Malware.trace


Hello all,

I'll say this much, if buying the full version of Malwarebytes gets rid of this problem, I'd be glad to do it. At this point, short of re-installing Windows, I just don't have the skill to know what to do, and what I've Googled so far about the problem seems to indicate that it's way out of my skill range. It's all Greek to me, to be perfectly honest.

Here's my log, if anyone wants to see.

Malwarebytes' Anti-Malware 1.35

Database version: 1917

Windows 5.1.2600 Service Pack 2

3/30/2009 12:07:54 PM

mbam-log-2009-03-30 (12-07-54).txt

Scan type: Full Scan (C:\|)

Objects scanned: 156487

Time elapsed: 1 hour(s), 30 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antispyware (Rogue.Antispyware) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\Tasks\Antispyware Scheduled Scan.job (Rogue.Antispyware) -> Quarantined and deleted successfully.

Whoops, you need the HijackThis Log, sorry.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:20:58 PM, on 3/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O2 - BHO: (no name) - {C2BA40A2-74F3-42BD-F434-2604812C8954} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [sdScansCH] rundll32.exe C:\WINDOWS\stup_tmp.#32,Ini

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132637091218

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: karna.dat cfpmrh.dll eefsyf.dll C:\WINDOWS\system32\wafofozu.dll c:\windows\

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 6190 bytes

  • Root Admin

Please UPDATE MBAM again and do another Quick Scan and post that log.

Update and Scan with Malwarebytes' Anti-Malware

  • Start MalwareBytes AntiMalware (Vista users must right-click and choose Run As Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab.
    • Click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then post back the MBAM log and a new HijackThis log.

Thanks.

Here's my mbam log:

Windows 5.1.2600 Service Pack 2

4/1/2009 10:24:12 AM

mbam-log-2009-04-01 (10-24-12).txt

Scan type: Full Scan (C:\|)

Objects scanned: 127381

Time elapsed: 1 hour(s), 23 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a2-74f3-42bd-f434-2604812c8954} (Trojan.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\restore (Rootkit.Agent) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\AGprotect (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And here's my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:25:32 AM, on 4/1/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [sdScansCH] rundll32.exe C:\WINDOWS\stup_tmp.#32,Ini

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"

O4 - HKLM\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-21-527237240-1417001333-725345543-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Marie and Eamon')

O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm

O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: Download web site with Free Download Manager - file://C:\Program Files\Free Download Manager\dlpage.htm

O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132637091218

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: karna.dat cfpmrh.dll eefsyf.dll C:\WINDOWS\system32\wafofozu.dll c:\windows\

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 6512 bytes

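
The HijackThis log above is what a helper reads by eye: the O20 AppInit_DLLs line, the brastk entries under the SYSTEM and Default-user Run keys, the rundll32 launch of a file that is not a DLL, and the leftover BHO/toolbar/button entries pointing at missing files. The script below is an added example, not part of this thread and not HijackThis's own code, that applies those same triage rules to the log text. The sample lines are copied from the log above; the rules and the severity labels are this example's own assumptions, not anything HijackThis itself reports.

```python
"""Triage a HijackThis 2.0.2 log for the entries a helper looks at first.

Added example for this thread; not part of the original posts and not
HijackThis's own code. The rules below are this example's own heuristics.
"""
import ntpath
import re

# O4 - <hive>\..\<key>: [<name>] <command>   (hive may carry a SID or .DEFAULT)
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[^\\]+(?:\\[^\\]+)?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<value>.*)$")
ORPHAN_RE = re.compile(r"^O(?:2|3|9) - .*\((?:no file|file missing)\)$")
RUNDLL_RE = re.compile(r'^"?rundll32(?:\.exe)?"?\s+(?P<target>[^,]+)', re.IGNORECASE)

# Run keys of the SYSTEM account and the Default profile: ordinary software has
# no reason to register there, so anything found is treated as high severity.
SERVICE_HIVES = ("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")

# Sample input: lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [sdScansCH] rundll32.exe C:\WINDOWS\stup_tmp.#32,Ini
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKUS\S-1-5-18\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [brastk] C:\WINDOWS\system32\brastk.exe (User 'Default user')
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)
O20 - AppInit_DLLs: karna.dat cfpmrh.dll eefsyf.dll C:\WINDOWS\system32\wafofozu.dll c:\windows\
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


def triage_hjt(log_text):
    """Return a list of {severity, reason, entry} dicts, one per suspicious item."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O20_RE.match(line)
        if m:
            # AppInit_DLLs is loaded into every process that maps user32.dll,
            # so each listed module is a system-wide injection point.
            for module in m.group("value").split():
                findings.append({"severity": "high",
                                 "reason": "AppInit_DLLs injection",
                                 "entry": module})
            continue
        m = O4_RE.match(line)
        if m:
            name, cmd = m.group("name"), m.group("cmd")
            if m.group("hive") in SERVICE_HIVES:
                findings.append({"severity": "high",
                                 "reason": "Run entry under SYSTEM/Default profile",
                                 "entry": f"{name} -> {cmd}"})
            r = RUNDLL_RE.match(cmd)
            if r:
                target = r.group("target").strip().strip('"')
                # rundll32 loading something that is not a .dll (here a ".#32"
                # file in C:\WINDOWS) is a common disguise for a dropped module.
                if ntpath.splitext(target)[1].lower() != ".dll":
                    findings.append({"severity": "medium",
                                     "reason": "rundll32 target is not a .dll",
                                     "entry": f"{name} -> {target}"})
            continue
        if ORPHAN_RE.match(line):
            # Registration left behind after the file went away: harmless on
            # its own, but clean-up work and sometimes a trace of an earlier
            # removal attempt.
            findings.append({"severity": "low",
                             "reason": "orphaned entry, file missing",
                             "entry": line})
    return findings


def severity_counts(findings):
    """Tally findings by severity, e.g. {'high': 7, 'medium': 1, 'low': 4}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"[{f['severity']:6}] {f['reason']}: {f['entry']}")
    print(severity_counts(triage_hjt(SAMPLE_HJT)))
```

Run as-is it leaves the Intel, NVIDIA, Adobe and Malwarebytes entries alone and reports only the five AppInit modules, the two brastk entries, the stup_tmp.#32 launch and the four orphans. O23 service lines are deliberately not scored: a service needs its owner and image path cross-checked against the Drivers/Services section of a ComboFix report rather than a string rule, and the same goes for the svchost instances in the process list.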
  • Root Admin

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double-click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop.
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG:
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows.

ComboFix 09-04-04.01 - Ciaran 2009-04-05 12:44:15.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1659 [GMT -4:00]

Running from: c:\documents and settings\Ciaran\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Ciaran\Cookies\ajafiquli.dll

c:\documents and settings\Ciaran\Cookies\boriby._sy

c:\documents and settings\Ciaran\Cookies\ezomagepoj.inf

c:\documents and settings\Ciaran\Cookies\ikocoqim.scr

c:\documents and settings\Ciaran\Cookies\someteh._dl

c:\documents and settings\Ciaran\Cookies\yzyca.reg

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\abyvononav.dll

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\anytoqosu.pif

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\bestwiner.stt

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\CPV.stt

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\dadygaze.com

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\EVRCEncUnit.dll

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\install4355.smlu

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\SVPorsche.inf

c:\documents and settings\Ciaran\Local Settings\Temporary Internet Files\vukiv.reg

c:\documents and settings\Marie and Eamon\Local Settings\Temporary Internet Files\nomyw.dat

c:\documents and settings\Marie and Eamon\Local Settings\Temporary Internet Files\razygurady.com

c:\windows\DRIVERS\beep.sys

c:\windows\IE4 Error Log.txt

c:\windows\system32\TDSSosvd.dat

c:\windows\Tasks\oscjxqla.job

c:\windows\wiaserviv.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_botdrv

-------\Service_botdrv

-------\Service_restore

((((((((((((((((((((((((( Files Created from 2009-03-05 to 2009-04-05 )))))))))))))))))))))))))))))))

.

2009-04-04 18:13 . 2009-04-04 18:16 <DIR> d-------- c:\documents and settings\Ciaran\Application Data\vlc

2009-03-30 15:20 . 2009-03-30 15:20 <DIR> d-------- c:\program files\Trend Micro

2009-03-30 12:37 . 2009-03-30 12:37 <DIR> d-------- c:\program files\AVG

2009-03-30 12:37 . 2009-03-30 15:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-29 19:50 . 2009-03-29 19:54 <DIR> d-------- C:\SDFix

2009-03-29 13:59 . 2009-03-29 14:00 <DIR> d-------- c:\documents and settings\Ciaran\Application Data\Antispyware

2009-03-29 13:43 . 2009-03-29 13:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-29 13:42 . 2009-03-29 13:53 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-29 13:42 . 2009-03-29 13:53 <DIR> d-------- c:\documents and settings\Ciaran\Application Data\SUPERAntiSpyware.com

2009-03-28 19:20 . 2009-03-28 19:20 <DIR> d-------- c:\program files\TVAnts

2009-03-27 18:01 . 2009-03-27 18:01 42,496 --a------ c:\windows\system32\kuzSniper.exe

2009-03-27 17:57 . 2009-03-27 17:57 62,976 --a------ C:\tqaau.exe

2009-03-27 17:56 . 2009-03-27 17:56 213,376 --a--c--- c:\windows\system32\dllcache\ndis.sys

2009-03-27 17:52 . 2009-03-27 17:58 2 --a------ C:\2097001235

2009-03-23 19:31 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll

2009-03-23 19:31 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-23 19:30 . 2009-03-23 19:31 <DIR> d-------- c:\program files\iTunes

2009-03-23 19:30 . 2009-03-23 19:30 <DIR> d-------- c:\program files\iPod

2009-03-23 19:29 . 2009-03-23 19:29 <DIR> d-------- c:\program files\Apple Software Update

2009-03-23 19:29 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

2009-03-23 19:29 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys

2009-03-23 19:28 . 2009-03-23 19:30 <DIR> d-------- c:\program files\Common Files\Apple

2009-03-23 17:16 . 2009-03-23 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-23 17:15 . 2009-03-23 17:15 <DIR> d-------- c:\program files\Bonjour

2009-03-17 20:29 . 2009-03-27 23:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-17 20:29 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-17 20:29 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-07 16:34 . 2009-03-07 16:34 <DIR> d-------- c:\program files\Real Alternative

2009-03-06 14:50 . 2009-03-06 14:50 73,728 --a------ c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-05 01:19 --------- d-----w c:\program files\mIRC

2009-04-05 00:14 --------- d-----w c:\documents and settings\Ciaran\Application Data\dvdcss

2009-04-04 22:12 --------- d-----w c:\program files\VideoLAN

2009-04-03 17:37 --------- d-----w c:\documents and settings\Ciaran\Application Data\uTorrent

2009-03-30 04:24 --------- d-----w c:\program files\IrfanView

2009-03-30 02:55 --------- d-----w c:\documents and settings\Ciaran\Application Data\Skype

2009-03-30 00:02 --------- d-----w c:\documents and settings\Ciaran\Application Data\skypePM

2009-03-29 05:56 --------- d-----w c:\documents and settings\Marie and Eamon\Application Data\Skype

2009-03-29 01:56 --------- d-----w c:\documents and settings\Marie and Eamon\Application Data\skypePM

2009-03-27 21:56 213,376 ----a-w c:\windows\system32\drivers\ndis.sys

2009-03-23 23:30 --------- d-----w c:\program files\QuickTime

2009-03-02 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Citrix

2009-03-02 02:57 --------- d-----w c:\program files\Citrix

2009-03-02 02:37 --------- d-----w c:\program files\Media Player Classic

2009-03-02 01:52 --------- d-----w c:\program files\ffdshow

2009-03-02 01:49 --------- d-----w c:\program files\Matroska Pack

2009-03-01 19:22 --------- d-----w c:\program files\AIM Lite

2009-03-01 02:01 --------- d-----w c:\program files\Common Files\Real

2009-02-28 22:18 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-28 22:18 --------- d-----w c:\program files\Common Files\AOL

2009-02-28 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-02-28 22:17 --------- d-----w c:\program files\ICQLite

2009-02-28 22:15 --------- d-----w c:\documents and settings\Ciaran\Application Data\ICQ

2009-02-28 17:41 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-02-28 17:06 --------- d-----w c:\program files\Microsoft Chat

2009-02-28 03:56 --------- d-----w c:\program files\Ahead

2009-02-28 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-02-28 03:42 --------- d-----w c:\documents and settings\Ciaran\Application Data\Move Networks

2009-02-28 03:30 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-28 03:29 --------- d-----w c:\program files\Amazon

2009-02-28 03:29 --------- d-----w c:\documents and settings\Ciaran\Application Data\Amazon

2009-02-28 02:52 --------- d-----w c:\program files\Soulseek

2009-02-28 02:50 --------- d-----w c:\program files\blueMSX

2009-02-28 02:49 --------- d-----w c:\program files\Transparent

2009-02-28 02:37 --------- d-----w c:\program files\Java

2009-02-28 02:29 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft

2009-02-28 02:28 --------- d-----w c:\program files\DivX

2009-02-28 02:13 --------- d-----w c:\program files\Winamp

2009-02-28 02:13 --------- d-----w c:\program files\eMule

2009-02-28 02:06 --------- d-----w c:\program files\DC++

2009-02-21 22:27 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks

2008-10-21 02:48 18,783 ----a-w c:\program files\Common Files\susehicujy.lib

2008-10-21 02:48 18,145 ----a-w c:\program files\Common Files\abyji.reg

2008-10-21 02:48 15,493 ----a-w c:\documents and settings\All Users\Application Data\nucyfuv.sys

2008-10-21 02:48 14,561 ----a-w c:\documents and settings\All Users\Application Data\bepefata.bat

2008-10-21 02:48 11,045 ----a-w c:\program files\Common Files\fyvalu.bat

2008-10-21 02:48 10,749 ----a-w c:\documents and settings\Ciaran\Application Data\fukuwafeq.bat

2008-09-05 01:55 19,477 ----a-w c:\program files\Common Files\licyw.lib

2008-09-05 01:55 14,397 ----a-w c:\documents and settings\Ciaran\Application Data\fixug.pif

2008-09-05 01:55 14,158 ----a-w c:\documents and settings\Ciaran\Application Data\abusamajag.reg

2008-09-05 01:55 11,822 ----a-w c:\program files\Common Files\toxyzukad.db

2008-09-05 01:55 11,137 ----a-w c:\program files\Common Files\avug.bat

2008-09-05 01:55 11,110 ----a-w c:\documents and settings\All Users\Application Data\udibigota.vbs

2008-02-10 02:20 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-12-19 22:00 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 22:00 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 22:00 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 22:00 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 22:00 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2005-07-29 21:24 472 --sha-r c:\windows\cGM\w3g.vbs

.

------- Sigcheck -------

2001-08-23 08:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\$NtServicePackUninstall$\ndis.sys

2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\ServicePackFiles\i386\ndis.sys

2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys

2009-03-27 17:56 213376 3d748d850b1c17c357c54bbfd4835f27 c:\windows\system32\dllcache\ndis.sys

2009-03-27 17:56 213376 3d748d850b1c17c357c54bbfd4835f27 c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"SdScansCH"="c:\windows\stup_tmp.#32" [2005-02-12 2648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-06 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.avis"= ff_acm.acm

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-10-19 08:59 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]

--a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\AIM Lite\\aimlite.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 82032481;82032481;c:\windows\system32\drivers\82032481.sys --> c:\windows\system32\drivers\82032481.sys [?]

S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-09-15 509312]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-09-15 3768]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59a363ec-b5ab-11dc-98ab-000bdbbf4a38}]

\Shell\AutoRun\command - g:\wd_windows_tools\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]

rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\CChat25.inf,PerUserRemove

.

Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM - c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

HKLM-Run-Adobe Photo Downloader - c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

HKU-Default-Run-brastk - c:\windows\system32\brastk.exe

MSConfigStartUp-ccApp - c:\program files\Common Files\Symantec Shared\ccApp.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm

IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm

FF - ProfilePath - c:\documents and settings\Ciaran\Application Data\Mozilla\Firefox\Profiles\d7fi6qz6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll

FF - plugin: c:\program files\DideoNET\SeeMedia Mozilla PlugIns\npSLViewer.dll

FF - plugin: c:\program files\DideoNET\SeeMedia Mozilla PlugIns\npSMLiveUpdater.dll

FF - plugin: c:\program files\DideoNET\SeeMedia Mozilla PlugIns\npSVPorsche.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npSLViewer.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npSMLiveUpdater.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npSVPorsche.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-05 12:48:50

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\WgaTray.exe

.

**************************************************************************

.

Completion time: 2009-04-05 12:56:03 - machine was rebooted [Ciaran]

ComboFix-quarantined-files.txt 2009-04-05 16:54:45

Pre-Run: 25,834,643,456 bytes free

Post-Run: 27,176,464,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

258 --- E O F --- 2009-03-18 11:25:49


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:57:07 PM, on 4/5/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [sdScansCH] rundll32.exe C:\WINDOWS\stup_tmp.#32,Ini

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132637091218

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 5366 bytes


Well, I seem to have gotten rid of it, as my Anti-Malware file couldn't find anything, but I'm still suffering from another problem that Anti-Malware can't seem to detect: when I use a search engine, many sites are forcefully re-directed to an advertisement for Stopzilla. Any ideas?


  • Root Admin

Where are the DDS, BOOTLOG, and ROOT REPEAL logs?

Please zip the following files into a file and upload them to your reply so we can determine if these files are bad or not.

c:\program files\Common Files\susehicujy.lib

c:\program files\Common Files\abyji.reg

c:\documents and settings\All Users\Application Data\nucyfuv.sys

c:\documents and settings\All Users\Application Data\bepefata.bat

c:\program files\Common Files\fyvalu.bat

c:\documents and settings\Ciaran\Application Data\fukuwafeq.bat

c:\program files\Common Files\licyw.lib

c:\documents and settings\Ciaran\Application Data\abusamajag.reg

c:\documents and settings\Ciaran\Application Data\fixug.pif

c:\program files\Common Files\toxyzukad.db

c:\program files\Common Files\avug.bat

c:\documents and settings\All Users\Application Data\udibigota.vbs

c:\windows\cGM\w3g.vbs


Combofix:

ComboFix 09-04-04.01 - Ciaran 2009-04-06 11:17:13.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1701 [GMT -4:00]

Running from: c:\documents and settings\Ciaran\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd

c:\documents and settings\All Users\Application Data\CrucialSoft Ltd\MS AntiSpyware 2009\msas2009.exe

c:\program files\Microsoft Common

c:\program files\Microsoft Common\svchost.exe

c:\windows\IE4 Error Log.txt

c:\windows\Temp\997868966.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_restore

((((((((((((((((((((((((( Files Created from 2009-03-06 to 2009-04-06 )))))))))))))))))))))))))))))))

.

2009-04-06 09:24 . 2009-04-06 09:24 1,420 --a------ c:\windows\Uxenaxitivu.dat

2009-04-06 09:24 . 2009-04-06 09:24 16 --a------ c:\windows\Lwicifigocixa.bin

2009-04-05 21:24 . 2009-04-05 21:24 <DIR> d-------- c:\documents and settings\Marie and Eamon\Application Data\vlc

2009-04-05 15:16 . 2009-04-05 15:17 <DIR> d-------- c:\documents and settings\Ciaran\Application Data\vlc

2009-04-05 14:53 . 2009-04-05 19:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft

2009-03-30 15:20 . 2009-03-30 15:20 <DIR> d-------- c:\program files\Trend Micro

2009-03-30 12:37 . 2009-03-30 12:37 <DIR> d-------- c:\program files\AVG

2009-03-30 12:37 . 2009-03-30 15:20 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8

2009-03-29 19:50 . 2009-03-29 19:54 <DIR> d-------- C:\SDFix

2009-03-29 13:59 . 2009-03-29 14:00 <DIR> d-------- c:\documents and settings\Ciaran\Application Data\Antispyware

2009-03-29 13:43 . 2009-03-29 13:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-03-29 13:42 . 2009-03-29 13:53 <DIR> d-------- c:\program files\SUPERAntiSpyware

2009-03-29 13:42 . 2009-03-29 13:53 <DIR> d-------- c:\documents and settings\Ciaran\Application Data\SUPERAntiSpyware.com

2009-03-28 19:20 . 2009-03-28 19:20 <DIR> d-------- c:\program files\TVAnts

2009-03-27 18:01 . 2009-03-27 18:01 42,496 --a------ c:\windows\system32\kuzSniper.exe

2009-03-27 17:57 . 2009-03-27 17:57 62,976 --a------ C:\tqaau.exe

2009-03-27 17:56 . 2009-03-27 17:56 213,376 --a--c--- c:\windows\system32\dllcache\ndis.sys

2009-03-27 17:52 . 2009-03-27 17:58 2 --a------ C:\2097001235

2009-03-23 19:31 . 2008-04-17 12:12 107,368 --a------ c:\windows\system32\GEARAspi.dll

2009-03-23 19:31 . 2009-01-15 12:19 23,848 --a------ c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-23 19:30 . 2009-03-23 19:31 <DIR> d-------- c:\program files\iTunes

2009-03-23 19:30 . 2009-03-23 19:30 <DIR> d-------- c:\program files\iPod

2009-03-23 19:29 . 2009-03-23 19:29 <DIR> d-------- c:\program files\Apple Software Update

2009-03-23 19:29 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll

2009-03-23 19:29 . 2009-03-05 23:59 36,864 --a------ c:\windows\system32\drivers\usbaapl.sys

2009-03-23 19:28 . 2009-03-23 19:30 <DIR> d-------- c:\program files\Common Files\Apple

2009-03-23 17:16 . 2009-03-23 17:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-23 17:15 . 2009-03-23 17:15 <DIR> d-------- c:\program files\Bonjour

2009-03-17 20:29 . 2009-03-27 23:15 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-03-17 20:29 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-17 20:29 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-03-07 16:34 . 2009-03-07 16:34 <DIR> d-------- c:\program files\Real Alternative

2009-03-06 14:50 . 2009-03-06 14:50 73,728 --a------ c:\windows\system32\javacpl.cpl

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-04-06 05:48 --------- d-----w c:\program files\mIRC

2009-04-05 23:21 --------- d-----w c:\documents and settings\Ciaran\Application Data\dvdcss

2009-04-05 23:06 --------- d-----w c:\program files\Telltale Games

2009-04-05 18:32 --------- d-----w c:\documents and settings\Ciaran\Application Data\skypePM

2009-04-05 18:32 --------- d-----w c:\documents and settings\Ciaran\Application Data\Skype

2009-04-04 22:12 --------- d-----w c:\program files\VideoLAN

2009-04-03 17:37 --------- d-----w c:\documents and settings\Ciaran\Application Data\uTorrent

2009-03-30 04:24 --------- d-----w c:\program files\IrfanView

2009-03-29 05:56 --------- d-----w c:\documents and settings\Marie and Eamon\Application Data\Skype

2009-03-29 01:56 --------- d-----w c:\documents and settings\Marie and Eamon\Application Data\skypePM

2009-03-27 21:56 213,376 ----a-w c:\windows\system32\drivers\ndis.sys

2009-03-23 23:30 --------- d-----w c:\program files\QuickTime

2009-03-02 02:58 --------- d-----w c:\documents and settings\All Users\Application Data\Citrix

2009-03-02 02:57 --------- d-----w c:\program files\Citrix

2009-03-02 02:37 --------- d-----w c:\program files\Media Player Classic

2009-03-02 01:52 --------- d-----w c:\program files\ffdshow

2009-03-02 01:49 --------- d-----w c:\program files\Matroska Pack

2009-03-01 19:22 --------- d-----w c:\program files\AIM Lite

2009-03-01 02:01 --------- d-----w c:\program files\Common Files\Real

2009-02-28 22:18 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-28 22:18 --------- d-----w c:\program files\Common Files\AOL

2009-02-28 22:18 --------- d-----w c:\documents and settings\All Users\Application Data\AOL

2009-02-28 22:17 --------- d-----w c:\program files\ICQLite

2009-02-28 22:15 --------- d-----w c:\documents and settings\Ciaran\Application Data\ICQ

2009-02-28 17:41 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2009-02-28 17:06 --------- d-----w c:\program files\Microsoft Chat

2009-02-28 03:56 --------- d-----w c:\program files\Ahead

2009-02-28 03:46 --------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint

2009-02-28 03:42 --------- d-----w c:\documents and settings\Ciaran\Application Data\Move Networks

2009-02-28 03:30 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-28 03:29 --------- d-----w c:\program files\Amazon

2009-02-28 03:29 --------- d-----w c:\documents and settings\Ciaran\Application Data\Amazon

2009-02-28 02:52 --------- d-----w c:\program files\Soulseek

2009-02-28 02:50 --------- d-----w c:\program files\blueMSX

2009-02-28 02:49 --------- d-----w c:\program files\Transparent

2009-02-28 02:37 --------- d-----w c:\program files\Java

2009-02-28 02:29 --------- d-----w c:\documents and settings\Administrator\Application Data\Lavasoft

2009-02-28 02:28 --------- d-----w c:\program files\DivX

2009-02-28 02:13 --------- d-----w c:\program files\Winamp

2009-02-28 02:13 --------- d-----w c:\program files\eMule

2009-02-28 02:06 --------- d-----w c:\program files\DC++

2009-02-21 22:27 --------- d-----w c:\documents and settings\All Users\Application Data\TVU Networks

2008-10-21 02:48 18,783 ----a-w c:\program files\Common Files\susehicujy.lib

2008-10-21 02:48 18,145 ----a-w c:\program files\Common Files\abyji.reg

2008-10-21 02:48 15,493 ----a-w c:\documents and settings\All Users\Application Data\nucyfuv.sys

2008-10-21 02:48 14,561 ----a-w c:\documents and settings\All Users\Application Data\bepefata.bat

2008-10-21 02:48 11,045 ----a-w c:\program files\Common Files\fyvalu.bat

2008-10-21 02:48 10,749 ----a-w c:\documents and settings\Ciaran\Application Data\fukuwafeq.bat

2008-09-05 01:55 19,477 ----a-w c:\program files\Common Files\licyw.lib

2008-09-05 01:55 14,397 ----a-w c:\documents and settings\Ciaran\Application Data\fixug.pif

2008-09-05 01:55 14,158 ----a-w c:\documents and settings\Ciaran\Application Data\abusamajag.reg

2008-09-05 01:55 11,822 ----a-w c:\program files\Common Files\toxyzukad.db

2008-09-05 01:55 11,137 ----a-w c:\program files\Common Files\avug.bat

2008-09-05 01:55 11,110 ----a-w c:\documents and settings\All Users\Application Data\udibigota.vbs

2008-02-10 02:20 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2008-12-19 22:00 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-19 22:00 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-19 22:00 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-19 22:00 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-19 22:00 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2005-07-29 21:24 472 --sha-r c:\windows\cGM\w3g.vbs

.

------- Sigcheck -------

2001-08-23 08:00 161536 3efd4f59ba0a340de0a3ab984001dbf7 c:\windows\$NtServicePackUninstall$\ndis.sys

2004-08-04 02:14 182912 558635d3af1c7546d26067d5d9b6959e c:\windows\ServicePackFiles\i386\ndis.sys

2008-04-13 15:20 182656 1df7f42665c94b825322fae71721130d c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\ndis.sys

2009-03-27 17:56 213376 3d748d850b1c17c357c54bbfd4835f27 c:\windows\system32\dllcache\ndis.sys

2009-03-27 17:56 213376 3d748d850b1c17c357c54bbfd4835f27 c:\windows\system32\drivers\ndis.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-04-05_12.53.40.10 )))))))))))))))))))))))))))))))))))))))))

.

+ 2007-03-08 15:36:28 27,648 ----a-w c:\windows\dse3d1.dll

+ 2007-03-08 15:36:28 160,768 ----a-w c:\windows\ivivojamaz.dll

- 2009-03-27 21:46:50 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-04-06 15:13:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-27 21:46:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-06 15:13:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-04-06 13:11:26 27,648 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\7Q2V735W\install[1].exe

- 2009-03-27 21:46:50 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-06 15:13:59 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-04-06 13:11:42 25,088 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KENT74NQ\test1[1].exe

+ 2009-04-06 13:11:59 159,232 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O3ILU1HW\installing_test2[1].exe

+ 2009-04-06 13:11:10 75,275 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\SG8CVM2E\164[1].exe

+ 2009-03-09 19:06:56 64,160 -c--a-w c:\windows\system32\DRVSTORE\lbd_1D149FE61E2CD0936E43877117FE3EF0674B9944\Lbd.sys

+ 2001-08-23 12:00:00 218,368 ----a-w c:\windows\system32\mowevibs.dat

+ 2001-08-23 12:00:00 102,912 ----a-w c:\windows\system32\niypgff.dll

+ 2001-08-23 12:00:00 6,566,656 ----a-w c:\windows\system32\uxvwpfeq.dat

+ 2009-04-06 15:23:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_6a0.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"SdScansCH"="c:\windows\stup_tmp.#32" [2005-02-12 2648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"EPSON Stylus CX4200 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE" [2005-03-07 98304]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-06 148888]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-12 342312]

"Vhihigusudihoso"="c:\windows\ivivojamaz.dll" [2007-03-08 160768]

"nwiz"="nwiz.exe" [2008-09-17 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"msacm.avis"= ff_acm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli dse3d1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]

--a------ 2005-10-19 08:59 126976 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]

--a------ 2003-08-29 04:59 122880 c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\WinMX\\WinMX.exe"=

"c:\\Program Files\\WS_FTP\\WS_FTP95.exe"=

"c:\\Program Files\\mIRC\\mirc.exe"=

"c:\\Program Files\\AIM Lite\\aimlite.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S1 82032481;82032481;c:\windows\system32\drivers\82032481.sys --> c:\windows\system32\drivers\82032481.sys [?]

S2 uhskhkhx;Software Bus Monitor;c:\windows\System32\svchost.exe -k netsvcs [2001-08-23 14336]

S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-09-15 509312]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-09-15 3768]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

uhskhkhx

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59a363ec-b5ab-11dc-98ab-000bdbbf4a38}]

\Shell\AutoRun\command - g:\wd_windows_tools\setup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA844-CC51-11CF-AAFA-00AA00B6015C}]

rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\CChat25.inf,PerUserRemove

.

Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []

2009-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-06 c:\windows\Tasks\At1.job

- c:\windows\system32\yzvxizy.dll []

.

- - - - ORPHANS REMOVED - - - -

BHO-{D5BF49A0-94F3-52BD-F434-3604812C8955} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

IE: Download All by FlashGet - c:\program files\FlashGet\jc_all.htm

IE: Download using FlashGet - c:\program files\FlashGet\jc_link.htm

FF - ProfilePath - c:\documents and settings\Ciaran\Application Data\Mozilla\Firefox\Profiles\d7fi6qz6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-04-06 11:26:36

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)

c:\windows\dse3d1.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\WgaTray.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-04-06 11:33:56 - machine was rebooted

ComboFix-quarantined-files.txt 2009-04-06 15:32:39

ComboFix2.txt 2009-04-05 16:56:05

Pre-Run: 27,139,661,824 bytes free

Post-Run: 27,137,953,792 bytes free

260 --- E O F --- 2009-03-18 11:25:49

DDS:

DDS (Ver_09-03-16.01) - NTFSx86

Run by Ciaran at 11:34:59.32 on Mon 04/06/2009

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1682 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\WgaTray.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Ciaran\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

mStart Page = hxxp://www.google.com

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

TB: {E0E899AB-F487-11D5-8D29-0050BA6940E3} - No File

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [sdScansCH] rundll32.exe c:\windows\stup_tmp.#32,Ini

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [EPSON Stylus CX4200 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [nwiz] nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit

mRun: [sunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Vhihigusudihoso] rundll32.exe "c:\windows\ivivojamaz.dll",e

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)

IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm

IE: Download using FlashGet - c:\program files\flashget\jc_link.htm

IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\PartyPoker.exe

IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab

DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132637091218

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab

DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

LSA: Notification Packages = scecli dse3d1.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ciaran\applic~1\mozilla\firefox\profiles\d7fi6qz6.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - HiddenExtension: XUL Cache: {9F264806-2430-4983-A92B-0718444F0D78} - c:\documents and settings\marie and eamon\local settings\application data\{9F264806-2430-4983-A92B-0718444F0D78}

FF - HiddenExtension: XUL Cache: {84FBBE80-1871-4FD4-B3BC-04148C0E9332} - c:\documents and settings\ciaran\local settings\application data\{84FBBE80-1871-4FD4-B3BC-04148C0E9332}

============= SERVICES / DRIVERS ===============

S1 82032481;82032481;c:\windows\system32\drivers\82032481.sys --> c:\windows\system32\drivers\82032481.sys [?]

S2 uhskhkhx;Software Bus Monitor;c:\windows\system32\svchost.exe -k netsvcs [2001-8-23 14336]

S3 MusCDriverV32;MusCDriverV32;c:\windows\system32\drivers\MusCDriverV32.sys [2008-9-15 509312]

S3 MusCVideo32;MusCVideo32;c:\windows\system32\drivers\MusCVideo32.sys [2008-9-15 3768]

UnknownUnknown restore;restore; [x]

=============== Created Last 30 ================

2009-04-06 09:24 16 a------- c:\windows\Lwicifigocixa.bin

2009-04-06 09:24 1,420 a------- c:\windows\Uxenaxitivu.dat

2009-04-05 12:39 <DIR> a-dshr-- C:\cmdcons

2009-04-05 12:20 161,792 a------- c:\windows\SWREG.exe

2009-04-05 12:20 98,816 a------- c:\windows\sed.exe

2009-03-30 15:20 <DIR> --d----- c:\program files\Trend Micro

2009-03-30 12:37 <DIR> --d----- c:\program files\AVG

2009-03-30 12:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-03-29 19:50 <DIR> --d----- C:\SDFix

2009-03-29 13:59 <DIR> --d----- c:\docume~1\ciaran\applic~1\Antispyware

2009-03-29 13:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-03-29 13:42 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-03-29 13:42 <DIR> --d----- c:\docume~1\ciaran\applic~1\SUPERAntiSpyware.com

2009-03-28 19:20 <DIR> --d----- c:\program files\TVAnts

2009-03-27 18:01 42,496 a------- c:\windows\system32\kuzSniper.exe

2009-03-27 17:57 62,976 a------- C:\tqaau.exe

2009-03-27 17:56 213,376 ac------ c:\windows\system32\dllcache\ndis.sys

2009-03-27 17:52 2 a------- C:\2097001235

2009-03-23 19:31 107,368 a------- c:\windows\system32\GEARAspi.dll

2009-03-23 19:31 23,848 a------- c:\windows\system32\drivers\GEARAspiWDM.sys

2009-03-23 19:30 <DIR> --d----- c:\program files\iPod

2009-03-23 19:30 <DIR> --d----- c:\program files\iTunes

2009-03-23 19:29 1,900,544 a------- c:\windows\system32\usbaaplrc.dll

2009-03-23 19:29 36,864 a------- c:\windows\system32\drivers\usbaapl.sys

2009-03-23 17:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}

2009-03-23 17:15 <DIR> --d----- c:\program files\Bonjour

2009-03-17 20:29 15,504 a------- c:\windows\system32\drivers\mbam.sys

2009-03-17 20:29 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-03-17 20:29 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-03-07 16:34 <DIR> --d----- c:\program files\Real Alternative

==================== Find3M ====================

2009-03-27 17:56 213,376 a------- c:\windows\system32\drivers\ndis.sys

2009-03-06 14:50 410,984 a------- c:\windows\system32\deploytk.dll

2009-02-09 20:56 67,584 a------- c:\windows\system32\ff_vfw.dll

2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys

2008-10-20 22:48 18,783 a------- c:\program files\common files\susehicujy.lib

2008-10-20 22:48 11,045 a------- c:\program files\common files\fyvalu.bat

2008-10-20 22:48 18,145 a------- c:\program files\common files\abyji.reg

2008-10-20 22:48 15,493 a------- c:\docume~1\alluse~1\applic~1\nucyfuv.sys

2008-10-20 22:48 14,561 a------- c:\docume~1\alluse~1\applic~1\bepefata.bat

2008-10-20 22:48 10,749 a------- c:\docume~1\ciaran\applic~1\fukuwafeq.bat

2008-09-04 21:55 19,477 a------- c:\program files\common files\licyw.lib

2008-09-04 21:55 14,397 a------- c:\docume~1\ciaran\applic~1\fixug.pif

2008-09-04 21:55 14,158 a------- c:\docume~1\ciaran\applic~1\abusamajag.reg

2008-09-04 21:55 11,822 a------- c:\program files\common files\toxyzukad.db

2008-09-04 21:55 11,137 a------- c:\program files\common files\avug.bat

2008-09-04 21:55 11,110 a------- c:\docume~1\alluse~1\applic~1\udibigota.vbs

2008-02-09 22:20 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat

2005-07-29 17:24 472 a--shr-- c:\windows\cgm\w3g.vbs

============= FINISH: 11:35:10.21 ===============

Attach:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 10/5/2004 1:50:16 PM

System Uptime: 4/6/2009 11:22:27 AM (0 hours ago)

Motherboard: Dell Computer Corp. | | 0G1548

Processor: Intel® Pentium® 4 CPU 2.20GHz | Microprocessor | 2193/400mhz

==== Disk Partitions =========================

A: is Removable

C: is FIXED (NTFS) - 38 GiB total, 25.292 GiB free.

D: is CDROM ()

E: is CDROM ()

F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 4/6/2009 11:14:00 AM - System Checkpoint

==== Installed Programs ======================
