Infected - MB and HJT won't run - Skynet rootkit


My computer has been experiencing some problems for a few days now, mostly the annoying fake antivirus popups such as WinAntiVirus Pro and most recently Antivirus 2010. Malwarebytes Anti-Malware has been working fine for me up until this point. I started to see some of those popups so I ran MBAM. It scanned fine and then on removal crashed. After that, whenever I open it, it will scan for 2 seconds and then close. Upon rebooting MBAM it tells me that I don't have permission to access the file. The same scan, close, deny access situation happens with HijackThis as well.

Along with the program problems, whenever I do a Google search the results are hijacked and redirect me to various websites the first few attempts to load the page. If I open about 3 of the same page, the last one will finally load as it should. Anyway, please help me as soon as possible and get back to me with what kind of program I should run to get the necessary logs to those of you here who can help me. Thank you.


Hello The.Wanderer,

Your Windows version & edition is ?? Your Internet Explorer version is ??

That kind of information is important for more accurate guidance.

Do this to close the rogue window. Repeat as needed.

Use ALT+F4 keys to close those rogue pop-up windows. Press and hold the ALT key & then press F4 key.

Do NOT use this system for web searches or web surfing, online games, etc.

If unable to download tools on this system, use another and copy / burn to CD/DVD or a clean USB thumb/flash drive, and copy onto the Desktop of this PC.

Do this:

1. Go >> Here << and download ERUNT

(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)

2. Install ERUNT by following the prompts

(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)

3. Start ERUNT

(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)

4. Choose a location for the backup

(the default location is C:\WINDOWS\ERDNT which is acceptable).

5. Make sure that at least the first two check boxes are ticked

6. Press OK

7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.

On your Desktop, double click My Computer, from the menu options, select tools, then Folder Options, and then select VIEW Tab and look at all of settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under column, Hidden files and folders----choose ( *select* ) Show hidden files and folders.

Next, un-check Hide extensions for known file types.

Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)

Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to cleanout temporary files & temp areas used by internet browsers.

Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:

Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Download to your Desktop FixPolicies.exe, by Bill Castner, MS-MVP, a self-extracting ZIP archive from

>>> here <<<

  • Double-click FixPolicies.exe.
  • Click the "Install" button on the bottom toolbar of the box that will open.
  • The program will create a new Folder called FixPolicies.
  • Double-click to Open the new Folder, and then double-click the file within: Fix_Policies.cmd.
  • A black box will briefly appear and then close.
  • This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.

Download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds here or http://download.bleepingcomputer.com/sUBs/dds.scr or

http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Go >> here <<

and download RootRepeal and SAVE to your Desktop.

Doubleclick RootRepeal.exe icon on your Desktop.

Click on the Report tab at bottom of window and then click on Scan button.

A window will open asking what to include in the scan. Check all of the below and then click Ok.

  • Drivers
  • Files
  • Processes
  • SSDT
  • Hidden Services
  • Stealth Objects

You will then be asked which drive to scan.

Check C: (or the drive your operating system is installed on if not C) and click Ok again.

The scan will start.

It will take a little while so please be patient. When the scan has finished, click on Save Report.

Name the log RootRepeal.txt and save it to your Documents folder (it should default there).

When you have done this, please copy and paste it in this thread.

=

Please include the following logs in your next reply:

DDS.txt

Attach.txt

RootRepeal.txt


Sorry, I have usually been able to fix most of my virus problems on my own, so this whole having someone help through a forum is a bit new to me, so sorry for any non-included information.

Internet Explorer version is the newest (8?). I just installed it a few days ago and it was working fine until now. It would not even open today until I reinstalled it, but I'm not using that computer for internet right now anyway.

1. Downloaded and ran ERUNT and saved a backup in the default location.

2. Turned on show hidden file, extensions, and operating system files.

3. Downloaded and ran ATF Cleaner and deleted all files.

4. Downloaded and ran Fix Policies which gave me the brief command box as you said.

5. Downloaded and ran DDS; however, when I tried to run DDS.scr, a black command box appeared for a second or two and then closed itself. It had some text/instructions on it that I could not read because it closed itself, so I'm assuming this isn't normal. Due to this I was not able to get the DDS.txt or Attach.txt to post here.

6. Downloaded and ran RootRepeal. Unlike DDS, this had no problems opening. However, when I tried to scan I got a few popup errors saying it "could not read the boot sector" and "could not read the registry" or something similar. It did, however, finish the scan and gave me a log file, which I will still post here.

RootRepeal.txt

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/29 01:32
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8AB4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xA95BB000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA6727000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SKYNETikvfsjmc.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETikvfsjmc.sys
Address: 0xAAFC3000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA488000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xBA2B8000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: winlogon.exe (PID: 1120) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: services.exe (PID: 1168) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: lsass.exe (PID: 1192) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: Ati2evxx.exe (PID: 1364) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETbvlwaohl.dll]
Process: svchost.exe (PID: 1380) Address: 0x008e0000 Size: 53248

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 1380) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 1508) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 1564) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 1800) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 1916) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: spoolsv.exe (PID: 272) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: Ati2evxx.exe (PID: 344) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 752) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: AppleMobileDeviceService.exe (PID: 784) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: mDNSResponder.exe (PID: 840) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: cvpnd.exe (PID: 928) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: IntuitUpdateService.exe (PID: 1020) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: McciCMService.exe (PID: 112) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: PGPserv.exe (PID: 1752) Address: 0x00640000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: zHotkey.exe (PID: 1780) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: SOUNDMAN.EXE (PID: 1796) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: HPWuSchd2.exe (PID: 1844) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: type32.exe (PID: 1852) Address: 0x00a90000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: point32.exe (PID: 1892) Address: 0x00aa0000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: HPZipm12.exe (PID: 1996) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: jusched.exe (PID: 2020) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: McciTrayApp.exe (PID: 2036) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: VerizonServicepoint.exe (PID: 124) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: nmctxth.exe (PID: 132) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: LinksysWirelessManager.exe (PID: 160) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: iTunesHelper.exe (PID: 156) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: PrfldSvc.exe (PID: 604) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: PRISMXL.SYS (PID: 652) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 924) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: wdfmgr.exe (PID: 1672) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: ViewpointService.exe (PID: 2056) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: nmsrvc.exe (PID: 2184) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: iPodService.exe (PID: 3316) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: alg.exe (PID: 3516) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: explorer.exe (PID: 184) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: svchost.exe (PID: 556) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: ViewMgr.exe (PID: 1240) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: ctfmon.exe (PID: 3588) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: NOTEPAD.EXE (PID: 2860) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: RootRepeal.exe (PID: 804) Address: 0x10000000 Size: 28672

==EOF==

Hope any of this helps. Thank you.

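The RootRepeal report above carries the three findings a triager acts on: a driver reported as hidden from the Windows API, drivers mapped from an NTFS alternate data stream of a system file (the ":1" and ":2" suffixes on win32k.sys), and one module loaded at the same base address in nearly every process on the box. This Python script is an added example, not code from RootRepeal or from anyone in this thread: it parses the Drivers and Stealth Objects sections in the report layout shown above and summarises those indicators. The sample report, the function names and the two-process threshold are my own constructions.

```python
import re
from collections import defaultdict

# Constructed, abbreviated sample in RootRepeal's report layout (not the
# full log posted in the thread); only the record shapes matter here.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8AB4000 Size: 98304 File Visible: No Signed: -
Status: -

Name: SKYNETikvfsjmc.sys
Image Path: C:\WINDOWS\system32\drivers\SKYNETikvfsjmc.sys
Address: 0xAAFC3000 Size: 151552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xBA488000 Size: 20480 File Visible: No Signed: -
Status: -

Stealth Objects
-------------------
Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: winlogon.exe (PID: 1120) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: services.exe (PID: 1168) Address: 0x10000000 Size: 28672

Object: Hidden Module [Name: SKYNETbvlwaohl.dll]
Process: svchost.exe (PID: 1380) Address: 0x008e0000 Size: 53248

Object: Hidden Module [Name: SKYNETllcbqtdl.dll]
Process: lsass.exe (PID: 1192) Address: 0x10000000 Size: 28672
==EOF==
"""

HIDDEN_STATUS = "Hidden from the Windows API"
ADS_SUFFIX = re.compile(r":\d+$")  # win32k.sys:1 -> image mapped from an NTFS alternate data stream
DRIVER_LINE = re.compile(r"Address:\s*(?P<address>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)"
                         r"\s+File Visible:\s*(?P<visible>\S+)\s+Signed:\s*(?P<signed>\S+)")
OBJECT_LINE = re.compile(r"Object:\s*(?P<kind>[^\[]+?)\s*\[Name:\s*(?P<name>[^\]]+)\]")
PROCESS_LINE = re.compile(r"Process:\s*(?P<process>\S+)\s*\(PID:\s*(?P<pid>\d+)\)"
                          r"\s*Address:\s*(?P<address>0x[0-9A-Fa-f]+)\s+Size:\s*(?P<size>\d+)")


def parse_rootrepeal(text):
    """Parse the Drivers and Stealth Objects sections of a RootRepeal report."""
    drivers, modules, section, current = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("Drivers", "Stealth Objects"):
            section, current = line, None
            continue
        if not line or line.startswith(("----", "====")):
            continue  # blank lines, rules and the ==EOF== marker
        if section == "Drivers":
            if line.startswith("Name:"):
                current = {"name": line.split(":", 1)[1].strip()}
                drivers.append(current)
            elif current is not None and line.startswith("Image Path:"):
                current["image_path"] = line.split(":", 1)[1].strip()
            elif current is not None and line.startswith("Status:"):
                current["status"] = line.split(":", 1)[1].strip()
            elif current is not None and DRIVER_LINE.match(line):
                current.update(DRIVER_LINE.match(line).groupdict())
        elif section == "Stealth Objects":
            m = OBJECT_LINE.match(line)
            if m:
                current = {"kind": m.group("kind"), "name": m.group("name")}
                modules.append(current)
            elif current is not None and PROCESS_LINE.match(line):
                current.update(PROCESS_LINE.match(line).groupdict())
    return {"drivers": drivers, "hidden_modules": modules}


def assess(report, min_processes=2):
    """Flag drivers hidden from the API, drivers mapped from an alternate data
    stream, and any module injected into at least min_processes processes.
    'File Visible: No' alone is not flagged: the crash-dump driver copies
    (dump_*.sys) and the tool's own driver legitimately report it too."""
    hidden = sorted(d["name"] for d in report["drivers"] if HIDDEN_STATUS in d.get("status", ""))
    ads = sorted(d["name"] for d in report["drivers"] if ADS_SUFFIX.search(d.get("image_path", "")))
    seen = defaultdict(set)
    for m in report["hidden_modules"]:
        if "process" in m:
            seen[m["name"]].add(m["process"])
    injected = {n: sorted(p) for n, p in seen.items() if len(p) >= min_processes}
    return {"hidden_drivers": hidden, "ads_drivers": ads, "injected_modules": injected}


if __name__ == "__main__":
    for key, value in assess(parse_rootrepeal(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full log posted above, the same logic reports SKYNETllcbqtdl.dll in 44 distinct process instances, which is what makes the Stealth Objects section so much more telling than any single "File Visible: No" line.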

Hello The.Wanderer.

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!

If you are not The.Wanderer and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

=

Close any of your open programs while you run these tools.

There's a serious rootkit infection on-board here. Hoping the following will knock out enough of it so we can proceed.

Download The Avenger by Swandog46 from here.

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Files to delete:
    C:\WINDOWS\system32\drivers\SKYNETikvfsjmc.sys
    C:\WINDOWS\win32k.sys:1
    C:\WINDOWS\win32k.sys:2
    C:\WINDOWS\win32k.sys
    c:\windows\system32\SKYNETllcbqtdl.dll
    c:\windows\system32\SKYNETbvlwaohl.dll
    c:\windows\sysguard.exe
    c:\windows\system32\sdra64.exe

    Drivers to delete:
    win32k.sys:1
    win32k.sys:2
    SKYNETikvfsjmc.sys
    SKYNETikvfsjmc

    Folders to delete:
    C:\recycler
    D:\recycler
    e:\recycler
    f:\recycler
    g:\recycler
    h:\recycler


  • In the Avenger window, click the Paste Script from Clipboard button.
  • Make sure that what appears in Avenger matches exactly what you were asked to Copy/Paste from the Code box above.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. Please copy/paste the contents of c:\avenger.txt into your next reply.

Not all the items will be found; so do not worry. Hopefully enough of the rootkit will be removed so that we can continue forward with more cleaning.

If you get a blue screen abort when it reboots, please write down all the information, STOP codes and description.

and then reboot the system again.

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on Combo-Fix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

-------------------------------------------------------

A caution - Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Avenger.txt

and C:\combofix.txt


I tried running Avenger as directed and it gave me a message saying first step complete, Avenger will run on reboot. When the computer rebooted it gave me about 4-5 error messages all saying: "Exception processing message c0000013 parameters 75b6bf9c 4 75b6bf9c 75b6bf9c" and then a few windows like Total Security and other fake antiviruses popped up while changing my background to blue with some text about antivirus, no log whatsoever. I restarted the computer and the background went back to normal, and the popups didn't come up, so I tried running Avenger again with the same result.

ComboFix ran fine except that it didn't install the Recovery Console. It just gave me an error saying files not installed and then said it would continue with the scan.

Combofix.txt:

ComboFix 09-08-30.01 - Owner 08/30/2009 23:53.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1406.1044 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Local Settings\Application Data\{B401628B-FED5-4225-BE92-E79348014C85}
c:\documents and settings\Administrator\Local Settings\Application Data\{B401628B-FED5-4225-BE92-E79348014C85}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{B401628B-FED5-4225-BE92-E79348014C85}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{B401628B-FED5-4225-BE92-E79348014C85}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{B401628B-FED5-4225-BE92-E79348014C85}\install.rdf
c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
c:\documents and settings\All Users\Application Data\12113124
c:\documents and settings\All Users\Application Data\12113124\12113124
c:\documents and settings\All Users\Application Data\12113124\12113124.exe
c:\documents and settings\All Users\Application Data\12113124\pc12113124ins
c:\documents and settings\All Users\Application Data\ahuxune.bat
c:\documents and settings\All Users\Application Data\olili._dl
c:\documents and settings\All Users\Application Data\zanyvy.lib
c:\documents and settings\All Users\Documents\wefahuluj.dl
c:\documents and settings\All Users\Documents\xufyj.ban
c:\documents and settings\Owner\Application Data\akepediw.bin
c:\documents and settings\Owner\Application Data\kaqyd._sy
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\PC_Antispyware2010.lnk
c:\documents and settings\Owner\Local Settings\Application Data\acafix.bat
c:\documents and settings\Owner\Local Settings\Application Data\azobavafa.inf
c:\documents and settings\Owner\Start Menu\Programs\PC_Antispyware2010
c:\documents and settings\Owner\Start Menu\Programs\PC_Antispyware2010\PC_Antispyware2010.lnk
c:\documents and settings\Owner\Start Menu\Programs\PC_Antispyware2010\Uninstall.lnk
c:\documents and settings\Owner\Start Menu\Programs\Total Security
c:\documents and settings\Owner\Start Menu\Programs\Total Security\Total Security 2009.lnk
C:\fyblb.exe
c:\program files\Common Files\hokah.bin
c:\program files\MorpheusBar\bar\1.bin\M0PLUGIN.DLL
c:\program files\MorpheusBar\bar\1.bin\M0POPSWT.DLL
c:\program files\MorpheusBar\bar\1.bin\NPMORPBR.DLL
c:\recycler\S-1-5-21-139043341-2298894418-1299524777-1003
c:\recycler\S-1-5-21-1736039526-3247635675-2151913700-1003
c:\recycler\S-1-5-21-181162612-2584948223-267096145-1003
c:\recycler\S-1-5-21-2872266940-2700573078-3442167344-1003
c:\windows\apenuwebo.vbs
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\dehy.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\kxarvce.dll
c:\windows\system32\~.exe
c:\windows\system32\amatijivuk.bin
c:\windows\system32\AVR09.exe
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\Drivers\alzgzm.sys
c:\windows\system32\Drivers\meftp.sys
c:\windows\system32\drivers\SKYNETikvfsjmc.sys
c:\windows\system32\Drivers\tvefzwjj.sys
c:\windows\system32\mohasobi.dll
c:\windows\system32\niheli.vbs
c:\windows\system32\penigusa.exe
c:\windows\system32\sesanujo.exe
c:\windows\system32\SKYNETbvlwaohl.dll
c:\windows\system32\SKYNETllcbqtdl.dll
c:\windows\system32\SKYNETniamdkrr.dat
c:\windows\system32\SKYNETopncwuqg.dat
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\vamegeye.dll
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\zoqymyjyho.bin
c:\windows\wpd99.drv
D:\Autorun.inf

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\drivers\beep.sys . . . is infected!!
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_SKYNETmldboeep
-------\Legacy_SKYNETmldboeep
-------\Legacy_ANTIPPRO2009_100
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


2009-05-29 04:09 . 2009-05-29 04:09 84480 --sha-w- c:\windows\system32\mujuyizi.dll

2009-05-29 04:09 . 2009-05-29 04:09 84480 --sha-w- c:\windows\system32\vivopiye.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b07a4cb4-7ab5-48a1-8815-5fe2453a4d6d}]

2009-05-29 04:09 84480 --sha-w- c:\windows\system32\mujuyizi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2007-08-10 19:27 598016 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]

"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"CPM2bfe3d9c"="c:\windows\system32\huvezopi.dll" [2009-08-29 84480]

"hutufozufi"="c:\windows\system32\vivopiye.dll" [2009-05-29 84480]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-16 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-5-1 57344]

PGPtray.exe.lnk - c:\windows\Installer\{882025A7-7599-4989-8FCD-7604FB90D6A9}\Icon6560581611.exe [2008-7-14 55296]

VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2006-10-3 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]

"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\huvezopi.dll" [2009-08-29 84480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\huvezopi.dll [2009-08-29 84480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\fabokenu.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli PGPpwflt c:\windows\system32\fabokenu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\lsass.exe"=

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [8/10/2007 3:21 PM 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [8/10/2007 3:21 PM 168960]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [8/10/2007 3:21 PM 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [8/10/2007 3:21 PM 33792]

R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [4/21/2006 8:22 AM 70912]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2008 8:21 AM 24652]

R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [4/13/2009 12:02 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-06-19 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

2005-06-19 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

2005-06-19 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AIM - k:\program files\AIM\aim.exe

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

HKCU-Run-Google Update - c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe

HKLM-Run-12113124 - c:\documents and settings\All Users\Application Data\12113124\12113124.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel

LSP: c:\windows\system32\PGPlsp.dll

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ec8zxwrm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - HiddenExtension: XUL Cache: {872B0108-327D-40D1-A6E8-BC7362028913} - c:\documents and settings\Owner\Local Settings\Application Data\{872B0108-327D-40D1-A6E8-BC7362028913}

FF - HiddenExtension: XUL Cache: {AF84A25A-43D1-4008-B64E-734856F57587} - c:\documents and settings\NetworkService\Local Settings\Application Data\{AF84A25A-43D1-4008-B64E-734856F57587}\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-31 00:04

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1140)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\PGPpwflt.dll

c:\windows\system32\PGPwd.dll

c:\windows\system32\PGPsdk.dll

c:\windows\system32\pgpsdkm.dll

- - - - - - - > 'lsass.exe'(1196)

c:\windows\system32\fabokenu.dll

- - - - - - - > 'explorer.exe'(3408)

c:\windows\system32\PGPhk.dll

c:\program files\Common Files\Motive\McciContextHook_DSR.dll

c:\windows\system32\huvezopi.dll

c:\windows\system32\vivopiye.dll

c:\windows\system32\fabokenu.dll

c:\windows\system32\PGPfsshl.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\program files\Microsoft Private Folder 1.0\ShellExt.dll

c:\windows\system32\PFLib.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\PGPserv.exe

c:\program files\Microsoft Private Folder 1.0\PrfldSvc.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

.

**************************************************************************

.

Completion time: 2009-08-31 0:10 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-31 04:10

Pre-Run: 135,800,721,408 bytes free

Post-Run: 135,696,871,424 bytes free

428 --- E O F --- 2009-08-28 14:43


You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

I am going to have you get a fresh copy of Combofix, save it first, and then run a special script.

There's still some stubborn malware laying about.

Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Delete the copy of Combo-fix (red lion icon) on your Desktop! You need to get and SAVE the latest one.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

Driver::

win32k.sys:1

win32k.sys:2

SKYNETmldboeep

ANTIPPRO2009_100

File::

c:\windows\system32\huvezopi.dll

c:\windows\system32\vivopiye.dll

c:\windows\system32\fabokenu.dll

C:\WINDOWS\win32k.sys:1

C:\WINDOWS\win32k.sys:2

C:\WINDOWS\win32k.sys

c:\windows\system32\SKYNETllcbqtdl.dll

c:\windows\system32\SKYNETbvlwaohl.dll

c:\windows\sysguard.exe

c:\windows\system32\sdra64.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2731 or later. The latest program version is 1.40.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Reply with the latest C:\Combofix.txt

and the latest MBAM scan log

and tell me, how is your system now?

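The CFScript in the post above targets exactly the entries ComboFix listed under "Reg Loading Points": DLLs carrying the hidden+system attribute (--sha-w-) registered as a Browser Helper Object, as a Run value, as AppInit_DLLs and as an LSA Notification Package, plus the Security Center and firewall settings the infection switched off. As an added example (not part of this thread and not ComboFix's own code), the Python below parses a constructed slice of that log section, modelled on the lines quoted earlier, and flags those indicators so a reader can see which loading points were abused and why. The allowlist of known-good notification packages and the severity labels are assumptions.

```python
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]   # (severity, registry key, detail)

# Constructed sample: a slice of a ComboFix "Reg Loading Points" section,
# modelled on the entries quoted in this thread (not a real capture).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b07a4cb4-7ab5-48a1-8815-5fe2453a4d6d}]
2009-05-29 04:09 84480 --sha-w- c:\windows\system32\mujuyizi.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"CPM2bfe3d9c"="c:\windows\system32\huvezopi.dll" [2009-08-29 84480]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\fabokenu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli PGPpwflt c:\windows\system32\fabokenu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# Assumed allowlist (lower-case): the only LSA notification package XP ships with.
# Anything else is reported for review, not declared malicious outright.
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}

# Substrings of registry keys that load code into explorer/IE/every process.
LOADING_POINTS = ("browser helper objects", "\\run",
                  "shellserviceobjectdelayload", "sharedtaskscheduler")

KEY_RE = re.compile(r"^\[(.+)\]$")
# ComboFix file entry under a loading point: <date> <time> <size> <attrs> <path>
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+(\S{8})\s+(.+)$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def _clean_value(raw: str) -> str:
    """Drop ComboFix's trailing "[date size]" annotation and surrounding quotes."""
    raw = re.sub(r"\s*\[[^\]]*\]\s*$", "", raw.strip())
    return raw.strip().strip('"')


def analyse(log: str, allowlist=DEFAULT_NOTIFICATION_PACKAGES) -> List[Finding]:
    findings: List[Finding] = []
    key = ""
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:                       # a new [registry key] header
            key = m.group(1)
            continue
        lkey = key.lower()

        m = FILE_RE.match(line)
        if m:
            attrs, path = m.groups()
            # attrs looks like --sha-w-: 's' = system, 'h' = hidden
            if "s" in attrs and "h" in attrs and any(p in lkey for p in LOADING_POINTS):
                findings.append(("high", key, f"hidden+system DLL at loading point: {path}"))
            continue

        if line.startswith("Notification Packages"):
            # tokens after "Notification Packages REG_MULTI_SZ" are the packages
            for pkg in line.split()[3:]:
                if pkg.lower() in allowlist:
                    continue
                # legitimate packages are bare names resolved from system32;
                # a full path or .dll suffix is not how they are normally registered
                sev = "high" if "\\" in pkg or pkg.lower().endswith(".dll") else "review"
                findings.append((sev, key, f"extra LSA notification package: {pkg}"))
            continue

        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), _clean_value(m.group(2))
        lname = name.lower()
        if lname == "appinit_dlls" and value:
            findings.append(("high", key, f"AppInit_DLLs set: {value}"))
        elif lkey.endswith("\\run") and value.lower().endswith(".dll"):
            findings.append(("high", key, f"Run value {name!r} names a DLL: {value}"))
        elif ("security center" in lkey
              and lname.endswith(("disablemonitoring", "disablenotify"))
              and value.endswith("1")):
            findings.append(("medium", key, f"{name} = 1 (Security Center alerts suppressed)"))
        elif lname == "enablefirewall" and value.startswith("0"):
            findings.append(("medium", key, "Windows Firewall disabled for this profile"))
    return findings


if __name__ == "__main__":
    for sev, key, detail in analyse(SAMPLE_LOG):
        print(f"[{sev:6}] {detail}\n         at {key}")
```

On the sample the script reports the three --sha-w- DLLs named in the CFScript at four distinct loading points, the suppressed Security Center monitoring and the disabled firewall. PGPpwflt comes out as "review" rather than "high": the log earlier in the thread shows PGPpwflt.dll loaded inside winlogon.exe alongside the rest of the PGP Desktop install, so on this machine it belongs on the allowlist, which is the kind of per-system judgement the helper applied when writing the script.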

ComboFix.txt:

ComboFix 09-09-01.07 - Owner 09/02/2009 15:06.2.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1406.906 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::

"c:\windows\sysguard.exe"

"c:\windows\system32\fabokenu.dll"

"c:\windows\system32\huvezopi.dll"

"c:\windows\system32\sdra64.exe"

"c:\windows\system32\SKYNETbvlwaohl.dll"

"c:\windows\system32\SKYNETllcbqtdl.dll"

"c:\windows\system32\vivopiye.dll"

"c:\windows\win32k.sys"

"c:\windows\win32k.sys:1"

"c:\windows\win32k.sys:2"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Owner\Local Settings\Application Data\{872B0108-327D-40D1-A6E8-BC7362028913}

c:\documents and settings\Owner\Local Settings\Application Data\{872B0108-327D-40D1-A6E8-BC7362028913}\chrome.manifest

c:\documents and settings\Owner\Local Settings\Application Data\{872B0108-327D-40D1-A6E8-BC7362028913}\chrome\content\_cfg.js

c:\documents and settings\Owner\Local Settings\Application Data\{872B0108-327D-40D1-A6E8-BC7362028913}\chrome\content\overlay.xul

c:\documents and settings\Owner\Local Settings\Application Data\{872B0108-327D-40D1-A6E8-BC7362028913}\install.rdf

c:\windows\system32\fabokenu.dll

c:\windows\system32\huVEzopi.dll

c:\windows\system32\vivopiye.dll

.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-31 03:27 . 2009-08-31 03:35 0 ----a-w- C:\backup.reg

2009-08-31 03:26 . 2009-08-31 03:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-08-29 05:27 . 2009-08-29 05:27 -------- d-----w- c:\program files\ERUNT

2009-08-28 22:48 . 2009-08-28 22:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-08-28 20:09 . 2009-08-28 20:09 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2009-08-28 20:04 . 2004-08-04 19:00 180224 ----a-w- C:\scecli.dll

2009-08-28 19:55 . 2009-08-28 19:56 -------- d-----w- C:\HJT

2009-08-28 19:38 . 2009-08-28 19:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

2009-08-28 19:35 . 2009-08-28 19:35 -------- d-s---w- C:\CFetf

2009-08-28 19:24 . 2009-08-28 19:25 -------- dc-h--w- c:\windows\ie8

2009-08-28 19:07 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-28 19:07 . 2009-08-28 19:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-28 19:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-28 16:59 . 2009-08-28 16:59 -------- d-----w- c:\program files\Trend Micro

2009-08-28 16:37 . 2009-08-28 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-28 16:33 . 2009-08-28 16:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-20 18:55 . 2009-08-20 18:55 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2009-08-20 18:53 . 2009-08-20 18:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-20 18:52 . 2009-08-20 18:52 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2009-08-20 18:16 . 2009-08-31 03:49 -------- d-----w- c:\windows\ie8updates

2009-08-20 18:12 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-08-20 18:12 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-08-20 18:12 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-08-20 18:12 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-20 18:12 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-08-20 18:11 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-08-16 13:37 . 2009-08-16 13:37 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\MSBuild

2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-16 13:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-16 13:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-16 13:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-16 13:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-16 13:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- C:\45aa4bc014f02c68bef922ab9eec

2009-08-16 13:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-16 13:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-16 13:35 . 2009-08-31 03:49 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-16 13:32 . 2009-08-16 13:32 -------- d-----w- c:\program files\MSXML 6.0

2009-08-16 11:34 . 2009-08-16 11:34 -------- d-----w- c:\windows\ServicePackFiles

2009-08-14 05:15 . 2009-08-14 05:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-08-14 05:15 . 2009-08-14 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-11 12:24 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-29 04:09 . 2009-05-29 04:09 84480 --sha-w- c:\windows\system32\vupeteho.dll

2009-08-28 16:57 . 2005-01-28 09:19 -------- d-----w- c:\program files\BigFix

2009-08-28 16:15 . 2009-08-28 14:13 120 ----a-w- c:\windows\Ugixozehujojul.dat

2009-08-28 16:11 . 2009-05-28 16:11 84992 --sha-w- c:\windows\system32\jefaduku.dll

2009-08-28 15:39 . 2009-08-28 15:39 49664 ----a-w- C:\blyuwrjl.exe

2009-08-28 15:39 . 2009-08-28 15:39 24064 ----a-w- C:\osps.exe

2009-08-28 15:03 . 2005-01-28 09:20 -------- d-----w- c:\program files\Google

2009-08-28 14:10 . 2009-08-28 14:10 15242 ----a-w- c:\windows\osudazit.dat

2009-08-20 20:13 . 2005-06-23 16:28 4966 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-08-16 13:49 . 2005-06-22 20:39 107232 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 15:59 . 2006-10-10 00:34 -------- d-----w- c:\program files\Morpheus

2009-08-11 13:50 . 2005-01-28 09:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-11 12:25 . 2009-08-11 12:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-08-11 12:25 . 2009-08-11 12:25 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-05 09:11 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:53 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 2004-08-26 16:11 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-07-27 14:07 . 2009-07-27 14:07 -------- d-----w- c:\program files\iTunes

2009-07-27 14:07 . 2009-07-27 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-27 14:07 . 2006-02-14 01:04 -------- d-----w- c:\program files\iPod

2009-07-27 14:07 . 2008-12-15 00:19 -------- d-----w- c:\program files\Common Files\Apple

2009-07-27 14:06 . 2009-07-27 14:05 -------- d-----w- c:\program files\QuickTime

2009-07-27 14:01 . 2009-07-27 14:01 -------- d-----w- c:\program files\Bonjour

2009-07-17 18:55 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2004-08-26 16:12 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-07-27 14:04 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-12-15 00:20 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-25 08:44 . 2004-08-26 16:12 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2004-08-26 16:12 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2004-08-26 16:12 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2004-08-26 16:12 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:44 . 2004-08-26 16:11 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:44 . 2004-08-26 16:11 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-22 11:34 . 2004-08-26 16:11 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-12 11:50 . 2004-08-26 16:12 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2004-08-26 16:11 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-26 16:12 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-06 21:22 . 2006-02-27 04:19 47 ----a-w- c:\windows\popcinfo.dat

2009-06-05 07:42 . 2004-08-26 18:00 655872 ----a-w- c:\windows\system32\mstscax.dll

2006-02-26 20:21 . 2006-02-26 20:21 774144 ----a-w- c:\program files\RngInterstitial.dll

2005-06-23 11:22 . 2005-06-23 11:22 0 --sha-w- c:\windows\SMINST\HPCD.sys

2009-05-29 04:09 . 2009-05-29 04:09 84480 --sha-w- c:\windows\system32\mujuyizi.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b07a4cb4-7ab5-48a1-8815-5fe2453a4d6d}]

2009-05-29 04:09 84480 --sha-w- c:\windows\system32\mujuyizi.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2007-08-10 19:27 598016 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]

"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-16 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-5-1 57344]

PGPtray.exe.lnk - c:\windows\Installer\{882025A7-7599-4989-8FCD-7604FB90D6A9}\Icon6560581611.exe [2008-7-14 55296]

VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2006-10-3 6144]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [8/10/2007 3:21 PM 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [8/10/2007 3:21 PM 168960]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [8/10/2007 3:21 PM 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [8/10/2007 3:21 PM 33792]

R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [4/21/2006 8:22 AM 70912]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2008 8:21 AM 24652]

R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [4/13/2009 12:02 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-06-19 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

2005-06-19 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

2005-06-19 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-CPM2bfe3d9c - c:\windows\system32\huvezopi.dll

HKLM-Run-hutufozufi - c:\windows\system32\vivopiye.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.google.com

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel

LSP: c:\windows\system32\PGPlsp.dll

Trusted Zone: turbotax.com

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ec8zxwrm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - HiddenExtension: XUL Cache: {AF84A25A-43D1-4008-B64E-734856F57587} - c:\documents and settings\NetworkService\Local Settings\Application Data\{AF84A25A-43D1-4008-B64E-734856F57587}\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 15:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\PGPpwflt.dll

c:\windows\system32\PGPwd.dll

c:\windows\system32\PGPsdk.dll

c:\windows\system32\pgpsdkm.dll

- - - - - - - > 'explorer.exe'(2712)

c:\windows\system32\PGPhk.dll

c:\program files\Common Files\Motive\McciContextHook_DSR.dll

c:\windows\system32\PGPfsshl.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\program files\Microsoft Private Folder 1.0\ShellExt.dll

c:\windows\system32\PFLib.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\PGPserv.exe

c:\program files\Microsoft Private Folder 1.0\PrfldSvc.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\ati2evxx.exe

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe

c:\windows\system32\wscntfy.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

c:\program files\Verizon\McciBrowser.exe

.

**************************************************************************

.

Completion time: 2009-09-02 15:18 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-02 19:18

ComboFix2.txt 2009-08-31 04:10

Pre-Run: 135,685,009,408 bytes free

Post-Run: 135,630,536,704 bytes free

298 --- E O F --- 2009-08-28 14:43

MBAM log:

Malwarebytes' Anti-Malware 1.40

Database version: 2731

Windows 5.1.2600 Service Pack 2

9/2/2009 3:57:51 PM

mbam-log-2009-09-02 (15-57-51).txt

Scan type: Quick Scan

Objects scanned: 104989

Time elapsed: 31 minute(s), 49 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 4

Registry Values Infected: 2

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\mujuyizi.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b07a4cb4-7ab5-48a1-8815-5fe2453a4d6d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{b07a4cb4-7ab5-48a1-8815-5fe2453a4d6d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b07a4cb4-7ab5-48a1-8815-5fe2453a4d6d} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\CLSID\{425f0f2c-ad94-45a8-893a-bd42dee1219b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hutufozufi (Trojan.Vundo.H) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\mujuyizi.dll (Trojan.Vundo.H) -> Delete on reboot.

C:\blyuwrjl.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\klypnzjnedd.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\vupeteho.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

From what I can tell, the computer is running MUCH better now. I can actually run programs like MBAM and other programs that were having problems opening/running. No more annoying popups either. As well as any last cleaning that may need to be done, could you recommend to me some firewalls or other programs I could use to keep the computer protected in the future?


I am concerned by the amount of Vundo malware that had been (and appears to still be) on this system.

Do NOT do any websurfing. Confine it to just this forum and the sites I guide you to.

Please download VundoFix to your desktop.

  • Double-click VundoFix.exe to run it. If using Windows Vista, be sure to Run As Administrator.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the 'Fix Vundo' button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer; click OK.
  • Turn your computer back on.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot. Follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Next, using the Internet Explorer browser only, go to the ESET Online Scanner website:

Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.

  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.

    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here

    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And then promptly re-enable it when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

If you do not already have DDS, download DDS and save it to your desktop from http://www.techsupportforum.com/sectools/sUBs/dds or http://download.bleepingcomputer.com/sUBs/dds.scr or http://www.forospyware.com/sUBs/dds

Disable any script blocker if your antivirus/antimalware has it.

Then double click dds.scr to run the tool.

When done, DDS.txt will open.

Click Yes at the next prompt for Optional Scan.

  • When done, DDS will open two (2) logs:
  • DDS.txt
  • Attach.txt
  • Save both reports to your desktop.

Please include the following logs in your next reply:

the Eset scan log

DDS.txt

Attach.txt


VundoFix didn't find anything when I ran it, so I went ahead with the following steps.

Eset Log:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=6

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6050

# api_version=3.0.2

# EOSSerial=b5fb60b933c25c4ca09fede1c9bfadd5

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2009-09-02 11:04:32

# local_time=2009-09-02 07:04:32 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 2

# scanned=85351

# found=24

# cleaned=24

# scan_time=1794

C:\osps.exe a variant of Win32/Kryptik.AHO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Morpheus\morpheustoolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Program Files\Morpheus\mymorpheusToolbar.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\12113124\12113124.exe.vir Win32/Adware.SystemSecurity application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\MorpheusBar\bar\1.bin\M0PLUGIN.DLL.vir Win32/Toolbar.Morpheus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\Program Files\MorpheusBar\bar\1.bin\M0POPSWT.DLL.vir Win32/Toolbar.Morpheus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\cru629.dat.vir Win32/Small.EJX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\AVR09.exe.vir Win32/Adware.AdvancedVirusRemover application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\braviax.exe.vir a variant of Win32/Kryptik.AHY trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\cru629.dat.vir Win32/Small.EJX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir a variant of Win32/Kryptik.YQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\mohasobi.dll.vir a variant of Win32/Adware.Virtumonde.NEK application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\penigusa.exe.vir Win32/Adware.SystemSecurity application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\sesanujo.exe.vir a variant of Win32/Kryptik.AIF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\vamegeye.dll.vir a variant of Win32/Adware.Virtumonde.NEK application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\winhelper.dll.vir Win32/Adware.CoreguardAntivirus application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir Win32/TrojanDownloader.FakeAlert.AED trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir a variant of Win32/Kryptik.AIC trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\beep.sys.vir a variant of Win32/UltimateDefender.A trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000223.exe a variant of Win32/Kryptik.AHO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000224.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000225.exe Win32/Toolbar.AskSBar application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

C:\WINDOWS\system32\jefaduku.dll a variant of Win32/Adware.Virtumonde.NEK application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

DDS.txt:

DDS (Ver_09-07-30.01) - NTFSx86

Run by Owner at 19:07:41.24 on Wed 09/02/2009

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1406.858 [GMT -4:00]

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Motive\McciCMService.exe

C:\WINDOWS\system32\PGPserv.exe

C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\Explorer.EXE

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

C:\WINDOWS\zHotkey.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Microsoft IntelliType Pro\type32.exe

C:\Program Files\Microsoft IntelliPoint\point32.exe

C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

C:\Program Files\Verizon\McciTrayApp.exe

C:\Program Files\Verizon\VSP\VerizonServicepoint.exe

C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe

C:\Program Files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe

C:\Program Files\PGP Corporation\PGP Desktop\PGPtray.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://excite.com/

uSearch Page = hxxp://www.google.com

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uSearch Bar = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

TB: Verizon Broadband Toolbar: {a057a204-bacc-4d26-8398-26fadcf27386} - c:\progra~1\verizo~1\VERIZO~1.DLL

TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File

TB: Morpheus Toolbar: {3f3714a9-89a4-46be-8af3-d0c9d1fb03f9} - c:\program files\morpheusbar\bar\1.bin\MORPHBAR.DLL

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll

TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [AIM] k:\program files\aim\aim.exe -cnetwait.odl

uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE

mRun: [CHotkey] zHotkey.exe

mRun: [showWnd] ShowWnd.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\point32.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.6.0_06\bin\jusched.exe"

mRun: [Verizon_McciTrayApp] "c:\program files\verizon\McciTrayApp.exe"

mRun: [VerizonServicepoint.exe] "c:\program files\verizon\vsp\VerizonServicepoint.exe" /AUTORUN

mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"

mRun: [Linksys Wireless Manager] "c:\program files\linksys\linksys wireless manager\LinksysWirelessManager.exe" /cm /min /lcid 1033

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [<NO NAME>]

mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide

mRun: [braviax] braviax.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pgptra~1.lnk - c:\windows\installer\{882025a7-7599-4989-8fcd-7604fb90d6a9}\Icon6560581611.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico

dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)

dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel

LSP: c:\windows\system32\PGPlsp.dll

Trusted Zone: turbotax.com

DPF: {01113300-3E00-11D2-8470-0060089874ED} - hxxps://activatemyfios.verizon.net/sdcCommon/download/FIOS/Verizon%20FiOS%20Installer.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=21871

DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C}

DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab

DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll

Notify: AtiExtEvent - Ati2evxx.dll

AppInit_DLLs: c:\windows\system32\fabokenu.dll PGPmapih.dll

LSA: Notification Packages = scecli PGPpwflt c:\windows\system32\fabokenu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ec8zxwrm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - HiddenExtension: XUL Cache: {AF84A25A-43D1-4008-B64E-734856F57587} - c:\documents and settings\networkservice\local settings\application data\{af84a25a-43d1-4008-b64e-734856f57587}\

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [2007-8-10 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [2007-8-10 168960]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-12-9 13088]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [2007-8-10 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [2007-8-10 33792]

R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [2006-4-21 70912]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-10-27 24652]

R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [2009-4-13 627072]

S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2009-09-02 18:33 <DIR> --d----- c:\program files\ESET

2009-09-02 18:17 <DIR> --d----- C:\VundoFix Backups

2009-08-31 00:09 <DIR> -cd----- c:\windows\system32\dllcache\cache

2009-08-30 23:46 229,888 a------- c:\windows\PEV.exe

2009-08-30 23:46 161,792 a------- c:\windows\SWREG.exe

2009-08-30 23:46 98,816 a------- c:\windows\sed.exe

2009-08-30 23:27 0 a------- C:\backup.reg

2009-08-28 16:09 <DIR> --dsh--- c:\documents and settings\owner\PrivacIE

2009-08-28 16:04 180,224 a------- C:\scecli.dll

2009-08-28 15:55 <DIR> --d----- C:\HJT

2009-08-28 15:35 <DIR> --ds---- C:\CFetf

2009-08-28 15:24 <DIR> -cd-h--- c:\windows\ie8

2009-08-28 15:07 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-28 15:07 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-28 15:07 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-28 12:59 <DIR> --d----- c:\program files\Trend Micro

2009-08-28 10:13 120 a------- c:\windows\Ugixozehujojul.dat

2009-08-28 10:10 15,242 a------- c:\windows\osudazit.dat

2009-08-20 14:55 <DIR> --dsh--- c:\documents and settings\owner\IECompatCache

2009-08-20 14:52 <DIR> --dsh--- c:\documents and settings\owner\IETldCache

2009-08-20 14:16 <DIR> --d----- c:\windows\ie8updates

2009-08-20 14:12 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll

2009-08-20 14:12 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll

2009-08-20 14:12 55,296 -c------ c:\windows\system32\dllcache\msfeedsbs.dll

2009-08-20 14:12 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll

2009-08-20 14:12 1,985,536 -c------ c:\windows\system32\dllcache\iertutil.dll

2009-08-20 14:11 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll

2009-08-16 09:37 <DIR> --d----- c:\windows\system32\XPSViewer

2009-08-16 09:36 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-16 09:36 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-16 09:36 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-16 09:36 575,488 -------- c:\windows\system32\xpsshhdr.dll

2009-08-16 09:36 117,760 -------- c:\windows\system32\prntvpt.dll

2009-08-16 09:36 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll

2009-08-16 09:36 <DIR> --d----- C:\45aa4bc014f02c68bef922ab9eec

2009-08-16 09:36 1,676,288 -------- c:\windows\system32\xpssvcs.dll

2009-08-16 09:35 <DIR> --d----- c:\windows\SxsCaPendDel

2009-08-16 09:32 <DIR> --d----- c:\program files\MSXML 6.0

2009-08-16 07:34 <DIR> --d----- c:\windows\ServicePackFiles

2009-08-14 01:15 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes

2009-08-14 01:15 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

2009-08-11 08:25 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-08-11 08:25 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-11 08:24 21,504 a------- c:\windows\system32\drivers\hidserv.dll

==================== Find3M ====================

2009-08-20 16:13 4,966 a------- c:\docume~1\owner\applic~1\wklnhst.dat

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-07-29 00:53 119,808 a------- c:\windows\system32\t2embed.dll

2009-07-29 00:53 82,432 a------- c:\windows\system32\fontsub.dll

2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll

2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll

2009-07-09 12:16 2,060,288 a------- c:\windows\system32\usbaaplrc.dll

2009-07-09 12:16 39,424 a------- c:\windows\system32\drivers\usbaapl.sys

2009-06-25 04:44 724,480 a------- c:\windows\system32\lsasrv.dll

2009-06-25 04:44 298,496 a------- c:\windows\system32\kerberos.dll

2009-06-25 04:44 168,448 a------- c:\windows\system32\schannel.dll

2009-06-25 04:44 133,632 a------- c:\windows\system32\msv1_0.dll

2009-06-25 04:44 59,392 a------- c:\windows\system32\wdigest.dll

2009-06-25 04:44 56,320 a------- c:\windows\system32\secur32.dll

2009-06-12 07:50 76,288 a------- c:\windows\system32\telnet.exe

2009-06-10 10:21 84,992 a------- c:\windows\system32\avifil32.dll

2009-06-10 02:32 132,096 a------- c:\windows\system32\wkssvc.dll

2009-06-05 03:42 655,872 a------- c:\windows\system32\mstscax.dll

2006-02-26 16:21 774,144 a------- c:\program files\RngInterstitial.dll

2005-06-23 07:22 0 a--sh--- c:\windows\sminst\HPCD.sys

============= FINISH: 19:08:04.39 ===============

Attach.txt:

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Home Edition

Boot Device: \Device\HarddiskVolume1

Install Date: 6/19/2005 2:39:09 PM

System Uptime: 9/2/2009 6:15:39 PM (1 hours ago)

Motherboard: | | MS-7093

Processor: AMD Athlon 64 Processor 3200+ | Socket 939 | 1989/199mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 145 GiB total, 126.275 GiB free.

D: is FIXED (FAT32) - 4 GiB total, 1.683 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is Removable

H: is Removable

I: is Removable

J: is Removable

K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Cisco Systems VPN Adapter

Device ID: ROOT\NET\0000

Manufacturer: Cisco Systems

Name: Cisco Systems VPN Adapter

PNP Device ID: ROOT\NET\0000

Service: CVirtA

==== System Restore Points ===================

RP1: 9/2/2009 3:05:04 PM - System Checkpoint

==== Installed Programs ======================

1600

1600_Help

1600Trb

Adobe Atmosphere Player for Acrobat and Adobe Reader

Adobe Flash Player 10 ActiveX

Adobe Reader 7.0.8

Adobe Shockwave Player 11

AiO_Scan

AiOSoftware

Ancient Secrets

AnswerWorks 4.0 Runtime - English

AnswerWorks 5.0 English Runtime

AOL You've Got Pictures Screensaver

Apple Mobile Device Support

Apple Software Update

ArcSoft Software Suite

ATI - Software Uninstall Utility

ATI Control Panel

ATI Display Driver

Bejeweled Twist

Bonjour

BufferChm

Centra Client

Cisco Systems VPN Client 4.0.3 (A)

Copy

CP_AtenaShokunin1Config

cp_dwShrek2Albums1

cp_dwShrek2Cards1

CreativeProjects

CreativeProjectsTemplates

CueTour

Destinations

Digital Media Reader

Director

DocProc

DocumentViewer

ERUNT 1.1j

ESET Online Scanner v3

Fax

GdiplusUpgrade

Google Toolbar for Internet Explorer

greenstreet Font Manager

Heartwild Solitaire

HijackThis 2.0.2

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hoyle Board Games

HP Extended Capabilities 4.7

HP Image Zone 4.7

HP Product Assistant

HP PSC & OfficeJet 4.7

HP Software Update

HPSystemDiagnostics

InstantShare

iPod for Windows 2005-09-23

iPod for Windows 2006-01-10

ISI ResearchSoft - Export Helper

iTunes

Java 2 Runtime Environment, SE v1.4.2

Java 6 Update 6

Jewel Quest Mysteries

Learn2 Player (Uninstall Only)

Linksys Wireless Manager

LP_Flash

LUMIX Simple Viewer

Luxor - Quest for the Afterlife

Macromedia Shockwave Player

Malwarebytes' Anti-Malware

MarketResearch

Memorex exPressit Label Design Studio

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft IntelliPoint 5.4

Microsoft IntelliType Pro 5.4

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office Standard Edition 2003

Microsoft Private Folder 1.0

Microsoft Works

Morpheus 5.2 (remove only)

Morpheus Toolbar

Move Networks Media Player for Internet Explorer

Mozilla Firefox (3.5.2)

MSXML 4.0 SP2 (KB925672)

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB954430)

MSXML 6 Service Pack 2 (KB954459)

Multimedia Keyboard Driver

MyBudgetPlanner

Nero BurnRights

Nero OEM

PanoStandAlone

Parker Brothers Classic Card Games

PGP Desktop

PHOTOfunSTUDIO -viewer-

PhotoGallery

PowerDVD

ProductContext

Pub Quiz Machine 2008

Pure Networks Platform

QFolder

QuickTime

Readme

RealArcade

RealPlayer Basic

Realtek AC'97 Audio

Sandlot Games Client Services 1.2.2

Saqqarah

Scan

ScannerCopy

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB911565)

Security Update for Windows Media Player 10 (KB917734)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB883939)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893066)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB896688)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899588)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB905915)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB908531)

Security Update for Windows XP (KB911280)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912812)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913446)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB929969)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937143)

Security Update for Windows XP (KB938127)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB939653)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB942615)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944338)

Security Update for Windows XP (KB944533)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB947864)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Security Update for Windows XP (KB950749)

Security Update for Windows XP (KB950759)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951376)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB953838)

Security Update for Windows XP (KB953839)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956390)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957095)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958470)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371-v2)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB963027)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB972260)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Sierra Utilities

SkinsHP1

SKIP-BO Castaway Caper

SoftV92 Data Fax Modem with SmartCP

Spybot - Search & Destroy

Super TextTwist

TextTwist 2

TrayApp

TurboTax 2008

TurboTax 2008 WinPerFedFormset

TurboTax 2008 WinPerProgramHelp

TurboTax 2008 WinPerReleaseEngine

TurboTax 2008 WinPerTaxSupport

TurboTax 2008 WinPerUserEducation

TurboTax 2008 wrapper

TurboTax 2008 wvaiper

Undiscovered World - The Incan Sun

Universal Media Player

Unload

Update for Windows XP (KB894391)

Update for Windows XP (KB896727)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB910437)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB925720)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB933360)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

Update for Windows XP (KB942840)

Update for Windows XP (KB946627)

Update for Windows XP (KB951072-v2)

Update for Windows XP (KB953356)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB973815)

Verizon Broadband Toolbar (IE only)

Verizon FiOS Activation

Verizon Help and Support Tool

Verizon Servicepoint 1.5.22

Viewpoint Manager (Remove Only)

Viewpoint Media Player

Vz In Home Agent

WebFldrs XP

WebReg

Windows Backup Utility

Windows Genuine Advantage Notifications (KB905474)

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 8

Windows Media Format Runtime

Windows Media Player 10

Windows XP Hotfix - KB873333

Windows XP Hotfix - KB873339

Windows XP Hotfix - KB885250

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890175

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

Windows XP Hotfix - KB893086

WinRAR archiver

Wizard's Pen

==== Event Viewer Messages From Past Week ========

9/2/2009 4:02:40 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p asc3550 cbidf cd20xrnt CmdIde Cpqarray dac2w2k dac960nt dpti2o hpn i2omp ini910u IntelIde mraid35x perc2 perc2hib ql1080 Ql10wnt ql12160 ql1240 ql1280 sisagp Sparrow symc810 symc8xx sym_hi sym_u3 TosIde ultra viaagp ViaIde

9/2/2009 3:21:29 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}

9/2/2009 3:13:27 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PEVSystemStart service to connect.

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Viewpoint Manager Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Pure Networks Platform Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Private Folder Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The PrismXL service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The PGPserv service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Intuit Update Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Ati HotKey Poller service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

9/2/2009 3:06:48 PM, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

9/2/2009 3:02:58 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.

9/2/2009 3:02:56 PM, error: SRService [104] - The System Restore initialization process failed.

8/30/2009 11:58:20 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file beep.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.

==== End Of File ===========================

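The two logs above are what the helper reads by eye: a newly created file sitting directly in c:\windows with a random-looking name, an executable in the drive root, or a Windows system DLL (scecli.dll) found at C:\ instead of in system32 are the entries that get looked at first. The script below is an added example for this thread, not part of DDS, ComboFix or the helper's post; it applies those three first-pass heuristics to lines in the shape of the "Created Last 30" section. The sample lines are copied in shape from the log above plus one constructed entry for C:\braviax.exe (a path the helper's script targets; the size is invented), and the allowlists (ComboFix helper binaries, system32 DLLs, legitimate copy directories) are assumptions for the example.

```python
r"""First-pass triage of a DDS "Created Last 30" listing.

Added example for this thread; it is not part of DDS, ComboFix or the
helper's post. It parses lines in the shape DDS prints and flags the three
things a removal helper checks first in the log above: files dropped
straight into the Windows directory, executables sitting in the drive root,
and Windows system DLLs found somewhere other than system32 (a planted copy
such as C:\scecli.dll). The allowlists are assumptions for the example.
"""
import re
from dataclasses import dataclass

# DDS line shape: <date> <time> <size or <DIR>> <8 attribute flags> <path>
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{8})\s+"
    r"(?P<path>\S.*?)\s*$",
    re.IGNORECASE,
)

# Assumption: helper binaries ComboFix drops into %WINDIR% during a run;
# they show up in "Created Last 30" after a cleanup and are not malware.
CLEANUP_TOOL_FILES = {"pev.exe", "swreg.exe", "sed.exe"}

# Assumption: a few Windows DLLs that belong in system32. A copy elsewhere
# is worth a look; the log above shows scecli.dll at the root of C:.
SYSTEM32_DLLS = {
    "scecli.dll", "lsasrv.dll", "kerberos.dll", "schannel.dll",
    "msv1_0.dll", "secur32.dll", "wdigest.dll",
}

# Directories that legitimately hold copies of system DLLs (assumption).
LEGIT_SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\servicepackfiles")

EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Finding:
    stamp: str
    path: str
    reason: str


def split_path(path):
    """Return (folder, name), both lower-cased, for a DDS-style Windows path."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name.lower()


def triage_line(line):
    """Apply the heuristics to one log line; None means nothing to report."""
    m = LINE_RE.match(line.strip())
    if not m or m["size"] == "<DIR>":
        return None  # section headers, blank lines, directories
    path = m["path"]
    folder, name = split_path(path)
    if name in SYSTEM32_DLLS and not folder.startswith(LEGIT_SYSTEM_DIRS):
        return Finding(m["stamp"], path, "system DLL outside system32")
    if folder == "c:" and name.endswith(EXECUTABLE_EXTS):
        return Finding(m["stamp"], path, "executable in drive root")
    if folder == r"c:\windows" and name not in CLEANUP_TOOL_FILES:
        return Finding(m["stamp"], path, "file dropped directly into %WINDIR%")
    return None


def triage(log_text):
    """Run triage_line over a whole log and collect the findings in log order."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


# Constructed sample: lines copied in shape from the log above, plus one made-up
# entry for C:\braviax.exe (a path the helper's script targets; size invented).
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2009-09-02 18:33 <DIR> --d----- c:\program files\ESET
2009-08-30 23:46 229,888 a------- c:\windows\PEV.exe
2009-08-30 23:27 0 a------- C:\backup.reg
2009-08-28 16:04 180,224 a------- C:\scecli.dll
2009-08-28 15:07 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-28 10:13 120 a------- c:\windows\Ugixozehujojul.dat
2009-08-28 10:10 15,242 a------- c:\windows\osudazit.dat
2009-08-28 10:05 25,088 a------- C:\braviax.exe
2009-08-20 14:12 594,432 -c------ c:\windows\system32\dllcache\msfeeds.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.stamp}  {f.reason:40}  {f.path}")
```

Run against the sample it reports four entries (scecli.dll, the two random-named .dat files, braviax.exe) and stays quiet on PEV.exe, backup.reg, mbam.sys and the dllcache copy of msfeeds.dll. The rules are deliberately narrow; the point is to shortlist lines for a human, not to declare anything clean.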

This has a very stubborn set of infections. They seem to persist and recur. If we don't make headway, you would be facing a need to wipe/pave and do a clean install of Windows!!

First, I must insist you remove Morpheus.

Filesharing/downloading apps are one of the leading causes of transmission of malware.

"File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

=

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

I am going to have you get a fresh copy of Combofix, save it first, and then run a special script.

There's still some stubborn malware laying about.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now !

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2

Link 3

CF_download_FF.gif

CF_download_rename.gif

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

DDS::

mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide

mRun: [braviax] braviax.exe

Driver::

braviax

PC Antispyware 2010

File::

c:\program files\pc_antispyware2010\PC_Antispyware2010.exe

c:\windows\braviax.exe

C:\braviax.exe

c:\windows\system32\braviax.exe

Folder::

c:\program files\pc_antispyware2010

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

=

Start your MBAM MalwareBytes' Anti-Malware.

Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

At this time of posting, the current definitions are # 2734 or later. The latest program version is 1.40.

When done, click the Scanner tab.

Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

Please download and run the Trend Micro Sysclean Package on your computer.

NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Trend Micro Damage Cleanup Engine

  • Make sure you read this document to understand how to use the program:

Trend Micro Sysclean Package README 1st

  • Basically there are 3 parts that need to be downloaded and SAVED from these links:

    • Sysclean Package

    • Virus Pattern Files, which will be an LPTxxx.ZIP file

    • Spyware Pattern Files, which will be an SSAPIPTNxxx.ZIP file

It is the 4th listed file, under the title "Detection and Cleanup (Trend Micro Anti-Spyware)".

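The CFScript the helper dictates above is a plain-text file of section headers (KILLALL::, DDS::, Driver::, File::, Folder::) followed by entries, and ComboFix acts on it with SYSTEM privileges: a Folder:: line that names c:\windows, or a header typed with one colon so that the paths beneath it land in the wrong section, is the kind of mistake that turns a cleanup into a reinstall. The checker below is an added example for this thread, not ComboFix's code or the helper's. It knows only the section names used in the script above (ComboFix accepts other directives, so extend KNOWN_SECTIONS before trusting an "unrecognised" report); PROTECTED_DIRS and the header-typo rule are assumptions, the first sample is the script from the post, and the second is a constructed counter-example with the mistakes the checker exists to catch.

```python
r"""Sanity-check a ComboFix CFScript before dragging it onto ComboFix.

Added example for this thread; it is not ComboFix's code or the helper's.
The section names it recognises (KILLALL::, DDS::, Driver::, File::,
Folder::) are the ones used in the script above; ComboFix accepts other
directives, so extend KNOWN_SECTIONS before trusting an "unrecognised"
report. PROTECTED_DIRS is an assumption: directories no cleanup script
should ever list under Folder::, since the tool deletes as SYSTEM.
"""
import re

KNOWN_SECTIONS = {"KILLALL::", "DDS::", "Driver::", "File::", "Folder::"}
PATH_SECTIONS = ("File::", "Folder::")

# A keyword with one colon or none is the classic typo that turns a header
# into a stray entry (or sends the entries after it to the wrong list).
HEADER_TYPO_RE = re.compile(r"^(killall|dds|driver|file|folder):?$", re.IGNORECASE)
ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def norm(path):
    """Lower-case a Windows path, drop surrounding quotes and a trailing backslash."""
    return path.strip().strip('"').lower().rstrip("\\")


# Assumption: never acceptable as a Folder:: target (or as a parent of one).
PROTECTED_DIRS = {norm(p) for p in (
    "C:\\", r"C:\Windows", r"C:\Windows\system32",
    r"C:\Program Files", r"C:\Documents and Settings",
)}


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]} and collect structural problems."""
    sections, problems, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line in KNOWN_SECTIONS:
            current = line
            sections.setdefault(current, [])
        elif line.endswith("::") or HEADER_TYPO_RE.match(line):
            problems.append(f"line {lineno}: unrecognised or malformed section header {line!r}")
            current = None  # do not let the lines below it land in the previous section
        elif current is None:
            problems.append(f"line {lineno}: entry outside any section: {line!r}")
        else:
            sections[current].append(line)
    return sections, problems


def check_paths(sections):
    """File::/Folder:: entries must be absolute paths and must not hit a protected directory."""
    problems = []
    for sec in PATH_SECTIONS:
        for entry in sections.get(sec, []):
            if not ABS_PATH_RE.match(entry.strip('"')):
                problems.append(f"{sec} entry is not an absolute drive path: {entry!r}")
                continue
            n = norm(entry)
            if n in PROTECTED_DIRS or any(d.startswith(n + "\\") for d in PROTECTED_DIRS):
                problems.append(f"{sec} entry would delete a protected directory: {entry!r}")
    return problems


def validate(text):
    """Return (sections, problems); an empty problems list means the script passed."""
    sections, problems = parse_cfscript(text)
    return sections, problems + check_paths(sections)


# The script from the helper's post above, reproduced as test input.
THREAD_SCRIPT = r"""
KILLALL::

DDS::
mRun: [PC Antispyware 2010] "c:\program files\pc_antispyware2010\PC_Antispyware2010.exe" /hide
mRun: [braviax] braviax.exe

Driver::
braviax
PC Antispyware 2010

File::
c:\program files\pc_antispyware2010\PC_Antispyware2010.exe
c:\windows\braviax.exe
C:\braviax.exe
c:\windows\system32\braviax.exe

Folder::
c:\program files\pc_antispyware2010
"""

# Constructed counter-example: a relative path, a protected folder, and a
# header typed with one colon (its entry then belongs to no section at all).
BAD_SCRIPT = r"""
File::
braviax.exe
c:\windows\system32\braviax.exe

Folder::
c:\windows
c:\program files\pc_antispyware2010

file:
c:\temp\dropper.exe
"""

if __name__ == "__main__":
    for label, script in (("thread script", THREAD_SCRIPT), ("bad script", BAD_SCRIPT)):
        _, problems = validate(script)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The helper's script passes with every section accounted for; the constructed one produces four reports (malformed header, stray entry, relative path, protected directory). Keep PROTECTED_DIRS conservative: the check is meant to stop a catastrophic typo, not to second-guess a File:: entry inside system32 that the helper chose deliberately.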

Combofix.txt:

ComboFix 09-09-02.02 - Owner 09/03/2009 9:16.3.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1406.902 [GMT -4:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

FILE ::

"C:\braviax.exe"

"c:\program files\pc_antispyware2010\PC_Antispyware2010.exe"

"c:\windows\braviax.exe"

"c:\windows\system32\braviax.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://download.j+|Cv+@J:NGD_DQ{ztHG.X.$

.

((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))

.

2009-09-02 22:33 . 2009-09-02 22:33 -------- d-----w- c:\program files\ESET

2009-09-02 22:17 . 2009-09-02 22:17 -------- d-----w- C:\VundoFix Backups

2009-08-31 03:27 . 2009-08-31 03:35 0 ----a-w- C:\backup.reg

2009-08-31 03:26 . 2009-08-31 03:26 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

2009-08-29 05:27 . 2009-08-29 05:27 -------- d-----w- c:\program files\ERUNT

2009-08-28 22:48 . 2009-08-28 22:48 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-08-28 20:09 . 2009-08-28 20:09 -------- d-sh--w- c:\documents and settings\Owner\PrivacIE

2009-08-28 20:04 . 2004-08-04 19:00 180224 ----a-w- C:\scecli.dll

2009-08-28 19:55 . 2009-08-28 19:56 -------- d-----w- C:\HJT

2009-08-28 19:38 . 2009-08-28 19:38 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Mozilla

2009-08-28 19:35 . 2009-08-28 19:35 -------- d-s---w- C:\CFetf

2009-08-28 19:24 . 2009-08-28 19:25 -------- dc-h--w- c:\windows\ie8

2009-08-28 19:07 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-28 19:07 . 2009-09-02 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-28 19:07 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-28 16:59 . 2009-08-28 16:59 -------- d-----w- c:\program files\Trend Micro

2009-08-28 16:37 . 2009-08-28 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-28 16:33 . 2009-08-28 16:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-28 15:40 . 2009-08-28 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\{AF84A25A-43D1-4008-B64E-734856F57587}

2009-08-28 14:13 . 2009-08-28 16:15 120 ----a-w- c:\windows\Ugixozehujojul.dat

2009-08-28 14:10 . 2009-08-28 14:10 15242 ----a-w- c:\windows\osudazit.dat

2009-08-28 13:14 . 2009-08-28 13:14 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

2009-08-28 13:14 . 2009-08-28 13:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-20 18:55 . 2009-08-20 18:55 -------- d-sh--w- c:\documents and settings\Owner\IECompatCache

2009-08-20 18:53 . 2009-08-20 18:53 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-20 18:52 . 2009-08-20 18:52 -------- d-sh--w- c:\documents and settings\Owner\IETldCache

2009-08-20 18:16 . 2009-08-31 03:49 -------- d-----w- c:\windows\ie8updates

2009-08-20 18:12 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-08-20 18:12 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-08-20 18:12 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-08-20 18:12 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-20 18:12 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-08-20 18:11 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-08-16 13:37 . 2009-08-16 13:37 -------- d-----w- c:\windows\system32\XPSViewer

2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\MSBuild

2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- c:\program files\Reference Assemblies

2009-08-16 13:36 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll

2009-08-16 13:36 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll

2009-08-16 13:36 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll

2009-08-16 13:36 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll

2009-08-16 13:36 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe

2009-08-16 13:36 . 2009-08-16 13:36 -------- d-----w- C:\45aa4bc014f02c68bef922ab9eec

2009-08-16 13:36 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll

2009-08-16 13:36 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll

2009-08-16 13:35 . 2009-08-31 03:49 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-16 13:32 . 2009-08-16 13:32 -------- d-----w- c:\program files\MSXML 6.0

2009-08-16 11:34 . 2009-08-16 11:34 -------- d-----w- c:\windows\ServicePackFiles

2009-08-14 05:15 . 2009-08-14 05:15 -------- d-----w- c:\documents and settings\Owner\Application Data\Malwarebytes

2009-08-14 05:15 . 2009-08-14 05:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-11 12:24 . 2004-08-04 04:56 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-02 22:47 . 2006-10-10 00:34 -------- d-----w- c:\program files\Morpheus

2009-08-31 03:49 . 2005-06-19 18:39 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\SampleView

2009-08-31 03:49 . 2005-01-28 09:10 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Symantec

2009-08-28 16:57 . 2005-01-28 09:19 -------- d-----w- c:\program files\BigFix

2009-08-28 15:03 . 2005-01-28 09:20 -------- d-----w- c:\program files\Google

2009-08-20 20:13 . 2005-06-23 16:28 4966 ----a-w- c:\documents and settings\Owner\Application Data\wklnhst.dat

2009-08-16 13:49 . 2005-06-22 20:39 107232 ----a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-11 13:50 . 2005-01-28 09:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-11 12:25 . 2009-08-11 12:25 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf

2009-08-11 12:25 . 2009-08-11 12:25 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf

2009-08-05 09:11 . 2004-08-26 16:12 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:53 . 2004-08-26 16:12 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-29 04:53 . 2004-08-26 16:11 82432 ----a-w- c:\windows\system32\fontsub.dll

2009-07-27 14:07 . 2009-07-27 14:07 -------- d-----w- c:\program files\iTunes

2009-07-27 14:07 . 2009-07-27 14:07 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-07-27 14:07 . 2006-02-14 01:04 -------- d-----w- c:\program files\iPod

2009-07-27 14:07 . 2008-12-15 00:19 -------- d-----w- c:\program files\Common Files\Apple

2009-07-27 14:06 . 2009-07-27 14:05 -------- d-----w- c:\program files\QuickTime

2009-07-27 14:01 . 2009-07-27 14:01 -------- d-----w- c:\program files\Bonjour

2009-07-17 18:55 . 2004-08-26 16:11 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-13 14:08 . 2004-08-26 16:12 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-09 16:16 . 2009-07-27 14:04 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll

2009-07-09 16:16 . 2008-12-15 00:20 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys

2009-06-25 08:44 . 2004-08-26 16:12 59392 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:44 . 2004-08-26 16:12 56320 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:44 . 2004-08-26 16:12 168448 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:44 . 2004-08-26 16:12 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:44 . 2004-08-26 16:11 724480 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:44 . 2004-08-26 16:11 298496 ----a-w- c:\windows\system32\kerberos.dll

2009-06-22 11:34 . 2004-08-26 16:11 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-12 11:50 . 2004-08-26 16:12 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:21 . 2004-08-26 16:11 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:32 . 2004-08-26 16:12 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-06 21:22 . 2006-02-27 04:19 47 ----a-w- c:\windows\popcinfo.dat

2006-02-26 20:21 . 2006-02-26 20:21 774144 ----a-w- c:\program files\RngInterstitial.dll

2005-06-23 11:22 . 2005-06-23 11:22 0 --sha-w- c:\windows\SMINST\HPCD.sys

.

((((((((((((((((((((((((((((( SnapShot@2009-08-31_04.04.57 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-03 13:24 . 2009-09-03 13:24 16384 c:\windows\temp\Perflib_Perfdata_300.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\IconOverlayHandlerAccessible]

@="{3DBF5F01-3287-46EB-82CF-45AA5C241162}"

[HKEY_CLASSES_ROOT\CLSID\{3DBF5F01-3287-46EB-82CF-45AA5C241162}]

2007-08-10 19:27 598016 ----a-w- c:\windows\system32\PGPfsshl.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"AIM"="k:\program files\AIM\aim.exe" [bU]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [bU]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [bU]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-12 344064]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-06-10 196608]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-06-10 217088]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]

"Verizon_McciTrayApp"="c:\program files\Verizon\McciTrayApp.exe" [2009-03-10 1553920]

"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2008-09-17 2065648]

"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]

"Linksys Wireless Manager"="c:\program files\Linksys\Linksys Wireless Manager\LinksysWirelessManager.exe" [2009-02-16 1358384]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]

"CHotkey"="zHotkey.exe" - c:\windows\zHotkey.exe [2004-05-18 543232]

"ShowWnd"="ShowWnd.exe" - c:\windows\ShowWnd.exe [2003-09-19 36864]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2004-11-16 77824]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2007-5-1 57344]

PGPtray.exe.lnk - c:\windows\Installer\{882025A7-7599-4989-8FCD-7604FB90D6A9}\Icon6560581611.exe [2008-7-14 55296]

VPN Client.lnk - c:\windows\Installer\{3E5562ED-69AB-4CEC-91E2-64E18EC5ACC6}\Icon3E5562ED7.ico [2006-10-3 6144]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\PGPmapih.dll c:\windows\system32\PGPmapih.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli PGPpwflt

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Morpheus\\Morpheus.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 pgpfs;PGP File Sharing;c:\windows\system32\drivers\PGPfsfd.sys [8/10/2007 3:21 PM 97792]

R0 PGPwded;PGPwded Storage Filter Service;c:\windows\system32\drivers\PGPwded.sys [8/10/2007 3:21 PM 168960]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [12/9/2008 12:37 PM 13088]

R2 PGPdisk;PGPdisk;c:\windows\system32\drivers\PGPdisk.sys [8/10/2007 3:21 PM 224256]

R2 PGPsdkDriver;PGPsdkDriver;c:\windows\system32\drivers\PGPsdk.sys [8/10/2007 3:21 PM 33792]

R2 Prvflder;Prvflder;c:\windows\system32\drivers\prvflder.sys [4/21/2006 8:22 AM 70912]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [10/27/2008 8:21 AM 24652]

R3 WUSB54GCv3;Compact Wireless-G USB Network Adapter;c:\windows\system32\drivers\WUSB54GCv3.sys [4/13/2009 12:02 PM 627072]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-26 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2005-06-19 c:\windows\Tasks\ISP signup reminder 1.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

2005-06-19 c:\windows\Tasks\ISP signup reminder 2.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

2005-06-19 c:\windows\Tasks\ISP signup reminder 3.job

- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 19:00]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://excite.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://www.emachines.com/

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &AOL Toolbar search

IE: E&xport to Microsoft Excel

LSP: c:\windows\system32\PGPlsp.dll

Trusted Zone: turbotax.com

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\ec8zxwrm.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - HiddenExtension: XUL Cache: {AF84A25A-43D1-4008-B64E-734856F57587} - c:\documents and settings\NetworkService\Local Settings\Application Data\{AF84A25A-43D1-4008-B64E-734856F57587}\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-03 09:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1156)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\PGPpwflt.dll

c:\windows\system32\PGPwd.dll

c:\windows\system32\PGPsdk.dll

c:\windows\system32\pgpsdkm.dll

- - - - - - - > 'explorer.exe'(3292)

c:\windows\system32\PGPhk.dll

c:\program files\Common Files\Motive\McciContextHook_DSR.dll

c:\windows\system32\PGPfsshl.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\program files\Microsoft Private Folder 1.0\ShellExt.dll

c:\windows\system32\PFLib.dll

c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

c:\windows\system32\webcheck.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Common Files\Motive\McciCMService.exe

c:\windows\system32\PGPserv.exe

c:\windows\system32\ati2evxx.exe

c:\program files\Microsoft Private Folder 1.0\PrfldSvc.exe

c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

c:\windows\system32\wdfmgr.exe

c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe

c:\program files\PGP Corporation\PGP Desktop\PGPtray.exe

c:\windows\system32\wscntfy.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe

.

**************************************************************************

.

Completion time: 2009-09-03 9:28 - machine was rebooted

ComboFix-quarantined-files.txt 2009-09-03 13:27

ComboFix2.txt 2009-09-02 19:18

ComboFix3.txt 2009-08-31 04:10

Pre-Run: 135,554,117,632 bytes free

Post-Run: 135,498,817,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

296 --- E O F --- 2009-08-28 14:43

MBAM log:

Malwarebytes' Anti-Malware 1.40

Database version: 2735

Windows 5.1.2600 Service Pack 2

9/3/2009 10:00:02 AM

mbam-log-2009-09-03 (10-00-02).txt

Scan type: Quick Scan

Objects scanned: 104555

Time elapsed: 30 minute(s), 36 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Sysclean.txt:

/--------------------------------------------------------------\

| Trend Micro System Cleaner |

| Copyright 2009-2010, Trend Micro, Inc. |

| http://www.trendmicro.com |

\--------------------------------------------------------------/

2009-09-03, 10:01:24, Auto-clean mode specified.

2009-09-03, 10:01:25, Initialized Rootkit Driver version 2.2.0.1004.

2009-09-03, 10:01:25, Running scanner "C:\Documents and Settings\Owner\Desktop\DCE\TSC.BIN"...

2009-09-03, 10:01:38, Scanner "C:\Documents and Settings\Owner\Desktop\DCE\TSC.BIN" has finished running.

2009-09-03, 10:01:38, TSC Log:


Looking better. The Sysclean did not find anything new and MBAM is good. But I need you to do 1 update & 1 more scan.

See this topic in the AumHa Security forum and get the latest Java run-time

http://aumha.net/viewtopic.php?f=26&t=41698

Scan the system with the Kaspersky Online Scanner

http://www.kaspersky.com/virusscanner

Attention: Kaspersky Online Scanner 7.0 may not run successfully while another antivirus program is running. If you have Anti-Virus software installed, please temporarily disable your AV protection before running the Kaspersky Online Scanner. Re-enable it after the scan is finished.

During this run, make sure your browser does not block popup windows. Have patience while some screens populate.

1) Click the Kaspersky Online Scanner button. You'll see a popup window.

2) Accept the agreement

3) Accept the installation of the required ActiveX object ( XP SP2-SP3 will show this in the Information Bar )

4) For XP SP2-SP3, click the Install button when prompted

5) The necessary files will be downloaded and installed. Please have plenty of patience.

6) After Kaspersky AntiVirus Database is updated, look at the Scan box.

7) Click the My Computer line

8) Be infinitely patient; the scan is comprehensive and, unlike other online antivirus scanners, will detect all malware.

9) When the scan is completed there will be an option to Save report as a .txt file. Click that button. Copy and paste the report into your reply.

(To see an animated tutorial how-to on the scan, see >>this link<<)

Re-enable your antivirus program after Kaspersky has finished.

Kaspersky Online Scanner can be uninstalled later on from Add or Remove Programs in the Control Panel, if desired.

Do not be alarmed if Kaspersky tags items that are already in quarantine by MBAM, or ComboFix's Qoobox & quarantine.

Kaspersky is a report only and does not remove files.

Post back with copies of the Kaspersky.txt report.

How is your system now ?


Kaspersky.txt:

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Friday, September 4, 2009

Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, September 03, 2009 20:46:05

Records in database: 2743488

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

K:\

Scan statistics:

Objects scanned: 86315

Threats found: 3

Infected objects found: 3

Suspicious objects found: 0

Scan duration: 01:52:30

File name / Threat / Threats count

C:\Qoobox\Quarantine\C\Program Files\MorpheusBar\bar\1.bin\NPMORPBR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETikvfsjmc.sys.vir Infected: Trojan.Win32.TDSS.amxe 1

C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000178.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.wpx 1

Selected area has been scanned.
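As an added example (not part of the thread, and not the helper's or Kaspersky's code), the following Python script parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner 7.0 report like the one above and separates hits inside ComboFix's Qoobox, MBAM quarantine and System Restore points from hits on live files, which is the distinction the helper draws when saying not to be alarmed by quarantined items. The MBAM quarantine path is an assumption; the sample lines are reconstructed from the report above.

```python
"""Triage a Kaspersky Online Scanner 7.0 report: quarantined vs live hits.

Added example, not part of the original thread. The sample report below is
constructed from the three detection lines in the thread's Kaspersky.txt post.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the detection block as it appears in the report above.
SAMPLE_REPORT = r"""File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Program Files\MorpheusBar\bar\1.bin\NPMORPBR.DLL.vir Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.i 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\SKYNETikvfsjmc.sys.vir Infected: Trojan.Win32.TDSS.amxe 1
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP1\A0000178.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.wpx 1
Selected area has been scanned.
"""

# Locations that hold already-neutralised copies rather than live infections.
# Paths are compared lower-cased with backslashes turned into forward slashes.
# Assumption: the MBAM quarantine folder name; ComboFix's Qoobox and the
# System Restore folder are as seen in the report.
QUARANTINE_MARKERS = (
    "/qoobox/quarantine/",                                   # ComboFix quarantine
    "/malwarebytes' anti-malware/quarantine/",               # MBAM quarantine (assumed name)
    "/system volume information/_restore",                   # System Restore points
)

# "<path> Infected: <threat name> <count>"; the path may contain spaces.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)


@dataclass
class Hit:
    path: str
    status: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        normalised = self.path.lower().replace("\\", "/")
        return any(marker in normalised for marker in QUARANTINE_MARKERS)

    @property
    def rootkit_family(self) -> bool:
        # TDSS is the rootkit family behind the "Skynet" driver named in the thread title.
        return ".tdss." in self.threat.lower()


def parse_report(text: str) -> list[Hit]:
    """Return one Hit per detection line; header and trailer lines are skipped."""
    hits: list[Hit] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            hits.append(Hit(match["path"], match["status"], match["threat"], int(match["count"])))
    return hits


def triage(text: str) -> dict:
    """Split hits into live and quarantined; only live hits need follow-up."""
    hits = parse_report(text)
    live = [h.path for h in hits if not h.quarantined]
    quarantined = [h.path for h in hits if h.quarantined]
    return {
        "total": len(hits),
        "live": live,
        "quarantined": quarantined,
        "rootkit_hits": [h.threat for h in hits if h.rootkit_family],
        "needs_attention": bool(live),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```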


ERUNT you should keep and use on some regular basis to backup the Windows registry.

You should also keep ATF Cleaner and use to delete temp files.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it.

Go to Control Panel and Add-or-Remove programs.

Look for it and click the line for it. Select Change/Remove to de-install it.

De-install Eset Online scan

De-install Kaspersky Online

OK & Exit out of Control Panel

I see that you are clear of your original issues.

If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders. By whichever name you named it (you had named it combo-fix), put that name in the RUN box stated just below.

The "/u" in the Run line below is to start Combofix for its cleanup & removal function.

Note the space after x and before the slash mark.

The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.

  • Click Start, then click Run.
    In the command box that opens, type or copy/paste
    combo-fix /u
    and then click OK.

  • Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe
  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been downloaded you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.

We are finished here. Best regards.

I'm closing this thread.

Note to any casual viewer: The procedures used here are only for this system.

If you have similar issues, open your own New topic. Do not use the procedures here on another system.

This topic is now closed to further replies.