDOWS\system32\__c004C8A1.dat
O23 - Service: Nakido - Unknown owner - C:\Program Files\Nakido\nakido.exe (file missing)
Press "Fix Checked"
Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

**genericlee** · **genericlee** on 22nd May 2009, 1:31 am

Malwarebytes' Anti-Malware 1.32
Database version: 1647
Windows 5.1.2600 Service Pack 3

5/21/2009 6:25:04 PM
mbam-log-2009-05-21 (18-25-04).txt

Scan type: Quick Scan
Objects scanned: 76238
Time elapsed: 25 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c004C8A1.dat (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{f7d09218-46d7-4d3d-9b7f-315204cd0836} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e63648f7-3933-440e-b4f6-a8584dd7b7eb} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5e5efa8f-9f53-418e-b78e-44866667a404} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5e5efa8f-9f53-418e-b78e-44866667a404} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c004c8a1 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f30b5e7e-cfbb-44fb-a947-226e5a7a4290} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\218538\218538.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c004C8A1.dat (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sft.res (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\_A00FE7CDC.exe (Trojan.Agent) -> Quarantined and deleted successfully.

**Origin** · **Origin** on 22nd May 2009, 1:34 am

Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
Link 1
Link 2
Double click DDS.scr to run.
When complete, two logs will open. Save both of the report to your Desktop.
Copy and paste DDS.txt back here, I don't need to see attach.txt.

**genericlee** · **genericlee** on 22nd May 2009, 1:55 am

DDS (Ver_09-05-14.01) - NTFSx86
Run by Eric Lee at 18:51:47.06 on Thu 05/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.87 [GMT -7:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\AshEvtSvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\LocalService\Application Data\916653139.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG111T Configuration Utility\wlan111t.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Documents and Settings\Eric Lee\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://www.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
BHO: Microsoft copyright: {f30b5e7e-cfbb-44fb-a947-226e5a7a4290} - lklf32.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
TB: {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - No File
TB: {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No File
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {32099AAC-C132-4136-9E9A-4E364A424E17} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {7C2FC77A-AF76-4A75-AC16-B02A13829F34} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: []
uRun: [Malware Doctor] c:\documents and settings\localservice\application data\916653139.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [Motive SmartBridge] c:\progra~1\sbcsel~1\smartb~1\MotiveSB.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [YSearchProtection] "c:\program files\yahoo!\search protection\SearchProtection.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRun: [Malware Doctor] c:\documents and settings\localservice\application data\916653139.exe
dRun: [svc] c:\program files\thunmail\testabd.exe
StartupFolder: c:\documents and settings\eric lee\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\ericle~1\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t configuration utility\wlan111t.exe
uPolicies-system: DisableRegistryTools = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} - hxxp://download.yahoo.com/dl/installs/ymail/ymmapi.dll
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\thunmail\testabd.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ericle~1\applic~1\mozilla\firefox\profiles\3s4ldz7t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\eric lee\application data\mozilla\firefox\profiles\3s4ldz7t.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-9-28 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-9-28 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-9-28 108552]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [2004-10-6 283904]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [2004-10-4 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2005-11-19 17149]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-05-21 18:28 708 a------- c:\windows\system32\sft.res
2009-05-21 18:28 29,184 a------- c:\windows\system32\lklf32.dll
2009-05-21 17:53 29,184 a------- c:\windows\system32\jhxm32.dll
2009-05-21 14:50 136 a------- c:\windows\system32\vp_setup.exe.bat
2009-05-21 14:49 --dshr-- c:\program files\ThunMail
2009-05-21 14:49 61,440 a------- c:\windows\system32\vp_setup.exe
2009-05-21 14:26 --d----- c:\program files\Trend Micro
2009-05-20 18:37 --d----- c:\documents and settings\eric lee\.SunDownloadManager
2009-05-20 14:50 29,184 a------- c:\windows\system32\stfa.dll
2009-05-20 14:50 32,768 a------- c:\windows\system32\AshEvtSvc.exe
2009-05-20 14:50 32,768 a------- c:\windows\system32\service-466.exe
2009-05-19 18:43 28,672 a------- c:\windows\system32\lmn_setup.exe
2009-05-18 14:56 37,376 a------- c:\windows\system32\glsetup.exe
2009-05-17 09:59 15,000 a------- c:\windows\system32\afnoinkdsfe.dll
2009-05-14 19:29 24,064 a--sh--- c:\windows\system32\autochk.dll
2009-05-12 21:00 118 a------- c:\windows\system32\MRT.INI
2009-05-12 16:41 --d----- c:\windows\system32\218538
2009-05-10 21:09 --d----- c:\windows\system32\NtmsData
2009-05-10 10:21 --d----- c:\windows\system32\199638
2009-05-09 13:00 2 ----h--- c:\windows\t55ft2668f44.dat
2009-05-09 13:00 1 ----h--- c:\windows\f23567.dat
2009-05-07 15:50 1 a------- c:\windows\9g2234wesdf3dfgjf23
2009-05-07 15:50 2 ----h--- c:\windows\t55ft2692f44.dat
2009-05-07 15:50 --d----- c:\windows\system32\796525
2009-05-06 16:02 24,064 a--sh--- c:\documents and settings\eric lee\protect.dll
2009-05-03 14:43 23,040 a------- c:\windows\system32\ak1.exe
2009-04-29 18:26 263 a------- C:\xcrashdump.dat
2009-04-27 20:15 439 a------- c:\windows\system32\win32hlp.cnf
2009-04-27 20:14 1 a------- c:\windows\system32\uniq.tll
2009-04-27 19:44 --d----- c:\docume~1\ericle~1\applic~1\pidle

==================== Find3M ====================

2009-05-20 14:40 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-20 14:40 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-05-20 14:40 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-04-27 20:14 104,960 a------- c:\windows\system32\userinit.exe
2009-03-21 12:30 78,050 ac------ c:\windows\War3Unin.dat
2009-03-21 07:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 07:22 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2009-03-02 17:18 826,368 -------- c:\windows\system32\dllcache\wininet.dll
2009-02-27 21:54 636,072 a------- c:\windows\system32\dllcache\iexplore.exe
2009-02-25 20:26 33,728 ac------ c:\docume~1\ericle~1\applic~1\GDIPFONTCACHEV1.DAT
2003-06-20 04:05 138,288 ac------ c:\windows\inf\usbport.sys
2003-06-20 04:05 49,776 ac------ c:\windows\inf\usbhub20.sys
2003-06-20 04:05 24,752 ac------ c:\windows\inf\hidclass.sys
2003-06-20 04:05 20,688 ac------ c:\windows\inf\usbd.sys
2003-06-20 04:05 19,728 ac------ c:\windows\inf\usbehci.sys

============= FINISH: 18:54:24.87 ===============

**Origin** · **Origin** on 22nd May 2009, 2:03 am

Download combofix from here
Link 1
Link 2
We need to disable your local AV (Anti-virus) before running Combofix.
See HERE for how to disable your AV.
Double click on ComboFix.exe.
Follow the prompts. NOTE:
ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
Allow ComboFix to download the Recovery Console.
Accept the End-User License Agreement.
The Recovery Console will be installed.
You will then get this next prompt that asks if you want to continue the malware scan, select yes
Allow combofix to run
Post C:\combofix.txt back here.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

**genericlee** · **genericlee** on 22nd May 2009, 3:02 am

The log was too big so i put it in as two posts
Part1

ComboFix 09-05-21.01 - Eric Lee 05/21/2009 19:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.227 [GMT -7:00]
Running from: c:\documents and settings\Eric Lee\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Eric Lee\Application Data\pidle
c:\documents and settings\Eric Lee\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Eric Lee\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
c:\documents and settings\Eric Lee\protect.dll
c:\documents and settings\Eric Lee\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\Eric Lee\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\Johnny Lee\protect.dll
c:\documents and settings\Johnny Lee\Start Menu\Programs\Startup\ChkDisk.lnk
c:\documents and settings\LocalService\Application Data\916653139.exe
c:\documents and settings\LocalService\protect.dll
C:\install.exe
c:\program files\ThunMail
c:\program files\ThunMail\testabd.dll
c:\program files\ThunMail\testabd.exe
c:\windows\f23567.dat
c:\windows\system32\199638
c:\windows\system32\218538
c:\windows\system32\afnoinkdsfe.dll
c:\windows\system32\ak1.exe
c:\windows\system32\AshEvtSvc.exe
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\drivers\ovfsthbobeltykhojgksymwllhrqjlatvkxdpj.sys
c:\windows\system32\glsetup.exe
c:\windows\system32\lmn_setup.exe
c:\windows\system32\ovfsthboxedpnqvvdjxthoteoakcrqubiajdvd.dll
c:\windows\system32\ovfsthgqjnsrpbwtpkrukyakjtvpyqgyivmavr.dll
c:\windows\system32\ovfsthhlacgftbketaiqnsmmpcdjldtlknttln.dll
c:\windows\system32\ovfsthlydrcbhdfufkabuenhegtsnwemvtgurp.dat
c:\windows\system32\ovfsthvybfswmmjqbavlkoalfodvuhhwglvmpq.dat
c:\windows\system32\service-466.exe
c:\windows\system32\sft.res
c:\windows\system32\stfa.dll
c:\windows\system32\uniq.tll
c:\windows\system32\win32hlp.cnf
c:\windows\t55ft2668f44.dat
c:\windows\t55ft2692f44.dat
c:\windows\Tasks\zpkuvebq.job
c:\windows\Temp\2134612342.exe
c:\windows\Temp\3797687882.exe
c:\windows\Temp\3798625382.exe
c:\windows\Temp\3910344132.exe
c:\windows\Temp\853620328.exe
c:\windows\Temp\857682828.exe
c:\windows\Temp\950339078.exe
C:\xcrashdump.dat

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\i386\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthruxjcrvmpimboewtvxettqowkmxduyvo
-------\Legacy_ASHEVTSVC
-------\Service_AshEvtSvc

((((((((((((((((((((((((( Files Created from 2009-04-22 to 2009-05-22 )))))))))))))))))))))))))))))))
.

2009-05-22 01:28 . 2009-05-22 01:28 29184 ----a-w c:\windows\system32\lklf32.dll
2009-05-22 00:53 . 2009-05-22 02:41 29184 ----a-w c:\windows\system32\jhxm32.dll
2009-05-21 21:50 . 2009-05-21 21:50 136 ----a-w c:\windows\system32\vp_setup.exe.bat
2009-05-21 21:49 . 2009-05-21 21:49 61440 ----a-w c:\windows\system32\vp_setup.exe
2009-05-21 21:26 . 2009-05-21 21:26 -------- d-----w c:\program files\Trend Micro
2009-05-21 01:37 . 2009-05-21 01:47 -------- d-----w c:\documents and settings\Eric Lee\.SunDownloadManager
2009-05-17 17:07 . 2009-05-17 17:07 57344 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-617f6391-n\Decora-SSE.dll
2009-05-17 17:07 . 2009-05-17 17:07 24064 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-3b9e0c04-n\Decora-D3D.dll
2009-05-17 17:07 . 2009-05-17 17:07 315392 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl.dll
2009-05-17 17:07 . 2009-05-17 17:07 20480 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl_awt.dll
2009-05-17 17:07 . 2009-05-17 17:07 114688 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-7807a711-n\jogl_cg.dll
2009-05-17 17:07 . 2009-05-17 17:07 20480 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-3fa7a4ae-n\gluegen-rt.dll
2009-05-17 17:07 . 2009-05-17 17:07 499712 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\msvcp71.dll
2009-05-17 17:07 . 2009-05-17 17:07 499712 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\jmc.dll
2009-05-17 17:07 . 2009-05-17 17:07 348160 ----a-w c:\windows\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-2289dad4-n\msvcr71.dll
2009-05-17 17:01 . 2009-05-17 17:01 -------- d--h--r c:\windows\system32\config\systemprofile\Application Data\yahoo!
2009-05-11 04:09 . 2009-05-11 04:09 -------- d-----w c:\windows\system32\NtmsData
2009-05-07 22:50 . 2009-05-13 03:13 -------- d-----w c:\windows\system32\796525
2009-05-04 21:42 . 2009-05-04 21:42 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-21 21:20 . 2008-11-28 09:42 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-20 21:40 . 2008-09-28 17:17 11952 ----a-w c:\windows\system32\avgrsstx.dll
2009-05-20 21:40 . 2008-09-28 17:17 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-05-20 21:40 . 2008-09-28 17:17 325896 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-05-20 21:40 . 2008-09-28 17:16 27784 ----a-w c:\windows\system32\drivers\avgmfx86.sys
2009-05-19 05:49 . 2009-01-11 17:49 99960 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-05-15 00:03 . 2008-08-31 06:13 -------- d-----w c:\program files\Warcraft III
2009-05-14 19:45 . 2008-08-31 07:18 -------- d-----w c:\program files\Garena
2009-05-07 04:02 . 2009-03-12 01:45 -------- d-----w c:\program files\TokBox
2009-05-04 21:44 . 2009-03-22 17:04 -------- d-----w c:\program files\Java
2009-04-30 01:55 . 2008-09-28 17:16 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-11 16:15 . 2008-09-28 01:07 -------- d-----w c:\program files\Cheat Engine
2009-04-07 12:01 . 2009-04-07 12:01 57344 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-66f2e556-n\Decora-SSE.dll
2009-04-07 12:01 . 2009-04-07 12:01 315392 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl.dll
2009-04-07 12:01 . 2009-04-07 12:01 24064 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-4ed91c8e-n\Decora-D3D.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_awt.dll
2009-04-07 12:01 . 2009-04-07 12:01 114688 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-40228384-n\jogl_cg.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcp71.dll
2009-04-07 12:01 . 2009-04-07 12:01 499712 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\jmc.dll
2009-04-07 12:01 . 2009-04-07 12:01 348160 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-55d528c1-n\msvcr71.dll
2009-04-07 12:01 . 2009-04-07 12:01 20480 ----a-w c:\documents and settings\Johnny Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-447178f8-n\gluegen-rt.dll
2009-03-31 04:22 . 2009-03-31 04:22 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\50\5b902232-3c034b17-n\Decora-SSE.dll
2009-03-31 04:22 . 2009-03-31 04:22 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\15\4e09eacf-5fe78b5e-n\Decora-D3D.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcp71.dll
2009-03-31 04:22 . 2009-03-31 04:22 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\jmc.dll
2009-03-31 04:22 . 2009-03-31 04:22 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\33\258cea61-706e4058-n\msvcr71.dll
2009-03-22 17:05 . 2009-03-22 17:05 57344 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\3976f065-21839c58-n\Decora-SSE.dll
2009-03-22 17:05 . 2009-03-22 17:05 315392 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl.dll
2009-03-22 17:05 . 2009-03-22 17:05 24064 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\37\2c4a0065-67a90f01-n\Decora-D3D.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_awt.dll
2009-03-22 17:05 . 2009-03-22 17:05 114688 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\62\6baea4fe-4e18cb6e-n\jogl_cg.dll
2009-03-22 17:05 . 2009-03-22 17:05 20480 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\45\4f710eed-358707b0-n\gluegen-rt.dll
2009-03-22 17:05 . 2009-03-22 17:05 503808 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcp71.dll
2009-03-22 17:05 . 2009-03-22 17:05 499712 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\jmc.dll
2009-03-22 17:05 . 2009-03-22 17:05 348160 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-7bc3a207-n\msvcr71.dll
2009-03-22 17:03 . 2009-03-22 17:03 152576 ----a-w c:\documents and settings\Eric Lee\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-21 19:30 . 2008-08-31 06:25 78050 -c--a-w c:\windows\War3Unin.dat
2009-03-09 12:19 . 2009-01-10 01:55 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-06 14:22 . 2004-08-10 17:51 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-10 17:51 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 22:36 . 2008-11-26 02:40 38208 ----a-w c:\documents and settings\Eric Lee\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
.

**genericlee** · **genericlee** on 22nd May 2009, 3:02 am

Part2

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}]
2009-05-22 02:41 29184 ----a-w c:\windows\system32\jhxm32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-11 368706]
"Motive SmartBridge"="c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 380928]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2008-10-07 111856]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
NETGEAR WG111T Smart Wizard.lnk - c:\program files\NETGEAR\WG111T Configuration Utility\wlan111t.exe [2005-11-19 483412]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-20 21:40 11952 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" /background
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" -autorun
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
"Search Protection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"YSearchProtection"=c:\program files\Yahoo!\Search Protection\SearchProtection.exe
"Aim6"="c:\program files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"YBrowser"=c:\program files\Yahoo!\browser\ybrwicon.exe
"LogitechVideoRepair"=c:\program files\Logitech\Video\ISStart.exe
"LogitechImageStudioTray"=c:\program files\Logitech\ImageStudio\LogiTray.exe
"LogitechVideoTray"=c:\program files\Logitech\Video\LogiTray.exe
"LogitechGalleryRepair"=c:\program files\Logitech\ImageStudio\ISStart.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe"
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe"
"LVCOMSX"=c:\windows\system32\LVCOMSX.EXE
"dla"=c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\yserver.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\sexybeast1992\\condition zero\\hl.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\fredthekid\\counter-strike\\hl.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Garena\\Garena.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\WINWORD.EXE"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [9/28/2008 10:17 AM 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [9/28/2008 10:17 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [9/28/2008 10:16 AM 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/28/2008 10:16 AM 298776]
S3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\drivers\A5AGU.sys [10/6/2004 11:39 AM 283904]
S3 ATHFMWDL;NETGEAR WG111T bootloader driver;c:\windows\system32\drivers\Athfmwdl.sys [10/4/2004 7:28 AM 43392]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [11/19/2005 10:19 PM 17149]
S3 Intuit Fuse Service;Intuit Fuse Service;c:\program files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe [11/6/2005 5:23 PM 69632]
S3 Ndinop;Ndinop; [x]
S4 Nakido;Nakido;c:\program files\Nakido\nakido.exe --> c:\program files\Nakido\nakido.exe [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-05-22 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 16:09]

2009-05-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-05-22 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-11-28 01:07]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-svc - c:\program files\ThunMail\testabd.exe
SharedTaskScheduler-{C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/bin/search?p={searchTerms}
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywaybiz
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.aol.com/aolcom/search?invocationType=tbff50ie7&query=
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com
FF - prefs.js: keyword.enabled - false
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 7171
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Eric Lee\Application Data\Mozilla\Firefox\Profiles\3s4ldz7t.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 19:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2216)
c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-05-22 19:57 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-22 02:57

Pre-Run: 6,773,055,488 bytes free
Post-Run: 7,850,160,128 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=1 LastKnownGood=4 Sets=1,2,3,4
311 --- E O F --- 2009-05-13 04:00