Reallyhatesspyware Posted September 12, 2009 ID:125813 Share Posted September 12, 2009 After hours of sitting in front of the computer, downloading all sorts of promising anti-malware/spyware removers, I have resorted to do what no man has done before. Ask for help. Here's my situation.I have had Malwarebytes Anti-Malware installed on my computer for a while now, at the recommendation of a friend. Today, it decided it wasn't going to run when "AntivirusPro_2010" showed up on my computer. Total disaster. I tried to run Malwarebytes, but an error message comes up saying that I have no damn right to run it .I looked through a few websites with miracle cures to removing this "new type of malware". I have since downloaded; STOPZilla, SUPERAntispyware, Avira, and Hijackthis, in order. I ran a 'STOPzilla' scan and a few Trojans, Spyware, Hijackers and Viruses showed up; Win32kStream, CoolwebSearch, Deviant.C, ExecVariant.C, Tapi.nfo, Antivirus2010 (*shakes fist* ), Skynet, System Policies, Ultimate Cleaner, Host File.B and Explorer Policies something or other, to name a 'few'. I then realized that I had to pay (of course!) to remove these malware/spyware programs etc, which is not going to happen.I then ran a 'SUPERAntispyware' scan, and like the Malwarebytes scan..It shut down after a few moments of scanning.. teasing me by showing me some of the spyware I actually had first though! Hopeless.Then, I found myself here...and after mindless browsing through the forums I downloaded 'Avira Antivirus Personal' and 'Hijackthis', as some other poor soul was told to by Malwarebyte staff request. The 'Avira' scan is still running at the moment, with a promising 11 detections found. I attempted to run the 'Hijackthis' program, to no avail. The window did not even show up. After a few moments of extra browsing, I tried 'Combofix'. As you can imagine with my luck today, it also did not run. This is the point I'm at right now. Not nearly at boiling point yet though, as I've had to deal with this sort of thing in the past. This situation has perplexed me though, so I may need a little help. ANY help would be wonderful. Keep in mind that I'm somewhat of a novice when it comes to this sort of thing Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 14, 2009 Author ID:126414 Share Posted September 14, 2009 Link to post Share on other sites More sharing options...
LonnyRJ Posted September 17, 2009 ID:128221 Share Posted September 17, 2009 Welcome ReallyhatesspywareDownload (dont run yet) this toolhttp://download.bleepingcomputer.com/rootr.../Win32kDiag.exehttp://ad13.geekstogo.com/Win32kDiag.exePlace it on your desktop.Go start run copy then paste in the line below and press enter"%userprofile%\desktop\Win32kDiag.exe" -r -fA log should open when it is finished, post it please.Do not run any tools except what we recommend here until your clear of these pests Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 17, 2009 Author ID:128367 Share Posted September 17, 2009 Well, I did as you said. Problem is, when the window comes up the text says "Cannot Access: C:\WINDOWS\system32\eventlog.dll" along with some other text, and does nothing else. Link to post Share on other sites More sharing options...
LonnyRJ Posted September 17, 2009 ID:128522 Share Posted September 17, 2009 You need to let it continue to run until it is finished. Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 17, 2009 Author ID:128566 Share Posted September 17, 2009 Hopefully this is what you're looking for Running from: C:\Documents and Settings\Stephen Reid\desktop\Win32kDiag.exeLog file at : C:\Documents and Settings\Stephen Reid\Desktop\Win32kDiag.txtRemoving all found mount points.Attempting to reset file permissions.WARNING: Could not get backup privileges!Searching 'C:\WINDOWS'...Cannot access: C:\WINDOWS\system32\eventlog.dllAttempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\eventlog.dll (Microsoft Corporation)[1] 2004-08-10 05:00:00 61952 C:\WINDOWS\system32\eventlog.dll ()[2] 2004-08-10 05:00:00 55808 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)Found mount point : C:\WINDOWS\system32\export\exportMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\export\exportFound mount point : C:\WINDOWS\system32\FxsTmp\FxsTmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\FxsTmp\FxsTmpFound mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNTMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\IME\CINTLGNT\CINTLGNTFound mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNTMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\IME\PINTLGNT\PINTLGNTFound mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNTMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\IME\TINTLGNT\TINTLGNTFound mount point : C:\WINDOWS\system32\inetsrv\inetsrvMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\inetsrv\inetsrvFound mount point : C:\WINDOWS\system32\mui\dispspec\dispspecMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\mui\dispspec\dispspecFound mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnupMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\ispsgnup\ispsgnupFound mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcustMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemcust\oemcustFound mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhwMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemhw\oemhwFound mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemregMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\html\oemreg\oemregFound mount point : C:\WINDOWS\system32\oobe\sample\sampleMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\oobe\sample\sampleFound mount point : C:\WINDOWS\system32\ShellExt\ShellExtMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\ShellExt\ShellExtFound mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERSMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\spool\PRINTERS\PRINTERSFound mount point : C:\WINDOWS\system32\wbem\mof\bad\badMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\mof\bad\badFound mount point : C:\WINDOWS\system32\wbem\mof\good\goodMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\mof\good\goodFound mount point : C:\WINDOWS\system32\wbem\snmp\snmpMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wbem\snmp\snmpFound mount point : C:\WINDOWS\system32\wins\winsMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\wins\winsFound mount point : C:\WINDOWS\system32\xircom\xircomMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\system32\xircom\xircomFound mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTempMount point destination : \Device\__max++>\^Removing mount point : C:\WINDOWS\WinSxS\InstallTemp\InstallTempFinished! Link to post Share on other sites More sharing options...
LonnyRJ Posted September 17, 2009 ID:128571 Share Posted September 17, 2009 Visit the webpage below for instructions for downloading and running ComboFix:But proir to running Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This is because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how. http://www.bleepingcomputer.com/forums/topic114351.htmlhttp://www.bleepingcomputer.com/combofix/how-to-use-combofixPost combofix's log which will open automaticly when complete, if not it is located here. C:\combofix.txtNote: If windows auto-update comes up cancel it for now.For others looking for a solution, please do not try my advice to this user, post for help yourself. Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 17, 2009 Author ID:128619 Share Posted September 17, 2009 I attempted to run 'combofix', but it refuses to open. I disabled my Avira Antivirus, and deleted all my other Antispyware Programs. Link to post Share on other sites More sharing options...
LonnyRJ Posted September 18, 2009 ID:128715 Share Posted September 18, 2009 Sometimes for heavly infected PC's combofix takes awhile to start, did you give it five minutes to open ? Link to post Share on other sites More sharing options...
LonnyRJ Posted September 18, 2009 ID:128716 Share Posted September 18, 2009 If so and it never openedgo start run and type in SC CONFIG EVENTLOG START= DISABLEDpress enter and restart your PCNow try running combofix again Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 18, 2009 Author ID:128752 Share Posted September 18, 2009 Still unresponsive. Would there be any other factors that wouldn't allow it to run? Link to post Share on other sites More sharing options...
LonnyRJ Posted September 18, 2009 ID:128820 Share Posted September 18, 2009 Make sure it was disabledOpen a command prompt and typeSC query EVENTLOG Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 21, 2009 Author ID:130766 Share Posted September 21, 2009 I apologize My computer came under serious attack and I could not access the internet until now. I'll post more information later. Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 22, 2009 Author ID:131008 Share Posted September 22, 2009 I got combofix to run, along with Malwarebytes. Malwarebytes removed a lot of the infections, but if I run the scan again there are a few infections (which were the same ones as last time) that still show up. What should I do now? Link to post Share on other sites More sharing options...
LonnyRJ Posted September 22, 2009 ID:131013 Share Posted September 22, 2009 Post the combofix log > c:\combofix.txtPost the latest mbam log to please. Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 22, 2009 Author ID:131030 Share Posted September 22, 2009 MBAM Log-------------------------------------------------------------------------------------------------------------------------------Malwarebytes' Anti-Malware 1.41Database version: 2839Windows 5.1.2600 Service Pack 29/21/2009 4:35:53 PMmbam-log-2009-09-21 (16-35-53).txtScan type: Quick ScanObjects scanned: 112363Time elapsed: 1 hour(s), 17 minute(s), 15 second(s)Memory Processes Infected: 3Memory Modules Infected: 4Registry Keys Infected: 11Registry Values Infected: 21Registry Data Items Infected: 20Folders Infected: 8Files Infected: 77Memory Processes Infected:C:\WINDOWS\system32\winupdate.exe (Trojan.FakeAlert) -> Unloaded process successfully.C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Unloaded process successfully.C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Unloaded process successfully.Memory Modules Infected:c:\WINDOWS\system32\fevusota.dll (Trojan.Vundo.H) -> Delete on reboot.c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.\\?\globalroot\systemroot\system32\SKYNETvcbvqpyr.dll (Trojan.FakeAlert) -> Delete on reboot.c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.Registry Keys Infected:HKEY_CLASSES_ROOT\CLSID\{3c72b957-1a9d-489b-8599-9bb96c15d007} (Trojan.Vundo.H) -> Delete on reboot.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\antiviruspro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\AVR (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.Registry Values Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jidoridow (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{3c72b957-1a9d-489b-8599-9bb96c15d007} (Trojan.Vundo.H) -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\hevamulaj (Trojan.Vundo.H) -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanced virus remover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vomiguheme (Trojan.Agent) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\braviax (Trojan.Downloader) -> Quarantined and deleted successfully.Registry Data Items Infected:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\fevusota.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\fevusota.dll -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: c:\windows\system32\cru629.dat -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.FakeAlert) -> Data: system32\cru629.dat -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.Folders Infected:C:\Documents and Settings\All Users\Application Data\12106714 (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Program Files\AdvancedVirusRemover (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.C:\Program Files\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\data (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Start Menu\Programs\AntivirusPro_2010 (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.Files Infected:c:\WINDOWS\system32\fevusota.dll (Trojan.Vundo.H) -> Delete on reboot.c:\WINDOWS\system32\BtwSrv.dll (Trojan.Agent) -> Delete on reboot.\\?\globalroot\systemroot\system32\SKYNETvcbvqpyr.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\ddbpu.exe (Rootkit.Agent) -> Quarantined and deleted successfully.C:\ileede.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\kqjopjiq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\mdnsq.exe (Rogue.Installer) -> Quarantined and deleted successfully.C:\ruptbvv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\WINDOWS\system32\bisepufi.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.C:\WINDOWS\system32\cru629.dat (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\eventlog.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.C:\WINDOWS\system32\fifiteko.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\kri746.dat (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\logevent.dll (Trojan.Sirefef) -> Quarantined and deleted successfully.C:\WINDOWS\system32\nzfiu3h78di.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\winupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\wisdstr.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\system32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\beep.sys (Trojan.KillAV) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\UACviuotfunlm.sys (Trojan.TDSS.T) -> Quarantined and deleted successfully.C:\WINDOWS\Temp\nkjnravsej.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\HACMB1BS\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[2].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[3].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\KY0D4B2P\w[4].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\R7W1YWYT\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UHCQNW8X\w[1].bin (Backdoor.Bot) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\12106714\12106714 (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\12106714\pc12106714ins (Rogue.Multiple) -> Quarantined and deleted successfully.C:\Program Files\AdvancedVirusRemover\PAVRM.exe (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.cfg (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\AVEngn.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\htmlayout.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\pthreadVC2.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\Uninstall.exe (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\wscui.cpl (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\data\daily.cvd (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\Microsoft.VC80.CRT.manifest (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcm80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcp80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Program Files\AntivirusPro_2010\Microsoft.VC80.CRT\msvcr80.dll (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Documents and Settings\All Users\Application Data\danigudu.dll (Trojan.Agent) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Desktop\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Application Data\Microsoft\Internet Explorer\Quick Launch\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Start Menu\Advanced Virus Remover.lnk (Rogue.AdvancedVirusRemover) -> Quarantined and deleted successfully.C:\WINDOWS\system32\~.exe (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\system32\_scui.cpl (Trojan.FakeAlert) -> Quarantined and deleted successfully.C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Delete on reboot.C:\WINDOWS\system32\drivers\UACvakomqrgfv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\WINDOWS\system32\dumibimo.dll (Trojan.Vundo) -> Delete on reboot.C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.C:\WINDOWS\system32\UACmyktuwehwe.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr2 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr3 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr4 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr5 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Local Settings\Temp\tmpwr6 (Rogue.Installer) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Cookies\lajyxyli.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Local Settings\Temporary Internet Files\zehydybore.exe (Trojan.Agent) -> Quarantined and deleted successfully.C:\WINDOWS\braviax.exe (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Desktop\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\Documents and Settings\Stephen Reid\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusPro_2010.lnk (Rogue.AntiVirusPro2010) -> Quarantined and deleted successfully.C:\rhjdpc.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\vhlyrkv.exe (Trojan.Dropper) -> Quarantined and deleted successfully.C:\joxa.exe (Trojan.Dropper) -> Quarantined and deleted successfully.---------------------------------------------------------------------------------------------------------------------------------------------------------------------- Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 22, 2009 Author ID:131031 Share Posted September 22, 2009 ComboFix LogComboFix 09-09-16.05 - xxxxxx 09/21/2009 16:52.1.2 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.439 [GMT -7:00]Running from: c:\documents and settings\xxxxxxx\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.- REDUCED FUNCTIONALITY MODE -.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\recycler\S-1-5-21-3868997124-911790988-508925577-500c:\recycler\S-1-5-21-3868997124-911790988-508925577-500\desktop.inic:\recycler\S-1-5-21-3868997124-911790988-508925577-500\INFO2c:\windows\Install.txtc:\windows\kb913800.exec:\windows\system32\cru629.datc:\windows\system32\Install.txtc:\windows\system32\lowsecc:\windows\system32\lowsec\local.dsc:\windows\system32\lowsec\user.dsc:\windows\system32\lowsec\user.ds.lllc:\windows\system32\sdra64.exe.((((((((((((((((((((((((( Files Created from 2009-08-21 to 2009-09-21 ))))))))))))))))))))))))))))))).2009-09-21 23:14 . 2009-09-21 23:14 0 ----a-w- c:\windows\system32\6334.exe2009-09-21 22:14 . 2009-09-21 22:14 0 ----a-w- c:\windows\system32\18467.exe2009-09-21 21:25 . 2009-09-21 21:25 17821 ----a-w- c:\windows\gupuc.scr2009-09-21 21:25 . 2009-09-21 21:25 13589 ----a-w- c:\program files\Common Files\xixicu.sys2009-09-21 21:25 . 2009-09-21 21:25 11045 ----a-w- c:\windows\qypyd.com2009-09-21 21:25 . 2009-09-21 21:25 10041 ----a-w- c:\program files\Common Files\lecypijafi.scr2009-09-21 21:15 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-21 21:15 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-09-21 21:14 . 2009-09-21 21:14 0 ----a-w- c:\windows\system32\41.exe2009-09-21 21:14 . 2009-09-21 21:14 43 ----a-w- c:\windows\system32\SKYNETpumihtvc.dat2009-09-21 21:07 . 2009-09-21 21:07 -------- d-----w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\tjnet2009-09-21 17:12 . 2009-09-21 17:12 49152 ----a-w- C:\hwdgqmcw.exe2009-09-19 02:25 . 2009-09-21 06:17 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\mjusbsp2009-09-13 01:35 . 2009-09-13 01:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple2009-09-12 22:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-09-12 22:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-09-12 22:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-09-12 22:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\program files\Avira2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-09-12 22:38 . 2009-09-12 22:38 -------- d-----w- c:\program files\Trend Micro2009-09-12 21:56 . 2009-09-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard2009-09-12 21:54 . 2009-09-17 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!2009-09-12 21:54 . 2009-09-12 21:54 -------- d-----w- c:\program files\Common Files\iS32009-09-12 21:48 . 2009-09-12 21:48 12851 ----a-w- c:\windows\system32\tewohisowy.pif2009-09-12 21:48 . 2009-09-12 21:48 18565 ----a-w- c:\windows\sycapyvac.dat2009-09-12 21:48 . 2009-09-12 21:48 10784 ----a-w- c:\windows\aborujary.sys2009-09-12 21:48 . 2009-09-12 21:48 10009 ----a-w- c:\program files\Common Files\uzijuda.dll2009-09-12 21:41 . 2009-09-12 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com2009-09-12 21:40 . 2009-09-12 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes2009-09-12 21:38 . 2009-09-12 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla2009-09-12 21:20 . 2009-09-12 21:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard2009-09-12 21:09 . 2009-09-12 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe2009-09-12 21:03 . 2009-09-12 21:03 18297 ----a-w- c:\program files\Common Files\enyna.bat2009-09-12 21:03 . 2009-09-12 21:03 17514 ----a-w- c:\program files\Common Files\ycisobevus.sys2009-09-12 21:03 . 2009-09-12 21:03 16053 ----a-w- c:\windows\tycu.exe2009-09-12 21:03 . 2009-09-12 21:03 15949 ----a-w- c:\windows\apucas.exe2009-09-12 21:03 . 2009-09-12 21:03 14000 ----a-w- c:\windows\system32\fazibu.bat2009-09-12 21:03 . 2009-09-12 21:03 13136 ----a-w- c:\windows\xacuze.reg2009-09-12 21:03 . 2009-09-12 21:03 12125 ----a-w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\ivawyjewe.bin2009-09-12 21:03 . 2009-09-12 21:03 11047 ----a-w- c:\windows\system32\qubi.pif2009-09-12 21:03 . 2009-09-12 21:03 10592 ----a-w- c:\program files\Common Files\depod.com2009-09-12 20:31 . 2009-09-12 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files2009-09-12 00:38 . 2009-09-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab2009-09-10 22:01 . 2009-09-11 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS2009-09-09 06:11 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll2009-09-06 22:10 . 2009-09-06 22:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment2009-09-04 18:25 . 2009-09-18 08:25 45 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences2.dat2009-08-27 22:12 . 2009-09-11 03:59 -------- d-----w- c:\program files\Warcraft III2009-08-23 23:20 . 2009-08-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 YPack Trial2009-08-23 23:18 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\PlaneShift2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\CrystalSpace2009-08-23 22:32 . 2009-08-23 22:42 -------- d-----w- c:\program files\PlaneShift Steel Blue2009-08-23 22:18 . 2009-08-23 22:18 -------- d-----w- c:\program files\Guild Wars.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-09-21 23:50 . 2009-05-25 19:31 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Skype2009-09-21 21:25 . 2009-09-21 21:25 19654 ----a-w- c:\documents and settings\Stephen Reid\Application Data\mojowy.com2009-09-21 21:25 . 2009-09-21 21:25 18205 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ukuc.sys2009-09-21 21:25 . 2009-09-21 21:25 17986 ----a-w- c:\program files\Common Files\fudoly.inf2009-09-21 21:25 . 2009-09-21 21:25 17220 ----a-w- c:\program files\Common Files\oxyza.dl2009-09-21 21:25 . 2009-09-21 21:25 11490 ----a-w- c:\program files\Common Files\fyno._sy2009-09-21 21:14 . 2009-08-10 09:53 1036226 ----a-w- c:\windows\system32\SKYNETalihyxen.dat2009-09-21 21:14 . 2009-06-21 21:14 87552 ------w- c:\windows\system32\fevusota.dll2009-09-21 21:14 . 2009-06-21 21:14 36864 --sha-w- c:\windows\system32\parodupa.dll2009-09-21 21:13 . 2009-05-25 19:37 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\skypePM2009-09-18 08:25 . 2009-04-04 08:33 37 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences.dat2009-09-17 20:29 . 2006-02-16 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com2009-09-17 19:08 . 2009-04-20 17:33 -------- d-----w- c:\program files\SUPERAntiSpyware2009-09-16 02:27 . 2009-09-16 02:26 3296 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg2009-09-16 02:26 . 2009-09-16 02:26 2464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg2009-09-12 21:48 . 2009-09-12 21:48 12079 ----a-w- c:\documents and settings\All Users\Application Data\yxuhek.vbs2009-09-12 21:48 . 2009-09-12 21:48 10112 ----a-w- c:\documents and settings\Stephen Reid\Application Data\emyzedelyz.pif2009-09-12 21:48 . 2009-09-12 21:48 14213 ----a-w- c:\documents and settings\Stephen Reid\Application Data\kijanezuk.bin2009-09-12 21:48 . 2009-09-12 21:48 10466 ----a-w- c:\documents and settings\All Users\Application Data\dyhupypa.sys2009-09-12 21:03 . 2009-09-12 21:03 18670 ----a-w- c:\documents and settings\Stephen Reid\Application Data\imomu.com2009-09-12 21:03 . 2009-09-12 21:03 18631 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ymuqad.dll2009-09-12 21:03 . 2009-09-12 21:03 13495 ----a-w- c:\documents and settings\All Users\Application Data\ikoq.bat2009-09-12 21:03 . 2009-09-12 21:03 13187 ----a-w- c:\documents and settings\All Users\Application Data\erih.bat2009-09-12 21:03 . 2009-09-12 21:03 12643 ----a-w- c:\documents and settings\All Users\Application Data\zasuwas.bin2009-09-12 21:03 . 2009-09-12 21:03 11876 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ekezono.vbs2009-09-12 21:03 . 2009-09-12 21:03 10668 ----a-w- c:\documents and settings\Stephen Reid\Application Data\ekygak.vbs2009-09-11 09:24 . 2009-07-17 02:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-09-07 21:34 . 2009-09-07 21:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Apple Computer2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\program files\iTunes2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\iPod2009-09-07 21:33 . 2009-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple2009-09-07 21:33 . 2009-09-07 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\Bonjour2009-09-07 21:32 . 2006-02-16 09:56 -------- d-----w- c:\program files\QuickTime2009-09-07 21:26 . 2009-09-07 21:26 -------- d-----w- c:\program files\Apple Software Update2009-09-07 21:25 . 2009-09-07 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple2009-09-01 00:08 . 2009-05-04 11:18 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\HPAppData2009-08-25 19:23 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information2009-08-25 19:19 . 2009-08-22 23:25 -------- d-----w- c:\program files\Microsoft Games2009-08-22 23:28 . 2009-08-22 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial2009-08-22 20:57 . 2009-05-22 01:46 -------- d-----w- c:\program files\Common Files\LogiShrd2009-08-10 09:53 . 2009-08-10 09:53 20480 ------w- c:\windows\system32\SKYNETarowrhyg.dll2009-08-10 09:53 . 2009-08-10 09:53 70656 ----a-w- c:\windows\system32\drivers\SKYNETsmykyorn.sys2009-08-10 09:53 . 2009-08-10 09:53 44544 ------w- c:\windows\system32\SKYNETttquvppe.dll2009-08-05 09:11 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-29 19:28 . 2009-05-30 07:58 -------- d-----w- c:\program files\PopCap Games2009-07-29 19:26 . 2009-04-06 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo2009-07-24 10:34 . 2006-02-18 15:00 -------- d-----w- c:\program files\GemMaster2009-07-24 06:43 . 2009-07-24 06:28 25 ----a-w- c:\windows\popcinfot.dat2009-07-24 06:27 . 2009-07-24 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\PopCap Games2009-07-20 10:45 . 2009-07-11 08:24 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys2009-07-20 10:45 . 2009-07-11 08:24 189488 ----a-w- c:\windows\system32\PnkBstrB.exe2009-07-17 18:55 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll2009-07-13 17:08 . 2006-02-15 14:05 286720 ----a-w- c:\windows\system32\wmpdxm.dll2009-07-11 08:24 . 2009-07-11 08:24 139152 ----a-w- c:\documents and settings\Stephen Reid\Application Data\PnkBstrK.sys2009-07-11 08:24 . 2009-07-11 08:24 794408 ----a-w- c:\windows\system32\pbsvc.exe2009-07-11 08:24 . 2009-07-11 08:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe2009-06-29 16:12 . 2006-02-15 14:04 827392 ----a-w- c:\windows\system32\wininet.dll2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll2009-06-29 16:12 . 2006-02-15 14:02 17408 ------w- c:\windows\system32\corpol.dll2009-06-25 18:36 . 2006-02-15 14:03 95744 ----a-w- c:\windows\system32\mqsec.dll2009-06-25 18:36 . 2006-02-15 14:03 517120 ----a-w- c:\windows\system32\mqsnap.dll2009-06-25 18:36 . 2006-02-15 14:03 48640 ----a-w- c:\windows\system32\mqupgrd.dll2009-06-25 18:36 . 2006-02-15 14:03 471552 ----a-w- c:\windows\system32\mqutil.dll2009-06-25 18:36 . 2006-02-15 14:03 186880 ----a-w- c:\windows\system32\mqtrig.dll2009-06-25 18:36 . 2006-02-15 14:03 177152 ----a-w- c:\windows\system32\mqrt.dll2009-06-25 18:36 . 2006-02-15 14:03 123392 ----a-w- c:\windows\system32\mqrtdep.dll2009-06-25 18:36 . 2006-02-15 14:03 661504 ----a-w- c:\windows\system32\mqqm.dll2009-06-25 18:36 . 2006-02-15 14:03 47104 ----a-w- c:\windows\system32\mqdscli.dll2009-06-25 18:36 . 2006-02-15 14:03 225280 ----a-w- c:\windows\system32\mqoa.dll2009-06-25 18:36 . 2006-02-15 14:03 16896 ----a-w- c:\windows\system32\mqise.dll2009-06-25 18:36 . 2006-02-15 14:03 138240 ----a-w- c:\windows\system32\mqad.dll2009-06-25 08:17 . 2006-02-15 14:04 59392 ----a-w- c:\windows\system32\wdigest.dll2009-06-25 08:17 . 2006-02-15 14:03 56320 ----a-w- c:\windows\system32\secur32.dll2009-06-25 08:17 . 2006-02-15 14:03 168448 ----a-w- c:\windows\system32\schannel.dll2009-06-25 08:17 . 2006-02-15 14:03 136192 ----a-w- c:\windows\system32\msv1_0.dll2009-06-25 08:17 . 2006-02-15 14:02 729600 ----a-w- c:\windows\system32\lsasrv.dll2009-06-25 08:17 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\fahisili.dll2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\hanelawi.dll.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\af49317e-6a14-4015-8442-b9c13b4491cf.exe" [2009-09-04 1994480]"cdloader"="c:\documents and settings\Stephen Reid\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]"jidoridow"="c:\windows\system32\fevusota.dll" [2009-09-21 87552]"TFncKy"="TFncKy.exe" [bU]"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]"NDSTray.exe"="NDSTray.exe" [bU]"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]"CFSServ.exe"="CFSServ.exe" [bU]"vomiguheme"="fahisili.dll" - c:\windows\system32\fahisili.dll [2009-06-21 49152]c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]"{3c72b957-1a9d-489b-8599-9bb96c15d007}"= "c:\windows\system32\fevusota.dll" [2009-09-21 87552][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"hevamulaj"= {3c72b957-1a9d-489b-8599-9bb96c15d007} - c:\windows\system32\fevusota.dll [2009-09-21 87552][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\sdra64.exe,"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=1 (0x1)[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]Notification Packages REG_MULTI_SZ scecli fahisili.dll hanelawi.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]"EnableFirewall"= 0 (0x0)[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"="c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\ijji\\ENGLISH\\u_gbound.exe"="c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"="c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\WINDOWS\\system32\\rtcshare.exe"="c:\\Program Files\\NetMeeting\\conf.exe"="c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\WINDOWS\\system32\\dpvsetup.exe"="c:\\WINDOWS\\system32\\rundll32.exe"="c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"="c:\\Program Files\\Warcraft III\\Warcraft III.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\Stephen Reid\\Application Data\\mjusbsp\\magicJack.exe"="c:\\WINDOWS\\system32\\lsass.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"56477:TCP"= 56477:TCP:Pando Media Booster"56477:UDP"= 56477:UDP:Pando Media BoosterR1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/12/2009 3:39 PM 108289]S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> C:c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]S2 ezjqasr;ezjqasr;c:\windows\system32\drivers\prcjjli.sys --> c:\windows\system32\drivers\prcjjli.sys [?]S2 fyjxwqs;fyjxwqs;c:\windows\system32\drivers\pbie.sys --> c:\windows\system32\drivers\pbie.sys [?]S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2/15/2006 7:03 AM 2304]S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/15/2006 7:04 AM 14336]S4 xvpwun;xvpwun;\??\c:\windows\system32\drivers\xjehpubegdv.sys --> c:\windows\system32\drivers\xjehpubegdv.sys [?][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsBtwSrv[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ea8bdd27-a4ac-11de-9936-00038a000015}]\Shell\AutoRun\command - E:\autorun.exe\Shell\phone\command - E:\autorun.exe.Contents of the 'Scheduled Tasks' folder2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.commStart Page = hxxp://www.google.comuInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstartuInternet Settings,ProxyOverride = *.localIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dllFF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dllFF - plugin: c:\documents and settings\Stephen Reid\Application Data\Move Networks\plugins\npqmp071503000010.dllFF - plugin: c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll.- - - - ORPHANS REMOVED - - - -BHO-{cea18b11-bc29-4514-88c0-181bbc858c9f} - dumibimo.dllToolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)Toolbar-SITEguard - (no file)WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)HKU-Default-Run-AntiSpyware Service - c:\windows\TEMP\x5q48rt7d.exeAddRemove-Power Saver - c:\windows\IsUninst.exe -fc:\program files\TOSHIBA\Power Saver\Uninst.isuAddRemove-{20B30DC1-E423-4939-B51D-05C58B0F9BBB} - c:\program files\HP\Digital Imaging\{20B30DC1-E423-4939-B51D-05C58B0F9BBB}\setup\hpzscr01.exe -datfile hposcr21.datAddRemove-Warcraft III - c:\windows\War3Unin.exe**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-09-21 16:55Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]"ImagePath"="c:\windows\system32\GameMon.des -service"[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SKYNETqohmnmwx]"imagepath"="\systemroot\system32\drivers\SKYNETsmykyorn.sys".--------------------- LOCKED REGISTRY KEYS ---------------------[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SKYNETqohmnmwx]@DACL=(02 0000)"start"=dword:00000004"type"=dword:00000001"group"="file system""imagepath"=expand:"\\systemroot\\system32\\drivers\\SKYNETsmykyorn.sys".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(764)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\WININET.dll- - - - - - - > 'lsass.exe'(820)c:\windows\system32\fahisili.dllc:\windows\system32\hanelawi.dllc:\windows\system32\wininet.dll- - - - - - - > 'explorer.exe'(5388)c:\windows\system32\WININET.dllc:\windows\system32\fahisili.dllc:\windows\system32\fevusota.dllc:\windows\system32\TDispVol.dllc:\windows\system32\msi.dllc:\windows\system32\ieframe.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\AOL\ACS\AOLacsd.exec:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exec:\program files\Bonjour\mDNSResponder.exec:\program files\TOSHIBA\ConfigFree\CFSvcs.exec:\windows\system32\DVDRAMSV.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\PnkBstrA.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exec:\windows\ehome\mcrdsvc.exec:\program files\Synaptics\SynTP\Toshiba.exec:\windows\system32\TPSBattM.exec:\program files\TOSHIBA\ConfigFree\CFSServ.exec:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exec:\windows\system32\dllhost.exec:\program files\iPod\bin\iPodService.exec:\windows\ehome\ehmsas.exec:\program files\Skype\Plugin Manager\skypePM.exec:\program files\HP\Digital Imaging\bin\hpqste08.exec:\program files\HP\Digital Imaging\bin\hpqbam08.exec:\program files\HP\Digital Imaging\bin\hpqgpc01.exe.**************************************************************************.Completion time: 2009-09-21 16:59 - machine was rebootedComboFix-quarantined-files.txt 2009-09-21 23:59Pre-Run: 74,675,957,760 bytes freePost-Run: 75,889,446,912 bytes freeCurrent=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4415 --- E O F --- 2009-09-14 10:00 Link to post Share on other sites More sharing options...
LonnyRJ Posted September 22, 2009 ID:131177 Share Posted September 22, 2009 Are you having connection problems ?Run combofix again while connected, when it prompts about an update let it update.Post the Log again. Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 22, 2009 Author ID:131334 Share Posted September 22, 2009 Here you go pal ComboFix 09-09-22.01 - Stephen Reid 09/22/2009 13:12.2.2 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.241 [GMT -7:00]Running from: c:\documents and settings\Stephen Reid\Desktop\ComboFix.exeAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\All Users\Application Data\biguhezex.infc:\documents and settings\All Users\Application Data\dyhupypa.sysc:\documents and settings\All Users\Application Data\erih.batc:\documents and settings\All Users\Application Data\ikoq.batc:\documents and settings\All Users\Application Data\jymum.infc:\documents and settings\All Users\Application Data\yxuhek.vbsc:\documents and settings\All Users\Application Data\zasuwas.binc:\documents and settings\All Users\Documents\awavav._dlc:\documents and settings\All Users\Documents\cijoxoh.infc:\documents and settings\All Users\Documents\ejepasa.dllc:\documents and settings\All Users\Documents\iqexydoby.infc:\documents and settings\All Users\Documents\iqyhyzir.banc:\documents and settings\All Users\Documents\niwunax.infc:\documents and settings\All Users\Documents\umebejyd.batc:\documents and settings\All Users\Documents\uxaqa.regc:\documents and settings\Stephen Reid\Application Data\ekezono.vbsc:\documents and settings\Stephen Reid\Application Data\ekygak.vbsc:\documents and settings\Stephen Reid\Application Data\emyzedelyz.pifc:\documents and settings\Stephen Reid\Application Data\imomu.comc:\documents and settings\Stephen Reid\Application Data\kijanezuk.binc:\documents and settings\Stephen Reid\Application Data\mojowy.comc:\documents and settings\Stephen Reid\Application Data\ukuc.sysc:\documents and settings\Stephen Reid\Application Data\ymuqad.dllc:\documents and settings\Stephen Reid\Cookies\sygisysyno._dlc:\documents and settings\Stephen Reid\Cookies\upysaqen.dlc:\documents and settings\Stephen Reid\Local Settings\Application Data\hokuwawy.infc:\documents and settings\Stephen Reid\Local Settings\Application Data\ivawyjewe.binc:\documents and settings\Stephen Reid\Local Settings\Application Data\jubynon.dlc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\akyxyxeji.dllc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\ijjistarter_verinfo.datc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\ived.vbsc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\nacality.libc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\nojagosuna.batc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\obidyk.banc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\orydu.batc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\savynywyn.pifc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\suqotoj.batc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\utap.pifc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\xekuki._syc:\documents and settings\Stephen Reid\Local Settings\Temporary Internet Files\yzapyzanu.libc:\program files\Common Files\depod.comc:\program files\Common Files\enyna.batc:\program files\Common Files\fudoly.infc:\program files\Common Files\lecypijafi.scrc:\program files\Common Files\oxyza.dlc:\program files\Common Files\uzijuda.dllc:\program files\Common Files\xixicu.sysc:\program files\Common Files\ycisobevus.sysc:\windows\aborujary.sysc:\windows\apucas.exec:\windows\duqi.banc:\windows\gupuc.scrc:\windows\hofuc.banc:\windows\Installer\441c572.msic:\windows\Installer\9bffb.msic:\windows\osemokaqy.infc:\windows\sofa.banc:\windows\system32\18467.exec:\windows\system32\41.exec:\windows\system32\6334.exec:\windows\system32\drivers\SKYNETsmykyorn.sysc:\windows\system32\fazibu.batc:\windows\system32\fezijepa.dllc:\windows\system32\iniasd.txtc:\windows\system32\jakibise.dllc:\windows\system32\parodupa.dllc:\windows\system32\qubi.pifc:\windows\system32\SKYNETalihyxen.datc:\windows\system32\SKYNETarowrhyg.dllc:\windows\system32\SKYNETpumihtvc.datc:\windows\system32\SKYNETttquvppe.dllc:\windows\system32\tewohisowy.pifc:\windows\system32\yoharoyi.dllc:\windows\tycu.exec:\windows\unaper.banc:\windows\xacuze.reg.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_6TO4-------\Legacy_SKYNETqohmnmwx-------\Legacy_UACD.SYS-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}-------\Service_SKYNETqohmnmwx((((((((((((((((((((((((( Files Created from 2009-08-22 to 2009-09-22 ))))))))))))))))))))))))))))))).2009-09-21 21:25 . 2009-09-21 21:25 11045 ----a-w- c:\windows\qypyd.com2009-09-21 21:15 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-21 21:15 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-09-21 21:07 . 2009-09-21 21:07 -------- d-----w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\tjnet2009-09-21 17:12 . 2009-09-21 17:12 49152 ----a-w- C:\hwdgqmcw.exe2009-09-19 02:25 . 2009-09-22 04:57 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\mjusbsp2009-09-13 01:35 . 2009-09-13 01:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple2009-09-12 22:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-09-12 22:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-09-12 22:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-09-12 22:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\program files\Avira2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-09-12 22:38 . 2009-09-12 22:38 -------- d-----w- c:\program files\Trend Micro2009-09-12 21:56 . 2009-09-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard2009-09-12 21:54 . 2009-09-17 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!2009-09-12 21:54 . 2009-09-12 21:54 -------- d-----w- c:\program files\Common Files\iS32009-09-12 21:48 . 2009-09-12 21:48 18565 ----a-w- c:\windows\sycapyvac.dat2009-09-12 21:41 . 2009-09-12 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com2009-09-12 21:40 . 2009-09-12 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes2009-09-12 21:38 . 2009-09-12 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla2009-09-12 21:20 . 2009-09-12 21:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard2009-09-12 21:09 . 2009-09-12 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe2009-09-12 20:31 . 2009-09-12 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files2009-09-12 00:38 . 2009-09-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab2009-09-10 22:01 . 2009-09-11 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS2009-09-09 06:11 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll2009-09-06 22:10 . 2009-09-06 22:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment2009-09-04 18:25 . 2009-09-18 08:25 45 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences2.dat2009-08-27 22:12 . 2009-09-11 03:59 -------- d-----w- c:\program files\Warcraft III2009-08-23 23:20 . 2009-08-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 YPack Trial2009-08-23 23:18 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\PlaneShift2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\CrystalSpace2009-08-23 22:32 . 2009-08-23 22:42 -------- d-----w- c:\program files\PlaneShift Steel Blue2009-08-23 22:18 . 2009-08-23 22:18 -------- d-----w- c:\program files\Guild Wars.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-09-22 20:15 . 2009-04-20 17:33 -------- d-----w- c:\program files\SUPERAntiSpyware2009-09-22 20:12 . 2009-05-25 19:31 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Skype2009-09-22 15:02 . 2009-05-25 19:37 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\skypePM2009-09-22 09:12 . 2009-06-22 09:12 49664 --sha-w- c:\windows\system32\rikosego.dll2009-09-22 09:12 . 2009-06-22 09:12 87552 --sha-w- c:\windows\system32\nakuwiyi.dll2009-09-21 21:25 . 2009-09-21 21:25 11490 ----a-w- c:\program files\Common Files\fyno._sy2009-09-21 21:14 . 2009-06-21 21:14 87552 ------w- c:\windows\system32\fevusota.dll2009-09-18 08:25 . 2009-04-04 08:33 37 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences.dat2009-09-17 20:29 . 2006-02-16 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com2009-09-16 02:27 . 2009-09-16 02:26 3296 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg2009-09-16 02:26 . 2009-09-16 02:26 2464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg2009-09-11 09:24 . 2009-07-17 02:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-09-07 21:34 . 2009-09-07 21:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Apple Computer2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\program files\iTunes2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\iPod2009-09-07 21:33 . 2009-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple2009-09-07 21:33 . 2009-09-07 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\Bonjour2009-09-07 21:32 . 2006-02-16 09:56 -------- d-----w- c:\program files\QuickTime2009-09-07 21:26 . 2009-09-07 21:26 -------- d-----w- c:\program files\Apple Software Update2009-09-07 21:25 . 2009-09-07 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple2009-09-01 00:08 . 2009-05-04 11:18 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\HPAppData2009-08-25 19:23 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information2009-08-25 19:19 . 2009-08-22 23:25 -------- d-----w- c:\program files\Microsoft Games2009-08-22 23:28 . 2009-08-22 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial2009-08-22 20:57 . 2009-05-22 01:46 -------- d-----w- c:\program files\Common Files\LogiShrd2009-08-05 09:11 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-29 19:28 . 2009-05-30 07:58 -------- d-----w- c:\program files\PopCap Games2009-07-29 19:26 . 2009-04-06 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo2009-07-24 06:43 . 2009-07-24 06:28 25 ----a-w- c:\windows\popcinfot.dat2009-07-20 10:45 . 2009-07-11 08:24 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys2009-07-20 10:45 . 2009-07-11 08:24 189488 ----a-w- c:\windows\system32\PnkBstrB.exe2009-07-17 18:55 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll2009-07-13 17:08 . 2006-02-15 14:05 286720 ----a-w- c:\windows\system32\wmpdxm.dll2009-07-11 08:24 . 2009-07-11 08:24 139152 ----a-w- c:\documents and settings\Stephen Reid\Application Data\PnkBstrK.sys2009-07-11 08:24 . 2009-07-11 08:24 794408 ----a-w- c:\windows\system32\pbsvc.exe2009-07-11 08:24 . 2009-07-11 08:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe2009-06-29 16:12 . 2006-02-15 14:04 827392 ------w- c:\windows\system32\wininet.dll2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll2009-06-29 16:12 . 2006-02-15 14:02 17408 ------w- c:\windows\system32\corpol.dll2009-06-25 18:36 . 2006-02-15 14:03 95744 ----a-w- c:\windows\system32\mqsec.dll2009-06-25 18:36 . 2006-02-15 14:03 517120 ----a-w- c:\windows\system32\mqsnap.dll2009-06-25 18:36 . 2006-02-15 14:03 48640 ----a-w- c:\windows\system32\mqupgrd.dll2009-06-25 18:36 . 2006-02-15 14:03 471552 ----a-w- c:\windows\system32\mqutil.dll2009-06-25 18:36 . 2006-02-15 14:03 186880 ----a-w- c:\windows\system32\mqtrig.dll2009-06-25 18:36 . 2006-02-15 14:03 177152 ----a-w- c:\windows\system32\mqrt.dll2009-06-25 18:36 . 2006-02-15 14:03 123392 ----a-w- c:\windows\system32\mqrtdep.dll2009-06-25 18:36 . 2006-02-15 14:03 661504 ----a-w- c:\windows\system32\mqqm.dll2009-06-25 18:36 . 2006-02-15 14:03 47104 ----a-w- c:\windows\system32\mqdscli.dll2009-06-25 18:36 . 2006-02-15 14:03 225280 ----a-w- c:\windows\system32\mqoa.dll2009-06-25 18:36 . 2006-02-15 14:03 16896 ----a-w- c:\windows\system32\mqise.dll2009-06-25 18:36 . 2006-02-15 14:03 138240 ----a-w- c:\windows\system32\mqad.dll2009-06-25 08:17 . 2006-02-15 14:04 59392 ----a-w- c:\windows\system32\wdigest.dll2009-06-25 08:17 . 2006-02-15 14:03 56320 ----a-w- c:\windows\system32\secur32.dll2009-06-25 08:17 . 2006-02-15 14:03 168448 ----a-w- c:\windows\system32\schannel.dll2009-06-25 08:17 . 2006-02-15 14:03 136192 ----a-w- c:\windows\system32\msv1_0.dll2009-06-25 08:17 . 2006-02-15 14:02 729600 ----a-w- c:\windows\system32\lsasrv.dll2009-06-25 08:17 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\fahisili.dll.tmp2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\hanelawi.dll.tmp2009-06-22 09:13 . 2009-06-22 09:13 49664 --sha-w- c:\windows\system32\witiwegu.dll.((((((((((((((((((((((((((((( SnapShot@2009-09-21_23.56.08 ))))))))))))))))))))))))))))))))))))))))).+ 2009-09-22 20:20 . 2009-09-22 20:20 16384 c:\windows\temp\Perflib_Perfdata_230.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cea18b11-bc29-4514-88c0-181bbc858c9f}]2009-06-22 09:13 49664 --sha-w- c:\windows\system32\witiwegu.dll[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\af49317e-6a14-4015-8442-b9c13b4491cf.exe" [2009-09-04 1994480]"cdloader"="c:\documents and settings\Stephen Reid\Application Data\mjusbsp\cdloader2.exe" [2009-08-01 50520]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]"jidoridow"="c:\windows\system32\nakuwiyi.dll" [2009-09-22 87552]"TFncKy"="TFncKy.exe" [bU]"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]"NDSTray.exe"="NDSTray.exe" [bU]"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]"CFSServ.exe"="CFSServ.exe" [bU]c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]"{2faad82f-36d8-4d4c-9f9f-7e9650c7c6f1}"= "c:\windows\system32\nakuwiyi.dll" [2009-09-22 87552][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"relejogag"= {2faad82f-36d8-4d4c-9f9f-7e9650c7c6f1} - c:\windows\system32\nakuwiyi.dll [2009-09-22 87552][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=1 (0x1)[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"="c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\ijji\\ENGLISH\\u_gbound.exe"="c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"="c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\WINDOWS\\system32\\rtcshare.exe"="c:\\Program Files\\NetMeeting\\conf.exe"="c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\WINDOWS\\system32\\dpvsetup.exe"="c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"="c:\\Program Files\\Warcraft III\\Warcraft III.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Documents and Settings\\Stephen Reid\\Application Data\\mjusbsp\\magicJack.exe"="c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"56477:TCP"= 56477:TCP:Pando Media Booster"56477:UDP"= 56477:UDP:Pando Media BoosterR1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/12/2009 3:39 PM 108289]S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> C:c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]S2 ezjqasr;ezjqasr;c:\windows\system32\drivers\prcjjli.sys --> c:\windows\system32\drivers\prcjjli.sys [?]S2 fyjxwqs;fyjxwqs;c:\windows\system32\drivers\pbie.sys --> c:\windows\system32\drivers\pbie.sys [?]S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2/15/2006 7:03 AM 2304]S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/15/2006 7:04 AM 14336]S4 xvpwun;xvpwun;\??\c:\windows\system32\drivers\xjehpubegdv.sys --> c:\windows\system32\drivers\xjehpubegdv.sys [?][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsBtwSrv.Contents of the 'Scheduled Tasks' folder2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.commStart Page = hxxp://www.google.comuInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstartuInternet Settings,ProxyOverride = *.localIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dllFF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dllFF - plugin: c:\documents and settings\Stephen Reid\Application Data\Move Networks\plugins\npqmp071503000010.dllFF - plugin: c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll.- - - - ORPHANS REMOVED - - - -HKLM-Run-vomiguheme - fezijepa.dll**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-09-22 13:21Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]"ImagePath"="c:\windows\system32\GameMon.des -service".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(948)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\WININET.dll- - - - - - - > 'explorer.exe'(1076)c:\windows\system32\WININET.dllc:\windows\system32\nakuwiyi.dllc:\windows\system32\TDispVol.dllc:\windows\system32\msi.dllc:\windows\system32\ieframe.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLLc:\program files\SUPERAntiSpyware\SASSEH.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\AOL\ACS\AOLacsd.exec:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exec:\program files\Bonjour\mDNSResponder.exec:\program files\TOSHIBA\ConfigFree\CFSvcs.exec:\windows\system32\DVDRAMSV.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\PnkBstrA.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exec:\windows\ehome\mcrdsvc.exec:\program files\Synaptics\SynTP\Toshiba.exec:\windows\system32\TPSBattM.exec:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exec:\windows\system32\dllhost.exec:\program files\iPod\bin\iPodService.exec:\windows\ehome\ehmsas.exec:\windows\system32\wscntfy.exec:\program files\HP\Digital Imaging\bin\hpqste08.exec:\program files\HP\Digital Imaging\bin\hpqbam08.exec:\program files\HP\Digital Imaging\bin\hpqgpc01.exec:\program files\Skype\Plugin Manager\skypePM.exe.**************************************************************************.Completion time: 2009-09-22 13:26 - machine was rebootedComboFix-quarantined-files.txt 2009-09-22 20:26ComboFix2.txt 2009-09-21 23:59Pre-Run: 75,848,577,024 bytes freePost-Run: 75,687,084,032 bytes freeWindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe[boot loader]timeout=2default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS[operating systems]c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdconsmulti(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetectCurrent=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4428 --- E O F --- 2009-09-14 10:00 Link to post Share on other sites More sharing options...
LonnyRJ Posted September 22, 2009 ID:131381 Share Posted September 22, 2009 Open a command prompt and typeSC query EVENTLOGWhat do you see ?Launch Notepad (Important, not wordpad or other third party text editor), and copy and paste the contents of the code box below into a new text file. (dont include the word code)Save it as file name: cfscript.txthttp://www.malwarebytes.org/forums/index.php?showtopic=24484&view=getnewpostfile::c:\windows\qypyd.comC:\hwdgqmcw.exec:\windows\sycapyvac.datc:\program files\Common Files\fyno._sycollect::c:\windows\system32\fevusota.dllc:\windows\system32\nakuwiyi.dllc:\windows\system32\rikosego.dllc:\windows\system32\witiwegu.dllc:\windows\system32\drivers\xjehpubegdv.sysc:\windows\system32\drivers\pbie.sysc:\windows\system32\drivers\prcjjli.syssuspect::c:\windows\system32\mfsdisk.sysfolder::c:\documents and settings\Stephen Reid\Application Data\mjusbspregistry::[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cea18b11-bc29-4514-88c0-181bbc858c9f}][HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"cdloader"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"jidoridow"=-[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]"{2faad82f-36d8-4d4c-9f9f-7e9650c7c6f1}"=-[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"relejogag"=-[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]"LoadAppInit_DLLs"=-driver::xvpwunfyjxwqsezjqasrKillall::As in the picture above drag and drop cfscript.txt onto combofix.exeWhen it is finished a text will open, post it.Additonally, ComboFix attempt to submit samples, click ok when connected.In the event there is a problem auto-submitting the file do so yourself by double clicking on c:\CF-Submit.htm Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 23, 2009 Author ID:131420 Share Posted September 23, 2009 After typing in SC query EVENTLOG------------------------------------------------------------------Microsoft Windows XP [Version 5.1.2600]© Copyright 1985-2001 Microsoft Corp.C:\Documents and Settings\Stephen Reid>SC query EVENTLOGSERVICE_NAME: EVENTLOG TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0C:\Documents and Settings\Stephen Reid>-------------------------------------------------------------------------------------------------------------------------------------Text after Scan ------------------------------------------------------------------------------------------------------------------------------------ComboFix 09-09-22.02 - Stephen Reid 09/22/2009 16:47.3.2 - NTFSx86Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.328 [GMT -7:00]Running from: c:\documents and settings\Stephen Reid\Desktop\ComboFix.exeCommand switches used :: c:\documents and settings\Stephen Reid\Desktop\cfscript.txtAV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}FILE ::"C:\hwdgqmcw.exe""c:\program files\Common Files\fyno._sy""c:\windows\qypyd.com""c:\windows\sycapyvac.dat"file zipped: c:\windows\system32\nakuwiyi.dllfile zipped: c:\windows\system32\rikosego.dllfile zipped: c:\windows\system32\witiwegu.dllfile zipped: c:\windows\system32\mfsdisk.sys.((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))).c:\documents and settings\Stephen Reid\Application Data\mjusbspc:\documents and settings\Stephen Reid\Application Data\mjusbsp\_911offline.htmlc:\documents and settings\Stephen Reid\Application Data\mjusbsp\_shuttingdown.htmlc:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\install.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\magicJack.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\magicJackSplash.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\mjsetup.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\splash.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\ar00000\WarningMJCouldNotStart.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\big.sknc:\documents and settings\Stephen Reid\Application Data\mjusbsp\cdloader2.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\closeWindow.pngc:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\magicJack.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\magicJackSplash.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\mjsetup.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\setup.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\splash.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\in00000\WarningMJCouldNotStart.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\Loader.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJack.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJack.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJackLoader.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\magicJackSplash.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\mainBannerOffline.htmlc:\documents and settings\Stephen Reid\Application Data\mjusbsp\octvqe1_apiw.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\SJHandsetMagicJack.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\small.sknc:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\magicJack.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\magicJackSplash.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\mjsetup.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\splash.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\st00000\WarningMJCouldNotStart.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\TjIpSys.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\TjVista.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\install.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\magicJack.dllc:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\magicJackSplash.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\setup.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\splash.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\ug00000\WarningMJCouldNotStart.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\install1.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\install1.inic:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\setup1.exec:\documents and settings\Stephen Reid\Application Data\mjusbsp\Upgrade\setup1.inic:\documents and settings\Stephen Reid\Application Data\mjusbsp\WarningMJCouldNotStart.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\WarningNoDeviceFound.gifc:\documents and settings\Stephen Reid\Application Data\mjusbsp\wroffline.htmlc:\documents and settings\Stephen Reid\Application Data\mjusbsp\wroffline1.htmlC:\hwdgqmcw.exec:\program files\Common Files\fyno._syc:\windows\qypyd.comc:\windows\sycapyvac.datc:\windows\system32\nakuwiyi.dllc:\windows\system32\rikosego.dllc:\windows\system32\wawavara.dllc:\windows\system32\witiwegu.dll.((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))).-------\Legacy_XVPWUN-------\Service_ezjqasr-------\Service_fyjxwqs-------\Service_xvpwun((((((((((((((((((((((((( Files Created from 2009-08-23 to 2009-09-23 ))))))))))))))))))))))))))))))).2009-09-21 21:15 . 2009-09-10 21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys2009-09-21 21:15 . 2009-09-10 21:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys2009-09-21 21:15 . 2009-09-21 21:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware2009-09-21 21:07 . 2009-09-21 21:07 -------- d-----w- c:\documents and settings\Stephen Reid\Local Settings\Application Data\tjnet2009-09-13 01:35 . 2009-09-13 01:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple2009-09-12 22:39 . 2009-07-28 23:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys2009-09-12 22:39 . 2009-03-30 17:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys2009-09-12 22:39 . 2009-02-13 19:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys2009-09-12 22:39 . 2009-02-13 19:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\program files\Avira2009-09-12 22:39 . 2009-09-12 22:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira2009-09-12 22:38 . 2009-09-12 22:38 -------- d-----w- c:\program files\Trend Micro2009-09-12 21:56 . 2009-09-12 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard2009-09-12 21:54 . 2009-09-17 08:40 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!2009-09-12 21:54 . 2009-09-12 21:54 -------- d-----w- c:\program files\Common Files\iS32009-09-12 21:41 . 2009-09-12 21:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com2009-09-12 21:40 . 2009-09-12 21:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes2009-09-12 21:38 . 2009-09-12 21:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla2009-09-12 21:20 . 2009-09-12 21:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard2009-09-12 21:09 . 2009-09-12 21:09 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe2009-09-12 20:31 . 2009-09-12 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files2009-09-12 00:38 . 2009-09-18 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\myitlab2009-09-10 22:01 . 2009-09-11 09:05 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS2009-09-09 06:11 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll2009-09-06 22:10 . 2009-09-06 22:10 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment2009-09-04 18:25 . 2009-09-18 08:25 45 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences2.dat2009-08-27 22:12 . 2009-09-11 03:59 -------- d-----w- c:\program files\Warcraft III.(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))).2009-09-22 23:50 . 2009-04-20 17:33 -------- d-----w- c:\program files\SUPERAntiSpyware2009-09-22 23:43 . 2009-05-25 19:31 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Skype2009-09-22 23:05 . 2009-05-25 19:37 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\skypePM2009-09-22 21:12 . 2009-06-22 21:12 88064 --sha-w- c:\windows\system32\majubilu.dll2009-09-18 08:25 . 2009-04-04 08:33 37 ----a-w- c:\documents and settings\Stephen Reid\jagex_runescape_preferences.dat2009-09-17 20:29 . 2006-02-16 09:42 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee.com2009-09-16 02:27 . 2009-09-16 02:26 3296 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg2009-09-16 02:26 . 2009-09-16 02:26 2464 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg2009-09-11 09:24 . 2009-07-17 02:53 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP2009-09-07 21:34 . 2009-09-07 21:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\Apple Computer2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}2009-09-07 21:34 . 2009-09-07 21:33 -------- d-----w- c:\program files\iTunes2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\iPod2009-09-07 21:33 . 2009-09-07 21:25 -------- d-----w- c:\program files\Common Files\Apple2009-09-07 21:33 . 2009-09-07 21:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer2009-09-07 21:33 . 2009-09-07 21:33 -------- d-----w- c:\program files\Bonjour2009-09-07 21:32 . 2006-02-16 09:56 -------- d-----w- c:\program files\QuickTime2009-09-07 21:26 . 2009-09-07 21:26 -------- d-----w- c:\program files\Apple Software Update2009-09-07 21:25 . 2009-09-07 21:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple2009-09-01 00:08 . 2009-05-04 11:18 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\HPAppData2009-08-25 19:23 . 2006-02-15 16:20 -------- d--h--w- c:\program files\InstallShield Installation Information2009-08-25 19:19 . 2009-08-22 23:25 -------- d-----w- c:\program files\Microsoft Games2009-08-23 23:20 . 2009-08-23 23:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 YPack Trial2009-08-23 22:42 . 2009-08-23 22:32 -------- d-----w- c:\program files\PlaneShift Steel Blue2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\PlaneShift2009-08-23 22:34 . 2009-08-23 22:34 -------- d-----w- c:\documents and settings\Stephen Reid\Application Data\CrystalSpace2009-08-23 22:18 . 2009-08-23 22:18 -------- d-----w- c:\program files\Guild Wars2009-08-22 23:28 . 2009-08-22 23:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Age of Empires 3 XPack Trial2009-08-22 20:57 . 2009-05-22 01:46 -------- d-----w- c:\program files\Common Files\LogiShrd2009-08-05 09:11 . 2006-02-15 14:03 204800 ----a-w- c:\windows\system32\mswebdvd.dll2009-07-29 19:28 . 2009-05-30 07:58 -------- d-----w- c:\program files\PopCap Games2009-07-29 19:26 . 2009-04-06 01:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo2009-07-24 06:43 . 2009-07-24 06:28 25 ----a-w- c:\windows\popcinfot.dat2009-07-20 10:45 . 2009-07-11 08:24 139016 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys2009-07-20 10:45 . 2009-07-11 08:24 189488 ----a-w- c:\windows\system32\PnkBstrB.exe2009-07-17 18:55 . 2006-02-15 14:02 58880 ----a-w- c:\windows\system32\atl.dll2009-07-13 17:08 . 2006-02-15 14:05 286720 ----a-w- c:\windows\system32\wmpdxm.dll2009-07-11 08:24 . 2009-07-11 08:24 139152 ----a-w- c:\documents and settings\Stephen Reid\Application Data\PnkBstrK.sys2009-07-11 08:24 . 2009-07-11 08:24 794408 ----a-w- c:\windows\system32\pbsvc.exe2009-07-11 08:24 . 2009-07-11 08:24 75064 ----a-w- c:\windows\system32\PnkBstrA.exe2009-06-29 16:12 . 2006-02-15 14:04 827392 ------w- c:\windows\system32\wininet.dll2009-06-29 16:12 . 2006-02-15 14:02 78336 ----a-w- c:\windows\system32\ieencode.dll2009-06-29 16:12 . 2006-02-15 14:02 17408 ------w- c:\windows\system32\corpol.dll2009-06-25 18:36 . 2006-02-15 14:03 95744 ----a-w- c:\windows\system32\mqsec.dll2009-06-25 18:36 . 2006-02-15 14:03 517120 ----a-w- c:\windows\system32\mqsnap.dll2009-06-25 18:36 . 2006-02-15 14:03 48640 ----a-w- c:\windows\system32\mqupgrd.dll2009-06-25 18:36 . 2006-02-15 14:03 471552 ----a-w- c:\windows\system32\mqutil.dll2009-06-25 18:36 . 2006-02-15 14:03 186880 ----a-w- c:\windows\system32\mqtrig.dll2009-06-25 18:36 . 2006-02-15 14:03 177152 ----a-w- c:\windows\system32\mqrt.dll2009-06-25 18:36 . 2006-02-15 14:03 123392 ----a-w- c:\windows\system32\mqrtdep.dll2009-06-25 18:36 . 2006-02-15 14:03 661504 ----a-w- c:\windows\system32\mqqm.dll2009-06-25 18:36 . 2006-02-15 14:03 47104 ----a-w- c:\windows\system32\mqdscli.dll2009-06-25 18:36 . 2006-02-15 14:03 225280 ----a-w- c:\windows\system32\mqoa.dll2009-06-25 18:36 . 2006-02-15 14:03 16896 ----a-w- c:\windows\system32\mqise.dll2009-06-25 18:36 . 2006-02-15 14:03 138240 ----a-w- c:\windows\system32\mqad.dll2009-06-25 08:17 . 2006-02-15 14:04 59392 ----a-w- c:\windows\system32\wdigest.dll2009-06-25 08:17 . 2006-02-15 14:03 56320 ----a-w- c:\windows\system32\secur32.dll2009-06-25 08:17 . 2006-02-15 14:03 168448 ----a-w- c:\windows\system32\schannel.dll2009-06-25 08:17 . 2006-02-15 14:03 136192 ----a-w- c:\windows\system32\msv1_0.dll2009-06-25 08:17 . 2006-02-15 14:02 729600 ----a-w- c:\windows\system32\lsasrv.dll2009-06-25 08:17 . 2006-02-15 14:02 301568 ----a-w- c:\windows\system32\kerberos.dll2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\fahisili.dll.tmp2009-06-21 17:12 . 2009-06-21 17:12 49152 --sha-w- c:\windows\system32\hanelawi.dll.tmp.((((((((((((((((((((((((((((( SnapShot@2009-09-21_23.56.08 ))))))))))))))))))))))))))))))))))))))))).+ 2009-09-22 23:53 . 2009-09-22 23:53 16384 c:\windows\temp\Perflib_Perfdata_7a8.dat.((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))..*Note* empty entries & legit default entries are not shown REGEDIT4[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-16 24264488]"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\af49317e-6a14-4015-8442-b9c13b4491cf.exe" [2009-09-04 1994480]"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]"dla"="c:\windows\system32\dla\DLACTRLW.exe" [2005-10-06 122940]"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-28 148888]"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]"jidoridow"="c:\windows\system32\majubilu.dll" [2009-09-22 88064]"TFncKy"="TFncKy.exe" [bU]"TDispVol"="TDispVol.exe" - c:\windows\system32\TDispVol.exe [2005-03-11 73728]"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-10-15 88203]"NDSTray.exe"="NDSTray.exe" [bU]"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-06-01 282624]"CFSServ.exe"="CFSServ.exe" [bU]"vomiguheme"="fezijepa.dll" [bU]c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648][HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]"NoSetActiveDesktop"= 1 (0x1)"NoActiveDesktopChanges"= 1 (0x1)[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]"{42ee3da9-7d44-4012-b3bf-85aa0a10e1c7}"= "c:\windows\system32\majubilu.dll" [2009-09-22 88064][hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824][HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]"minefivom"= {42ee3da9-7d44-4012-b3bf-85aa0a10e1c7} - c:\windows\system32\majubilu.dll [2009-09-22 88064][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll[HKEY_LOCAL_MACHINE\software\microsoft\security center]"UpdatesDisableNotify"=dword:00000001[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]"%windir%\\system32\\sessmgr.exe"="c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"="c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="c:\\Program Files\\America Online 9.0\\waol.exe"="c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="c:\\Program Files\\Common Files\\AOL\\1140083713\\EE\\AOLServiceHost.exe"="c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="c:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="c:\\Program Files\\Messenger\\msmsgs.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe"="c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"="c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="c:\\ijji\\ENGLISH\\u_gbound.exe"="c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"="c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"="c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="c:\\Program Files\\Mozilla Firefox\\firefox.exe"="c:\\WINDOWS\\system32\\rtcshare.exe"="c:\\Program Files\\NetMeeting\\conf.exe"="c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"="c:\\WINDOWS\\system32\\PnkBstrA.exe"="c:\\WINDOWS\\system32\\PnkBstrB.exe"="c:\\WINDOWS\\system32\\dpvsetup.exe"="c:\\Program Files\\Microsoft Games\\Age of Empires III - The WarChiefs Trial\\age3x.exe"="c:\\Program Files\\Warcraft III\\Warcraft III.exe"="c:\\Program Files\\Bonjour\\mDNSResponder.exe"="c:\\Program Files\\iTunes\\iTunes.exe"="c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"="c:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe"="c:\\Program Files\\Skype\\Phone\\Skype.exe"=[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]"56477:TCP"= 56477:TCP:Pando Media Booster"56477:UDP"= 56477:UDP:Pando Media BoosterR1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [9/4/2009 2:49 PM 74480]R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [9/12/2009 3:39 PM 108289]S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]S1 SASDIFSV;SASDIFSV;\??\c:\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> C:c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]S3 mfsdisk;mfsdisk;c:\windows\system32\mfsdisk.sys [2/15/2006 7:03 AM 2304]S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [9/4/2009 2:50 PM 7408]S4 BtwSrv;BtwSrv;c:\windows\system32\svchost.exe -k netsvcs [2/15/2006 7:04 AM 14336][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvcHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcsBtwSrv.Contents of the 'Scheduled Tasks' folder2009-09-13 c:\windows\Tasks\AppleSoftwareUpdate.job- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]..------- Supplementary Scan -------.uStart Page = hxxp://www.google.commStart Page = hxxp://www.google.comuInternet Connection Wizard,ShellNext = hxxp://www.toshibadirect.com/dpdstartuInternet Settings,ProxyOverride = *.localIE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000FF - ProfilePath - c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dllFF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dllFF - plugin: c:\documents and settings\Stephen Reid\Application Data\Move Networks\plugins\npqmp071503000010.dllFF - plugin: c:\documents and settings\Stephen Reid\Application Data\Mozilla\Firefox\Profiles\s3y4kzv2.default\extensions\justintvpublisher@justin.tv\platform\WINNT_x86-msvc\plugins\npjustintvpublish.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dllFF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dllFF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll.**************************************************************************catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2009-09-22 17:06Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfullyhidden files: 0**************************************************************************[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]"ImagePath"="c:\windows\system32\GameMon.des -service".--------------------- DLLs Loaded Under Running Processes ---------------------- - - - - - - > 'winlogon.exe'(948)c:\program files\SUPERAntiSpyware\SASWINLO.dllc:\windows\system32\WININET.dll- - - - - - - > 'explorer.exe'(2360)c:\windows\system32\WININET.dllc:\windows\system32\majubilu.dllc:\windows\system32\TDispVol.dllc:\windows\system32\ieframe.dllc:\windows\system32\msi.dllc:\windows\system32\TPwrCfg.DLLc:\windows\system32\TPwrReg.dllc:\windows\system32\TPSTrace.DLL.------------------------ Other Running Processes ------------------------.c:\program files\Intel\Wireless\Bin\EvtEng.exec:\program files\Intel\Wireless\Bin\S24EvMon.exec:\program files\Avira\AntiVir Desktop\avguard.exec:\program files\Common Files\AOL\ACS\AOLacsd.exec:\program files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exec:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exec:\program files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exec:\program files\Bonjour\mDNSResponder.exec:\program files\TOSHIBA\ConfigFree\CFSvcs.exec:\windows\system32\DVDRAMSV.exec:\windows\ehome\ehrecvr.exec:\windows\ehome\ehSched.exec:\program files\Java\jre6\bin\jqs.exec:\windows\system32\PnkBstrA.exec:\program files\Intel\Wireless\Bin\RegSrvc.exec:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exec:\toshiba\IVP\swupdate\swupdtmr.exec:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exec:\windows\ehome\mcrdsvc.exec:\windows\system32\dllhost.exec:\program files\TOSHIBA\TOSHIBA Controls\TFncKy.exec:\windows\ehome\ehmsas.exec:\program files\Synaptics\SynTP\Toshiba.exec:\windows\system32\TPSBattM.exec:\progra~1\Intel\Wireless\Bin\Dot1XCfg.exec:\program files\iPod\bin\iPodService.exec:\windows\system32\wscntfy.exec:\program files\HP\Digital Imaging\bin\hpqste08.exec:\program files\HP\Digital Imaging\bin\hpqbam08.exec:\program files\HP\Digital Imaging\bin\hpqgpc01.exec:\program files\Skype\Plugin Manager\skypePM.exe.**************************************************************************.Completion time: 2009-09-23 17:11 - machine was rebootedComboFix-quarantined-files.txt 2009-09-23 00:11ComboFix2.txt 2009-09-22 20:26ComboFix3.txt 2009-09-21 23:59Pre-Run: 75,653,201,920 bytes freePost-Run: 75,580,739,584 bytes freeCurrent=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4393 --- E O F --- 2009-09-14 10:00 Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 23, 2009 Author ID:131423 Share Posted September 23, 2009 This process seems to have deleted one of my non-malware programs. "MagicJack", which is an plug-in internet phone. Is there anyway I can reinstall that? As it's not coming up in the normal re-installation process Link to post Share on other sites More sharing options...
Reallyhatesspyware Posted September 23, 2009 Author ID:131435 Share Posted September 23, 2009 Nevermind about the MagicJack. Fixed that easily enough. Link to post Share on other sites More sharing options...
LonnyRJ Posted September 23, 2009 ID:131528 Share Posted September 23, 2009 The deletion of MagicJack was my error, good you fixed it.When combofix was finished were you prompted to upload a file ?If not is this file present c:\CF-Submit.htm if so double click it to run, http://www.bleepingcomputer.com/submit-malware.php?channel=4if not post this text C:\Qoobox\ComboFix-quarantined files.txt Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted September 28, 2009 Root Admin ID:134329 Share Posted September 28, 2009 Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks!The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you. Link to post Share on other sites More sharing options...
Recommended Posts