
Trojans Do Not Remove



I clicked on a website yesterday, and since then the first few times I click on a webpage in IE another page comes up with an advertisement. When the right page comes up it's a new browser, which should not happen. My computer works fine in AOL. I have run Malwarebytes several times and it says I have trojans that cannot be removed now but will be removed when my computer is rebooted. Upon reboot the trojans are still there. Here are the results of a scan:

Malwarebytes' Anti-Malware 1.34

Database version: 1887

Windows 5.1.2600

3/23/2009 6:17:03 PM

mbam-log-2009-03-23 (18-17-03).txt

Scan type: Quick Scan

Objects scanned: 85177

Time elapsed: 27 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINNT\system32\cewmdmq.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{458b9d54-91fd-4161-9a7e-4a50b9a53cbf} (Trojan.Downloader) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{458b9d54-91fd-4161-9a7e-4a50b9a53cbf} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\cewmdmq.dll (Trojan.Downloader) -> Delete on reboot.

Can anyone tell me how to fix this?


Staff

Hi,

First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates".
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Thank you for your prompt reply. I updated MalwareBytes and did a complete scan:

Malwarebytes' Anti-Malware 1.34

Database version: 1890

Windows 5.1.2600

3/23/2009 11:02:45 PM

mbam-log-2009-03-23 (23-02-45).txt

Scan type: Full Scan (C:\|)

Objects scanned: 124724

Time elapsed: 1 hour(s), 40 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 2

Registry Values Infected: 4

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINNT\system32\cewmdmq.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{458b9d54-91fd-4161-9a7e-4a50b9a53cbf} (Trojan.Downloader) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{458b9d54-91fd-4161-9a7e-4a50b9a53cbf} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINNT\system32\cewmdmq.dll (Trojan.Downloader) -> Delete on reboot.


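As an added example, not code from this thread or from Malwarebytes: a Python parser for the MBAM 1.x log format quoted above that compares the two scans, listing what was scheduled "Delete on reboot" yet is still reported after the reboot, and which of those entries are Browser Helper Object registrations (the hook that loads a component into Internet Explorer). The sample logs are constructed, trimmed copies of the ones posted.

```python
"""Parse Malwarebytes' Anti-Malware 1.x scan logs and report detections that
were scheduled for "Delete on reboot" but are listed again by a later scan,
plus any Browser Helper Object (BHO) CLSIDs among them."""
import re
from dataclasses import dataclass

# Header line: "Database version: 1887".  Entry line under a section:
# "<path or registry key> (<detection name>) -> <action>."
HEADER_RE = re.compile(r"^([A-Za-z' ]+?):\s*(.+)$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
BHO_RE = re.compile(r"\\Browser Helper Objects\\(\{[0-9a-fA-F-]+\})$")
SECTION_SUFFIX = " Infected:"


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Registry Keys"
    item: str     # file path, registry key or value that was flagged
    name: str     # e.g. "Trojan.Downloader"
    action: str   # e.g. "Delete on reboot"


def parse_mbam_log(text):
    """Return (header, detections); header maps 'Database version' -> '1887' etc.
    Lines without a 'Field: value' shape (product name, OS build) are skipped."""
    header, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "(No malicious items detected)":
            continue
        if line.endswith(SECTION_SUFFIX):   # "Registry Keys Infected:" with no count
            section = line[: -len(SECTION_SUFFIX)]
            continue
        if section is None:                 # still in the header / summary block
            m = HEADER_RE.match(line)
            if m:
                header[m.group(1).strip()] = m.group(2).strip()
            continue
        m = ENTRY_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return header, detections


def persistent_detections(first_log, second_log):
    """Detections scheduled 'Delete on reboot' in the first scan that are listed
    again in the second: the deferred removal did not survive the reboot."""
    _, before = parse_mbam_log(first_log)
    _, after = parse_mbam_log(second_log)
    scheduled = {(d.section, d.item) for d in before
                 if d.action.lower().startswith("delete on reboot")}
    return [d for d in after if (d.section, d.item) in scheduled]


def bho_clsids(detections):
    """CLSIDs registered under Explorer\\Browser Helper Objects; IE loads each one."""
    return {m.group(1).lower() for d in detections
            for m in [BHO_RE.search(d.item)] if m}


# Constructed sample: the first log posted in the thread, trimmed to a few
# entries (two of the four "Browser Settings" values are kept).
FIRST_SCAN = r"""
Malwarebytes' Anti-Malware 1.34
Database version: 1887
Scan type: Quick Scan
Memory Modules Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINNT\system32\cewmdmq.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{458b9d54-91fd-4161-9a7e-4a50b9a53cbf} (Trojan.Downloader) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{458b9d54-91fd-4161-9a7e-4a50b9a53cbf} (Trojan.Downloader) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\WINNT\system32\cewmdmq.dll (Trojan.Downloader) -> Delete on reboot.
"""

# The second log in the thread (after the database update and a full scan)
# lists exactly the same items; only the header differs.
SECOND_SCAN = (FIRST_SCAN.replace("Database version: 1887", "Database version: 1890")
               .replace("Scan type: Quick Scan", r"Scan type: Full Scan (C:\|)"))

if __name__ == "__main__":
    hdr, dets = parse_mbam_log(SECOND_SCAN)
    print(f"database {hdr['Database version']}, {hdr['Scan type']}: {len(dets)} detections")
    for d in persistent_detections(FIRST_SCAN, SECOND_SCAN):
        print(f"still present after reboot: [{d.section}] {d.item} ({d.name})")
    print("BHO CLSIDs flagged:", sorted(bho_clsids(dets)))
```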

Staff

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


I tried to download ComboFix three times and a box came up saying something like "OS not compatible. Only Windows 2000 or XP". I have XP. Then another little box came up and says something like "You can't change ComboFix to ComboFix(1)". Is there anything else I can do?



I downloaded it.

ComboFix 09-03-23.01 - 137 2009-03-24 14:31:35.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.254.86 [GMT -5:00]

Running from: c:\documents and settings\137\ComboFix.exe

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.


.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NTIO256

-------\Legacy_OHCIUSB

-------\Service_ohciusb

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))

.

2009-03-24 14:23 . 2009-03-24 14:24 2,934,667 -ra------ c:\documents and settings\137\ComboFix.exe

2009-03-22 03:52 . 2009-03-22 03:52 21,632 --a------ c:\winnt\system32\drivers\gjn9637.sys

2009-03-22 03:51 . 2005-01-28 12:44 101,376 --a------ c:\winnt\system32\cewmdmq.dll

2009-03-01 19:57 . 2009-03-01 20:40 <DIR> d-------- c:\documents and settings\137\always_data

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-02-19 04:45 --------- d-----w c:\program files\FreeRIP3

2009-02-19 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\FreeRIP

2009-02-12 04:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-12 04:03 --------- d-----w c:\program files\America Online 7.0

2009-02-12 04:00 --------- d-----w c:\program files\Uniblue

2009-02-12 04:00 --------- d-----w c:\documents and settings\137\Application Data\Uniblue

2009-02-11 19:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-11 15:19 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys

2009-02-11 15:19 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys

2008-10-11 21:05 19,981 ----a-w c:\program files\Common Files\gegyp.vbs

2008-10-11 21:05 19,403 ----a-w c:\documents and settings\137\Application Data\awanonoreq.scr

2008-10-11 21:05 18,503 ----a-w c:\documents and settings\137\Application Data\ytyfeda.reg

2008-10-11 21:05 17,550 ----a-w c:\program files\Common Files\kujuvexopi.inf

2008-10-11 21:05 16,944 ----a-w c:\documents and settings\All Users\Application Data\efazec.sys

2008-10-11 21:05 16,382 ----a-w c:\documents and settings\137\Application Data\fapojehuny.exe

2008-10-11 21:05 13,962 ----a-w c:\program files\Common Files\sekulux.vbs

2008-10-11 21:00 19,976 ----a-w c:\program files\Common Files\idywym.db

2008-10-11 21:00 19,194 ----a-w c:\program files\Common Files\hugaziso.reg

2008-10-11 21:00 18,555 ----a-w c:\documents and settings\All Users\Application Data\alohub.reg

2008-10-11 21:00 16,392 ----a-w c:\documents and settings\All Users\Application Data\elebujufyh.vbs

2008-10-11 21:00 13,467 ----a-w c:\documents and settings\All Users\Application Data\ewego.bat

2008-10-11 21:00 11,539 ----a-w c:\program files\Common Files\onazev.ban

2008-10-11 21:00 11,440 ----a-w c:\documents and settings\All Users\Application Data\jiwaworo.dat

2007-12-17 18:09 251,967 ----a-w c:\documents and settings\137\TuaxInfo1.zip

2007-12-12 19:05 2,833,575 ----a-w c:\documents and settings\137\Boxes12-12-07007.zip

2007-12-10 17:51 13,535 ----a-w c:\documents and settings\137\FAX200712101022.zip

2007-11-30 17:39 3,890 ----a-w c:\documents and settings\137\HFLabResults.zip

2007-06-11 16:14 111,633 ----a-w c:\documents and settings\137\DOC070611-003.zip

2007-05-24 17:07 1,666,202 ----a-w c:\documents and settings\137\Image003.zip

2007-05-09 17:50 4,288,686 ----a-w c:\documents and settings\137\DSC00537.zip

2007-03-03 03:40 55,368 ----a-w c:\documents and settings\137\Application Data\GDIPFONTCACHEV1.DAT

2004-06-13 23:01 449 ----a-w c:\documents and settings\137\UpdateReg.reg

2004-04-30 03:36 1,999 ----a-w c:\documents and settings\137\winupdate.dat

2003-04-25 21:40 784 ----a-w c:\documents and settings\137\Application Data\mpauth.dat

2004-10-12 20:02 1,384,332 --sh--w c:\winnt\addins\tacvrd.bak2

2004-10-06 06:39 1,671,435 --sh--w c:\winnt\addins\vrsevaw.bak2

2004-10-18 11:37 28,792,728 --sha-w c:\winnt\system32\Microsoft\nulld.bak1

2004-10-18 11:38 28,792,728 --sh--w c:\winnt\system32\Microsoft\nulld.bak2

2004-10-15 15:23 410,731,701 --sha-w c:\winnt\Web\nupct.bak1

2004-10-16 18:07 854,146,211 --sh--w c:\winnt\Web\nupct.bak2

.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

.

----a-w 50,776 2005-07-12 11:17:44 c:\program files\America Online 9.0a\bak\AOL.EXE

----a-w 159,832 2005-07-29 16:53:50 c:\program files\Common Files\AOL\1102136020\EE\bak\AOLHostManager.exe

----a-w 13,416 2006-03-10 22:22:56 c:\program files\Common Files\AOL\1102136020\EE\AOLHostManager.exe

----a-r 34,904 2004-10-20 14:40:04 c:\program files\Common Files\AOL\ACS\bak\AOLDial.exe

----a-w 28,738 2001-08-17 04:41:58 c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 70,776 2004-09-15 01:02:18 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

----a-w 218,240 2004-11-02 21:59:52 c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

----a-w 278,528 2004-12-18 05:20:14 c:\program files\iTunes\bak\iTunesHelper.exe

----a-w 278,528 2004-12-18 04:20:14 c:\program files\iTunes\iTunesHelper.exe

----a-w 331,830 2001-08-23 21:52:52 c:\program files\Microsoft Works\bak\WksSb.exe

----a-w 110,592 2002-08-02 18:41:08 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

----a-w 135,168 2006-01-17 17:03:06 c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

----a-w 20,480 2001-11-07 18:25:54 c:\program files\PhoneTools\bak\CapFax.EXE

----a-w 99,480 2004-04-05 21:33:54 c:\program files\Pure Networks\Port Magic\bak\PortAOL.exe

----a-w 98,304 2005-03-30 03:43:34 c:\program files\QuickTime\bak\qttask.exe

----a-w 26,112 2004-09-26 16:13:25 c:\program files\Real\RealPlayer\bak\RealPlay.exe

----a-w 0 2006-10-23 02:38:04 c:\program files\Real\RealPlayer\realplay.exe

----a-w 684,032 2002-06-19 06:05:38 c:\program files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

----a-w 0 2006-10-23 02:37:55 c:\program files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe

----a-w 1,257,472 2006-07-20 14:24:32 c:\program files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe

----a-w 1,576,176 2008-09-03 18:07:12 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

----a-w 114,688 2002-05-15 01:20:50 c:\winnt\system32\bak\hkcmd.exe

----a-w 155,648 2002-05-15 01:29:02 c:\winnt\system32\bak\igfxtray.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{458B9D54-91FD-4161-9A7E-4A50B9A53CBF}]

2005-01-28 12:44 101376 --a------ c:\winnt\System32\cewmdmq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Microsoft Works Update Detection"="c:\program files\Microsoft Works\WkDetect.exe" [N/A]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-09-03 1576176]

"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [N/A]

"Uniblue RegistryBooster 2009"="c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe" [N/A]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [N/A]

"HostManager"="c:\program files\Common Files\AOL\1102136020\ee\AOLSoftware.exe" [2006-03-10 48280]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE]

"PROMon.exe"="PROMon.exe" [2002-04-18 c:\winnt\system32\PROMon.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0b\aoltray.exe [2006-09-21 36954]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"


  • Staff

Hi,

It looks like this computer was already infected for a while...

I see you have not downloaded Combofix to your desktop. This was an important step, because you have to create a cfscript and drag it into combofix, but because it's not on your desktop, it may be confusing for you..

Anyway, I hope you know where you downloaded combofix and ran it from.

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

File::

c:\winnt\System32\cewmdmq.dll

c:\program files\Common Files\gegyp.vbs

c:\documents and settings\137\Application Data\awanonoreq.scr

c:\documents and settings\137\Application Data\ytyfeda.reg

c:\program files\Common Files\kujuvexopi.inf

c:\documents and settings\All Users\Application Data\efazec.sys

c:\documents and settings\137\Application Data\fapojehuny.exe

c:\program files\Common Files\sekulux.vbs

c:\program files\Common Files\idywym.db

c:\program files\Common Files\hugaziso.reg

c:\documents and settings\All Users\Application Data\alohub.reg

c:\documents and settings\All Users\Application Data\elebujufyh.vbs

c:\documents and settings\All Users\Application Data\ewego.bat

c:\program files\Common Files\onazev.ban

c:\documents and settings\All Users\Application Data\jiwaworo.dat

c:\documents and settings\137\winupdate.dat

c:\documents and settings\137\Application Data\mpauth.dat

c:\winnt\addins\tacvrd.bak2

c:\winnt\addins\vrsevaw.bak2

c:\winnt\system32\Microsoft\nulld.bak1

c:\winnt\system32\Microsoft\nulld.bak2

c:\winnt\Web\nupct.bak1

c:\winnt\Web\nupct.bak2

Collect::[8]

c:\winnt\system32\drivers\gjn9637.sys

c:\winnt\system32\drivers\clhmjzbn.sys

AWF::

c:\program files\America Online 9.0a\bak\AOL.EXE

c:\program files\Common Files\AOL\1102136020\EE\bak\AOLHostManager.exe

c:\program files\Common Files\AOL\1102136020\EE\AOLHostManager.exe

c:\program files\Common Files\AOL\ACS\bak\AOLDial.exe

c:\program files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

c:\program files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe

c:\program files\iTunes\bak\iTunesHelper.exe

c:\program files\Microsoft Works\bak\WksSb.exe

c:\program files\MUSICMATCH\MUSICMATCH Jukebox\bak\mm_tray.exe

c:\program files\PhoneTools\bak\CapFax.EXE

c:\program files\Pure Networks\Port Magic\bak\PortAOL.exe

c:\program files\QuickTime\bak\qttask.exe

c:\program files\Real\RealPlayer\bak\RealPlay.exe

c:\program files\Roxio\Easy CD Creator 5\DirectCD\bak\DirectCD.exe

c:\program files\SUPERAntiSpyware\bak\SUPERAntiSpyware.exe

c:\winnt\system32\bak\hkcmd.exe

c:\winnt\system32\bak\igfxtray.exe

Driver::

cig28ff

gjn9637

iom2185

clhmjzbn

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{458B9D54-91FD-4161-9A7E-4A50B9A53CBF}]

Regnull::

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{2F2ED127-9180-E0E9-DD82A3EA97D23C2D}\{BC7AD397-E62C-4E1A-5A858785C5B4F8B7}\{1CB4FE78-537A-1AF0-DBD366375A0DFAF2}*]

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif

This will start ComboFix again.

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Here it is:

ComboFix 09-03-23.01 - 137 2009-03-24 15:54:01.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.0.1252.1.1033.18.254.38 [GMT -5:00]

Running from: c:\documents and settings\137\ComboFix.exe

Command switches used :: C:\CFScript.txt

* Created a new restore point

FILE ::

c:\documents and settings\137\Application Data\awanonoreq.scr

c:\documents and settings\137\Application Data\fapojehuny.exe

c:\documents and settings\137\Application Data\mpauth.dat

c:\documents and settings\137\Application Data\ytyfeda.reg

c:\documents and settings\137\winupdate.dat

c:\documents and settings\All Users\Application Data\alohub.reg

c:\documents and settings\All Users\Application Data\efazec.sys

c:\documents and settings\All Users\Application Data\elebujufyh.vbs

c:\documents and settings\All Users\Application Data\ewego.bat

c:\documents and settings\All Users\Application Data\jiwaworo.dat

c:\program files\Common Files\gegyp.vbs

c:\program files\Common Files\hugaziso.reg

c:\program files\Common Files\idywym.db

c:\program files\Common Files\kujuvexopi.inf

c:\program files\Common Files\onazev.ban

c:\program files\Common Files\sekulux.vbs

c:\winnt\addins\tacvrd.bak2

c:\winnt\addins\vrsevaw.bak2

c:\winnt\System32\cewmdmq.dll

c:\winnt\system32\Microsoft\nulld.bak1

c:\winnt\system32\Microsoft\nulld.bak2

c:\winnt\Web\nupct.bak1

c:\winnt\Web\nupct.bak2

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\137\Application Data\awanonoreq.scr

c:\documents and settings\137\Application Data\fapojehuny.exe

c:\documents and settings\137\Application Data\mpauth.dat

c:\documents and settings\137\Application Data\ytyfeda.reg

c:\documents and settings\137\winupdate.dat

c:\documents and settings\All Users\Application Data\alohub.reg

c:\documents and settings\All Users\Application Data\efazec.sys

c:\documents and settings\All Users\Application Data\elebujufyh.vbs

c:\documents and settings\All Users\Application Data\ewego.bat

c:\documents and settings\All Users\Application Data\jiwaworo.dat

c:\program files\Common Files\gegyp.vbs

c:\program files\Common Files\hugaziso.reg

c:\program files\Common Files\idywym.db

c:\program files\Common Files\kujuvexopi.inf

c:\program files\Common Files\onazev.ban

c:\program files\Common Files\sekulux.vbs

c:\winnt\addins\tacvrd.bak2

c:\winnt\addins\vrsevaw.bak2

c:\winnt\System32\cewmdmq.dll

c:\winnt\system32\drivers\clhmjzbn.sys

c:\winnt\system32\drivers\gjn9637.sys

c:\winnt\system32\Microsoft\nulld.bak1

c:\winnt\system32\Microsoft\nulld.bak2

c:\winnt\Web\nupct.bak1

c:\winnt\Web\nupct.bak2

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_CLHMJZBN

-------\Legacy_GJN9637

-------\Service_clhmjzbn

-------\Service_gjn9637

((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))

.

2009-03-24 14:23 . 2009-03-24 14:24 2,934,667 -ra------ c:\documents and settings\137\ComboFix.exe

2009-03-01 19:57 . 2009-03-01 20:40 <DIR> d-------- c:\documents and settings\137\always_data

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-24 21:03 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-03-24 21:03 --------- d-----w c:\program files\America Online 9.0a

2009-03-24 20:53 --------- d-----w c:\program files\SUPERAntiSpyware

2009-03-24 20:53 --------- d-----w c:\program files\QuickTime

2009-03-24 20:53 --------- d-----w c:\program files\PhoneTools

2009-03-24 20:53 --------- d-----w c:\program files\Microsoft Works

2009-03-24 20:53 --------- d-----w c:\program files\iTunes

2009-02-19 04:45 --------- d-----w c:\program files\FreeRIP3

2009-02-19 04:45 --------- d-----w c:\documents and settings\All Users\Application Data\FreeRIP

2009-02-12 04:32 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-12 04:03 --------- d-----w c:\program files\America Online 7.0

2009-02-12 04:00 --------- d-----w c:\program files\Uniblue

2009-02-12 04:00 --------- d-----w c:\documents and settings\137\Application Data\Uniblue

2009-02-11 19:30 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-11 15:19 38,496 ----a-w c:\winnt\system32\drivers\mbamswissarmy.sys

2009-02-11 15:19 15,504 ----a-w c:\winnt\system32\drivers\mbam.sys

2007-12-17 18:09 251,967 ----a-w c:\documents and settings\137\TuaxInfo1.zip

2007-12-12 19:05 2,833,575 ----a-w c:\documents and settings\137\Boxes12-12-07007.zip

2007-12-10 17:51 13,535 ----a-w c:\documents and settings\137\FAX200712101022.zip

2007-11-30 17:39 3,890 ----a-w c:\documents and settings\137\HFLabResults.zip

2007-06-11 16:14 111,633 ----a-w c:\documents and settings\137\DOC070611-003.zip

2007-05-24 17:07 1,666,202 ----a-w c:\documents and settings\137\Image003.zip

2007-05-09 17:50 4,288,686 ----a-w c:\documents and settings\137\DSC00537.zip

2007-03-03 03:40 55,368 ----a-w c:\documents and settings\137\Application Data\GDIPFONTCACHEV1.DAT

2004-06-13 23:01 449 ----a-w c:\documents and settings\137\UpdateReg.reg

.

((((((((((((((((((((((((((((( SnapShot@2009-03-24_14.45.50.04 )))))))))))))))))))))))))))))))))))))))))

.

+ 2002-05-15 01:20:50 114,688 ----a-w c:\winnt\system32\hkcmd.exe

+ 2002-05-15 01:29:02 155,648 ----a-w c:\winnt\system32\igfxtray.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MoneyAgent"="c:\program files\Microsoft Money\System\Money Express.exe" [2001-07-25 184376]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2006-07-20 1257472]

"AOL Fast Start"="c:\program files\America Online 9.0a\AOL.EXE" [2005-07-12 50776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2002-08-02 110592]

"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-10-20 34904]

"HostManager"="c:\program files\Common Files\AOL\1102136020\ee\AOLSoftware.exe" [2006-03-10 48280]

"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 c:\winnt\system32\SK9910DM.EXE]

"PROMon.exe"="PROMon.exe" [2002-04-18 c:\winnt\system32\PROMon.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2001-08-02 1077277]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

America Online 9.0 Tray Icon.lnk - c:\program files\America Online 9.0b\aoltray.exe [2006-09-21 36954]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2008-09-03 8944]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-09-03 55024]

R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [2002-09-05 6736]

R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-09-03 7408]

S0 bhf0a86;bhf0a86;\SystemRoot\\SystemRoot\System32\drivers\gjn9637.sys --> \SystemRoot\\SystemRoot\System32\drivers\gjn9637.sys [?]

S3 iscFlash;iscFlash;\??\c:\winnt\SYSTEM32\DRIVERS\iscflash.sys --> c:\winnt\SYSTEM32\DRIVERS\iscflash.sys [?]

S3 Wdm1;USB Bridge Cable Driver;c:\winnt\system32\drivers\usbbc.sys [2005-03-25 15576]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLHMJZBN

*NewlyCreated* - NMSCFG

*NewlyCreated* - NMSSVC

*NewlyCreated* - SYMTDI

*Deregistered* - SYMTDI

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

UxTuneUp

.

Contents of the 'Scheduled Tasks' folder

2008-10-10 c:\winnt\Tasks\1-Click Maintenance.job

- c:\program files\TuneUp Utilities 2006\SystemOptimizer.exe [2006-10-05 15:09]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

HKCU-Run-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

mStart Page = hxxp://www.google.com

IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML

DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-24 16:02:57

Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1106520001-2304659736-1445258045-1005\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1106520001-2304659736-1445258045-1005\Software\Policies\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (S-1-5-21-1106520001-2304659736-1445258045-1005)

@Allowed: (Read) (S-1-5-21-1106520001-2304659736-1445258045-1005)

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(472)

c:\winnt\system32\ODBC32.dll

c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(528)

c:\winnt\System32\dssenh.dll

.

ComboFix-quarantined-files.txt 2009-03-24 21:10:11

ComboFix2.txt 2009-03-24 19:50:53

Pre-Run: 3,038,904,320 bytes free

Post-Run: 3,038,969,856 bytes free

189 --- E O F --- 2009-03-18 08:02:56


  • Staff

Hi,

Then, please visit this site:

http://www.bleepingcomputer.com/submit-malware.php?channel=8

Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)

Then click the "Send File" button below in order to upload it.

Can you please perform this as well?

Then, go to start > run and copy and paste next commands in the field:

sc delete bhf0a86 (hit Enter)

sc delete CLHMJZBN (hit Enter)

Let me know in your next reply how things are now.
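A check worth doing before the two sc delete commands above, as an added example that is not from this thread or its staff: it reads each service's ImagePath from the registry, resolves the \SystemRoot\ prefix the way it appears in the ComboFix log, and only deletes the entry when the driver file is already gone. Service names are the two from the thread; an elevated PowerShell 2.0 or later prompt on the affected machine is assumed.

```powershell
# Added example, not from the thread: before running "sc delete" on the two
# leftover driver services (bhf0a86 and CLHMJZBN from the ComboFix log above),
# confirm each one is orphaned, i.e. its ImagePath no longer exists on disk.
# Assumes an elevated PowerShell 2.0+ prompt on the affected machine.
function Test-OrphanedDriverService {
    param([Parameter(Mandatory = $true)][string]$Name)

    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path -Path $key)) {
        return New-Object PSObject -Property @{
            Name = $Name; Present = $false; ImagePath = $null; FileExists = $false
        }
    }

    $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).ImagePath
    $resolved = $null
    if ($raw) {
        # The log shows "\SystemRoot\\SystemRoot\System32\drivers\gjn9637.sys":
        # drop a leading "\??\" and any run of "\SystemRoot\" prefixes, then
        # anchor a relative remainder under the real %SystemRoot%.
        $path = $raw -replace '^\\\?\?\\', ''
        $path = $path -replace '^(\\SystemRoot\\)+', ''
        if ($path -notmatch '^[A-Za-z]:\\') {
            $path = Join-Path -Path $env:SystemRoot -ChildPath $path
        }
        $resolved = $path
    }

    $exists = $false
    if ($resolved) { $exists = Test-Path -LiteralPath $resolved }
    New-Object PSObject -Property @{
        Name = $Name; Present = $true; ImagePath = $resolved; FileExists = $exists
    }
}

foreach ($svc in 'bhf0a86', 'CLHMJZBN') {
    $state = Test-OrphanedDriverService -Name $svc
    if (-not $state.Present) {
        Write-Output "${svc}: no service key present, nothing to remove"
        continue
    }
    if ($state.FileExists) {
        # A driver that is still on disk is not an orphan: quarantine it first.
        Write-Output "${svc}: driver file $($state.ImagePath) still exists, not deleting"
        continue
    }
    Write-Output "${svc}: ImagePath $($state.ImagePath) is missing, removing orphaned entry"
    sc.exe delete $svc
}
```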


I did the three steps and the problem has gone. However, when I tried to post to MalwareBytes I got an error message and it shuts down on IE, and on the AOL browser it stands still like it's loading and will not allow me to post. I am at a different computer now and this is how I have been posting. Is my problem fixed but the error message unrelated and some other problem?


I turned my computer off and then on and when it loads I get this message:

mm_tray.exe -Entry Point Not Found

The procedure entry point?OMCreateObject@@YA_NPBDO_NPAPAVmiInterface@@@Z could not be located in the dynamic link library ObjectManager.dll.

Do you know what this is and how I can correct it?


  • Staff

Hi,

This is a result of a previous infection you were dealing with, the AWF infection. We had to replace some files from a backup, and you get an error because the version we replaced appears to be an older version.

Not a big deal though.. in this case it's about the Musicmatch MMtray and your AOL. What I suggest is to reinstall both (Musicmatch and AOL), because parts became corrupted in it anyway.


Do you know why Internet Explorer gets an error message when I try to reply to this forum? The message I get says:

Error signature

AppName: iexplore.exe AppVer:6.0.2600.0 ModName: mshtml.dll

ModVer: 6.0.2600.0 Offset: 001071a

Is this something I can correct?

Also, I tried to uninstall MusicMatch from add/remove but it will not remove. Is there another way to do it?


Here it is:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:55:38 PM, on 3/24/2009

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Boot mode: Normal

Running processes:

C:\WINNT\System32\smss.exe

C:\WINNT\system32\winlogon.exe

C:\WINNT\system32\services.exe

C:\WINNT\system32\lsass.exe

C:\WINNT\system32\svchost.exe

C:\WINNT\System32\svchost.exe

C:\WINNT\system32\spoolsv.exe

C:\WINNT\Explorer.EXE

C:\WINNT\System32\SK9910DM.EXE

C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

C:\WINNT\System32\PROMon.exe

C:\Program Files\Common Files\AOL\1102136020\ee\AOLSoftware.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\Program Files\America Online 9.0a\waol.exe

C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

C:\WINNT\System32\NMSSvc.exe

C:\WINNT\wanmpsvc.exe

C:\WINNT\System32\wuauclt.exe

c:\program files\common files\aol\1102136020\ee\services\antiSpywareApp\ver2_0_32_1\AOLSP Scheduler.exe

c:\program files\common files\aol\1102136020\ee\aolsoftware.exe

C:\Program Files\America Online 9.0a\shellmon.exe

C:\Program Files\Audacity\audacity.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx

O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE

O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"

O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe

O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102136020\ee\AOLSoftware.exe

O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b

O4 - HKUS\S-1-5-18\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Default user')

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0b\aoltray.exe

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe

O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe

O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\aolserv.exe (file missing)

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

--

End of file - 4208 bytes

No need to uninstall it, just reinstall it :(

Let's have a look at what is running in IE there... (BHO - toolbar, because Combofix whitelists some)

* Download Trend Micro HijackThis


  • Staff

Hi,

No wonder you get these errors: your PC has never been updated!

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

The very first and most important step is to update your Windows here.

Update to Service Pack 3 and your Internet Explorer to IE7 or IE8.

Update goes via start > Windows update.

You also need Security Software, because I don't even see an Antivirus installed here! Can you explain why your Windows is outdated and there's no Antivirus present here?


I use the computer for information and correspondence. I did not know the importance of updates or antivirus. I will do it now.

  • Staff
The updates installed and I am now able to reply to the forum using this computer.
That's one of the reasons why the update was needed.

I hope you also installed an antivirus, because it's really needed to prevent malware in the future.

Also,

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again! :(


  • Staff

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

