Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92315 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] Packed.Monder in C:\Windows\Explorer.exe


  • This topic is locked This topic is locked
21 replies to this topic

#1 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 05 October 2009 - 11:09 PM

Ok, Earlier today I was sitting on the computer and my ZoneAlarm started complaining about N.ExN wanting to connect to the internet, which I promptly deny all access but it still apartly overpowered my computer and crashed it, and when it came back I was smacked with Malware of Security Tool, which I was able by doing a websearch on my other computer to disable [since I promptly unplug the infected computer from the network], I was able to disable it, and remove the directory it created in my application data folder, and remove anything funny looking in my MSCONFIG (I already had a custom MSCONFIG so I knew what should be in there.)

After that was removed from the system I started looking how it got in, I saw that my AVG Free found Packed.Monder in explorer.exe in the windows directory, and a rotscxjveyudme.dll in \\?globalroot\systemroot\system32\

Doing a websearch on the virus, I was directed here, which in a few places they asked the people to run GMER to see if a rootkit is on the computer, I was wondering if I was more infected, so I ran the scan, and it highlighted the rot...udme.dl that the AVG found, and said you many have rootkit activity, so I did as here suggested, which doing the full scan causes the computer to do a serious system fault and crash.

Becky

Edited to add missing log files

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/06 02:18
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF3E30000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7A83000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB8634000 Size: 49152 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF729A000 Size: 81920 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc7fc0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc4c80

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdf170

#: 046 Function Name: NtCreatePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc8580

#: 047 Function Name: NtCreateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdc900

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdcb10

#: 050 Function Name: NtCreateSection
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fe0b10

#: 056 Function Name: NtCreateWaitablePort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc8670

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc5210

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdf9f0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdf7a0

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdc280

#: 098 Function Name: NtLoadKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdff10

#: 099 Function Name: NtLoadKey2
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdff90

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc5070

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fde180

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fddf40

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fe06f0

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fe0150

#: 200 Function Name: NtRequestWaitReplyPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc7be0

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fe0540

#: 210 Function Name: NtSecureConnectPort
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc8190

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fc5440

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdf4e0

#: 255 Function Name: NtSystemDebugControl
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdd200

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "C:\WINDOWS\System32\vsdatant.sys" at address 0xf3fdd080

Hidden Services
-------------------
Service Name: rotscxiyqxvjkb
Image Path: C:\WINDOWS\system32\drivers\rotscxocwxdrtc.sys

==EOF==


DDS (Ver_09-06-26.01) - NTFSx86
Run by Reus at 2:11:33.09 on Tue 10/06/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.220 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SK9910DM.EXE
C:\WINDOWS\GWHotKey.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Reus\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot
uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [ATIPTA] atiptaxx.exe
mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe
mRun: [Multi-function Keyboard] GWHotKey.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [4823416992] c:\documents and settings\reus\application data\4823416992\4823416992.exe
mRun: [dejamiliw] Rundll32.exe "c:\windows\system32\lodivoyo.dll",a
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: WebConnect Pro 6.2.10 - hxxps://secureconnect.csx.com:3443/WebConnectDU.cab
DPF: Yahoo! MahJong Solitaire - hxxp://download.games.yahoo.com/games/clients/y/mjst4_x.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://jnstrains.no-ip.info:8081/kxhcm10.ocx
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/15167acc602526938716/netzip/RdxIE601.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093620660625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - hxxp://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\hunayeko.dll c:\windows\system32\lodivoyo.dll,hupabubi.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: narenozej - {c8b9ac13-5894-49eb-b867-114f22a08f75} - c:\windows\system32\hunayeko.dll
SSODL: gefojokub - {c6841d3c-d027-48ef-88e5-4a98d4669c8b} - c:\windows\system32\lodivoyo.dll
STS: tokatiluy: {c8b9ac13-5894-49eb-b867-114f22a08f75} - c:\windows\system32\hunayeko.dll
STS: mujuzedij: {c6841d3c-d027-48ef-88e5-4a98d4669c8b} - c:\windows\system32\lodivoyo.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll
LSA: Notification Packages = scecli rugujape.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\reus\applic~1\mozilla\firefox\profiles\2uo80nvm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\reus\application data\mozilla\firefox\profiles\2uo80nvm.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-2 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-12 27784]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-24 353672]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 297752]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-16 133104]
S2 mrtRate;mrtRate; [x]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [1979-12-31 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

=============== Created Last 30 ================

2009-10-06 02:00 <DIR> --d----- c:\docume~1\reus\applic~1\4823416992
2009-10-04 11:21 <DIR> --d----- c:\docume~1\reus\applic~1\Office Genuine Advantage
2009-10-03 23:15 <DIR> --d----- c:\program files\Microsoft
2009-10-03 02:17 195,440 -------- c:\windows\system32\MpSigStub.exe
2009-09-14 14:07 <DIR> --d----- c:\documents and settings\reus\.gimp-2.2
2009-09-08 17:49 153,088 -c------ c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-09-14 14:03 30,520 a------- c:\docume~1\reus\applic~1\GDIPFONTCACHEV1.DAT
2009-08-29 08:58 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-29 08:58 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll
2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll
2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll
2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll
2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe
2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2005-09-27 17:25 32 a----r-- c:\documents and settings\all users\hash.dat
2006-01-15 01:50 56 ---shr-- c:\windows\system32\6474B34A9E.sys
2009-07-05 10:59 26,624 a--sh--- c:\windows\system32\deniyiri.dll
2009-07-05 10:59 36,864 a--sh--- c:\windows\system32\gefuwode.dll
2009-07-06 02:00 37,888 a--sh--- c:\windows\system32\gesulodu.dll
2009-07-06 02:00 51,712 a--sh--- c:\windows\system32\hafurive.dll
2009-07-06 02:00 51,712 a--sh--- c:\windows\system32\henemate.dll
2009-07-06 02:00 51,712 a--sh--- c:\windows\system32\hupabubi.dll
2006-01-15 01:50 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys
2009-07-06 02:00 88,064 a--sh--- c:\windows\system32\lodivoyo.dll
2009-07-06 02:00 1,048,611 a--sh--- c:\windows\system32\redivipo.exe
2009-07-06 02:00 51,712 a--sh--- c:\windows\system32\rugujape.dll
2009-07-05 10:59 1,048,611 a--sh--- c:\windows\system32\zopirozu.exe

============= FINISH: 2:14:03.42 ===============

Attached Files


Edited by Becky R., 06 October 2009 - 12:36 AM.

    Advertisements

Register to Remove


#2 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 06 October 2009 - 06:00 PM

Hello and :welcome: Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advise. This may cause a delay, but I will do my best to keep it as short as possible. I am checking over your log , I will post back shortly with instructions.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#3 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 07 October 2009 - 07:08 PM

Hi Becky R.,

:welcome:

I will be helping you on removing malwares on your computer. Log research takes time, so please be patient and I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Do not install/uninstall anything on your computer unless advised.
  • Do not run any other scanning tools other than those instructed for you to use.
  • Follow the instructions on the order they are given.
  • Stay with this thread until advised when your computer is clean. Absence of symptoms does not necessarily mean a clean computer.
  • If you are being helped regarding this problem on another forum please advice us so that we can close this thread.
  • And lastly, if you have any questions, please ask before proceeding with any of the advised fixes.

_________________________________________________

Please download Combofix from any of the links below. You must rename it before saving it. Save it as SubsFix.exe

* IMPORTANT !!! Save SubsFix.exe to your Desktop

Link 1
Link 2

--------------------------------------------------------------------
IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link - How to Disable your Security Programs
--------------------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#4 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 07 October 2009 - 11:11 PM

Ok, I ran it, and here is the log file:

ComboFix 09-10-06.04 - Reus 10/08/2009 0:29.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.409 [GMT -4:00]
Running from: c:\documents and settings\Reus\Desktop\SubsFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\NPROTECT
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\Downloaded Program Files\RdxIE.dll
c:\windows\system32\deniyiri.dll
c:\windows\system32\drivers\rotscxocwxdrtc.sys
c:\windows\system32\gedogeye.dll
c:\windows\system32\jukisoya.dll
c:\windows\system32\rotscxegxtoewr.dat
c:\windows\system32\rotscxetylbjrn.dll
c:\windows\system32\rotscxjveyudme.dll
c:\windows\system32\rotscxmbbmpfqr.dat
c:\windows\system32\rotscxridwmykw.dll
c:\windows\system32\rotscxtodonvym.dll
c:\windows\system32\rotscxuebblcnp.dll
c:\windows\system32\yirumuno.dll
c:\windows\system32\zukogulu.dll

----- BITS: Possible infected sites -----

hxxp://82.98.235.208
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_rotscxiyqxvjkb
-------\Legacy_rotscxiyqxvjkb


((((((((((((((((((((((((( Files Created from 2009-09-08 to 2009-10-08 )))))))))))))))))))))))))))))))
.

2009-10-06 18:00 . 2009-10-06 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\31228925
2009-10-06 17:37 . 2009-10-06 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 17:37 . 2009-10-06 17:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 05:57 . 2009-10-06 05:57 -------- d-----w- c:\program files\ERUNT
2009-10-04 15:26 . 2009-10-04 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-04 15:21 . 2009-10-04 15:21 -------- d-----w- c:\documents and settings\Reus\Application Data\Office Genuine Advantage
2009-10-04 03:15 . 2009-10-04 03:15 -------- d-----w- c:\program files\Microsoft
2009-10-03 06:17 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-16 14:03 . 2009-09-16 14:03 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 14:02 . 2009-09-16 14:02 -------- d-----w- c:\program files\QuickTime
2009-09-14 18:07 . 2009-09-14 20:20 -------- d-----w- c:\documents and settings\Reus\.gimp-2.2
2009-09-10 05:06 . 2009-09-10 05:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-08 21:49 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-07 17:05 . 2008-04-21 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-06 03:36 . 2005-10-05 15:40 -------- d-----w- c:\program files\Google
2009-10-06 03:35 . 2009-01-08 22:56 -------- d-----w- c:\documents and settings\Reus\Application Data\uTorrent
2009-09-16 14:02 . 2004-11-21 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-29 12:58 . 2009-01-30 01:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 12:58 . 2007-03-12 14:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-29 12:58 . 2009-01-02 16:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 02:13 . 2004-08-27 23:45 30520 ----a-w- c:\documents and settings\Reus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\program files\MSBuild
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 01:03 . 2004-11-10 20:33 -------- d-----w- c:\program files\Shenware
2009-08-23 16:53 . 2009-08-23 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-23 16:53 . 2009-08-23 16:53 -------- d-----w- c:\program files\NOS
2009-08-14 17:50 . 2005-11-27 18:46 -------- d-----w- c:\documents and settings\Reus\Application Data\SecondLife
2009-08-06 23:24 . 2004-08-03 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-03 18:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-03 18:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-27 06:11 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 1980-01-01 00:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-03 19:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-03-27 07:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-03-27 07:17 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-27 06:11 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-27 06:27 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-01-15 05:50 . 2006-01-15 05:50 56 --sh--r- c:\windows\system32\6474B34A9E.sys
2009-07-06 18:00 . 2009-07-06 18:00 50688 --sha-w- c:\windows\system32\dulupuhu.dll
2006-01-15 05:50 . 2006-01-15 05:41 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-06 18:00 . 2009-07-06 18:00 1050147 --sha-w- c:\windows\system32\nukubufa.exe
2009-07-06 06:00 . 2009-07-06 06:00 1048611 --sha-w- c:\windows\system32\redivipo.exe
2009-07-06 18:01 . 2009-07-06 18:01 50688 --sha-w- c:\windows\system32\tugojogu.dll
2009-07-05 14:59 . 2009-07-05 14:59 1048611 --sha-w- c:\windows\system32\zopirozu.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a6318975-9c6d-4039-990f-e822dd31ec76}]
2009-07-06 18:01 50688 --sha-w- c:\windows\system32\tugojogu.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2008-10-27 87328]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-29 2007832]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-14 7630848]
"MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2008-04-14 169984]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\windows\system32\SK9910DM.EXE [2001-01-03 66048]
"Multi-function Keyboard"="GWHotKey.exe" - c:\windows\GWHotKey.exe [2001-08-28 98361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 12:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Shenware\\MiTrains.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Quicken\\bagent.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Logitech\\Video\\FxSvr2.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2009 12:33 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 9:41 PM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 mrtRate;mrtRate; [x]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [12/31/1979 8:00 PM 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/16/2009 9:08 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-08 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 23:06]

2009-10-08 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: WebConnect Pro 6.2.10 - hxxps://secureconnect.csx.com:3443/WebConnectDU.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://jnstrains.no-ip.info:8081/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\Reus\Application Data\Mozilla\Firefox\Profiles\2uo80nvm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Reus\Application Data\Mozilla\Firefox\Profiles\2uo80nvm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-dejamiliw - c:\windows\system32\yirumuno.dll
HKLM-Run-sivomifana - gedogeye.dll
SharedTaskScheduler-{c8b9ac13-5894-49eb-b867-114f22a08f75} - c:\windows\system32\hunayeko.dll
SharedTaskScheduler-{c1dfbcf7-8144-4925-a7bc-92626c605fce} - c:\windows\system32\yirumuno.dll
SSODL-narenozej-{c8b9ac13-5894-49eb-b867-114f22a08f75} - c:\windows\system32\hunayeko.dll
SSODL-gefojokub-{c6841d3c-d027-48ef-88e5-4a98d4669c8b} - (no file)
SSODL-geluyupot-{c1dfbcf7-8144-4925-a7bc-92626c605fce} - c:\windows\system32\yirumuno.dll
Notify-AtiExtEvent - (no file)
AddRemove-My Dollhouse - c:\program files\MyDollhouse\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 00:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000001822C5BF2EAE330881 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ÔP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"er\\2kxp_inf\\cx_08171.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3260)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Java\jre1.5.0_10\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-10-08 1:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-08 05:00

Pre-Run: 40,226,844,672 bytes free
Post-Run: 40,219,492,352 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

266 --- E O F --- 2009-10-04 04:00

Edited by Becky R., 07 October 2009 - 11:44 PM.


#5 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 08 October 2009 - 12:40 AM

My AVG Resident Shield complained about an infected restore point that something tried to open up after combo fix ran, I clicked heal for it, not sure if it was healed or not.. I can't find a log in AVG Resident Shield

#6 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 08 October 2009 - 06:46 PM

Hi Becky R.,

You can find the AVG log here -> C:\Documents and Settings\Reus\Application Data\AVG8\Log\

You have uTorrent, a P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.
P2P (File Sharing ) programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P program is not configured correctly you may be sharing more files than you realize. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured program.

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.

This article from InfoWorld illustrates the dangers of a poorly configured P2P program.
http://www.infoworld...ID-theft_1.html

I would recommend that you uninstall uTorrent, via Control Panel -> Add or Remove Programs.

However, if you do not wish to remove this program please be advised not to use the said program during the course of cleaning your machine.

--Next--

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

http://forums.whatth...e...st&p=601572

Collect::
c:\windows\system32\dulupuhu.dll
c:\windows\system32\nukubufa.exe
c:\windows\system32\redivipo.exe
c:\windows\system32\tugojogu.dll
c:\windows\system32\zopirozu.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a6318975-9c6d-4039-990f-e822dd31ec76}]

DDS::
DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - hxxp://software-dl.real.com/15167acc602526938716/netzip/RdxIE601.cab

DirLook::
c:\docume~1\reus\applic~1\4823416992
c:\documents and settings\All Users\Application Data\31228925


Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#7 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 08 October 2009 - 07:11 PM

I thought UTorrent was already uninstalled.. I went to the Add Remove Programs and it is not listed. I remember uninstalling it right after the Swedish Government shutdown Pirate Bay. As For Combo Fix that is running right now, It Asked me to update my Combo Fix program, so I clicked yes, not sure if I was suppose to do that.

#8 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 08 October 2009 - 07:28 PM

Hi Becky R. Don't worry about uTorrent for now. Yes, you did the right thing. Post the result when ready. Thank you.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#9 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 08 October 2009 - 07:50 PM

Oh those directories you looked in are Malware Security Tool.. It disabled it once, and it apparently reinstalled it self twice afterwards.

ComboFix 09-10-07.05 - Reus 10/08/2009 21:12.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.435 [GMT -4:00]
Running from: c:\documents and settings\Reus\Desktop\SubsFix.exe
Command switches used :: c:\documents and settings\Reus\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

file zipped: c:\windows\system32\dulupuhu.dll
file zipped: c:\windows\system32\nukubufa.exe
file zipped: c:\windows\system32\redivipo.exe
file zipped: c:\windows\system32\tugojogu.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\dulupuhu.dll
c:\windows\system32\nukubufa.exe
c:\windows\system32\redivipo.exe
c:\windows\system32\tugojogu.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-09 to 2009-10-09 )))))))))))))))))))))))))))))))
.

2009-10-06 18:00 . 2009-10-06 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\31228925
2009-10-06 17:37 . 2009-10-06 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 17:37 . 2009-10-06 17:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 05:57 . 2009-10-06 05:57 -------- d-----w- c:\program files\ERUNT
2009-10-04 15:26 . 2009-10-04 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-04 15:21 . 2009-10-04 15:21 -------- d-----w- c:\documents and settings\Reus\Application Data\Office Genuine Advantage
2009-10-04 03:15 . 2009-10-04 03:15 -------- d-----w- c:\program files\Microsoft
2009-10-03 06:17 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-16 14:03 . 2009-09-16 14:03 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 14:02 . 2009-09-16 14:02 -------- d-----w- c:\program files\QuickTime
2009-09-14 18:07 . 2009-09-14 20:20 -------- d-----w- c:\documents and settings\Reus\.gimp-2.2
2009-09-10 05:06 . 2009-09-10 05:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-08 18:06 . 2008-04-21 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-06 03:36 . 2005-10-05 15:40 -------- d-----w- c:\program files\Google
2009-10-06 03:35 . 2009-01-08 22:56 -------- d-----w- c:\documents and settings\Reus\Application Data\uTorrent
2009-09-16 14:02 . 2004-11-21 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-29 12:58 . 2009-01-30 01:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 12:58 . 2007-03-12 14:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-29 12:58 . 2009-01-02 16:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 02:13 . 2004-08-27 23:45 30520 ----a-w- c:\documents and settings\Reus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\program files\MSBuild
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 01:03 . 2004-11-10 20:33 -------- d-----w- c:\program files\Shenware
2009-08-23 16:53 . 2009-08-23 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-23 16:53 . 2009-08-23 16:53 -------- d-----w- c:\program files\NOS
2009-08-14 17:50 . 2005-11-27 18:46 -------- d-----w- c:\documents and settings\Reus\Application Data\SecondLife
2009-08-06 23:24 . 2004-08-03 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-03 18:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-03 18:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-27 06:11 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 1980-01-01 00:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-03 19:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-03-27 07:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-03-27 07:17 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-27 06:11 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-27 06:27 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-01-15 05:50 . 2006-01-15 05:50 56 --sh--r- c:\windows\system32\6474B34A9E.sys
2006-01-15 05:50 . 2006-01-15 05:41 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\docume~1\reus\applic~1\4823416992 ----


---- Directory of c:\documents and settings\All Users\Application Data\31228925 ----

2009-10-06 18:00 . 2009-10-06 18:00 274 ----a-w- c:\documents and settings\All Users\Application Data\31228925\31228925.bat
2009-10-06 18:00 . 2009-10-06 18:00 1050147 ----a-w- c:\documents and settings\All Users\Application Data\31228925\31228925.exe


((((((((((((((((((((((((((((( SnapShot@2009-10-08_04.48.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-09 01:35 . 2009-10-09 01:35 16384 c:\windows\Temp\Perflib_Perfdata_a78.dat
+ 2009-10-08 05:17 . 2009-10-08 05:17 16384 c:\windows\Temp\Perflib_Perfdata_96c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2008-10-27 87328]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-08 2023704]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-14 7630848]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\windows\system32\SK9910DM.EXE [2001-01-03 66048]
"Multi-function Keyboard"="GWHotKey.exe" - c:\windows\GWHotKey.exe [2001-08-28 98361]
"sivomifana"="gedogeye.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 12:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Shenware\\MiTrains.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Quicken\\bagent.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Logitech\\Video\\FxSvr2.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2009 12:33 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 9:41 PM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 mrtRate;mrtRate; [x]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [12/31/1979 8:00 PM 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/16/2009 9:08 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 23:06]

2009-10-09 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: WebConnect Pro 6.2.10 - hxxps://secureconnect.csx.com:3443/WebConnectDU.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://jnstrains.no-ip.info:8081/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\Reus\Application Data\Mozilla\Firefox\Profiles\2uo80nvm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Reus\Application Data\Mozilla\Firefox\Profiles\2uo80nvm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-08 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ÔP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"er\\2kxp_inf\\cx_08171.inf\00"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3744)
c:\windows\system32\WININET.dll
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\AVG\AVG8\avgui.exe
c:\windows\PCHealth\HelpCtr\Binaries\msconfig.exe
.
**************************************************************************
.
Completion time: 2009-10-09 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-09 01:46
ComboFix2.txt 2009-10-08 05:01

Pre-Run: 39,757,860,864 bytes free
Post-Run: 40,089,059,328 bytes free

239 --- E O F --- 2009-10-04 04:00

Edited by Becky R., 08 October 2009 - 08:03 PM.


#10 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 08 October 2009 - 11:21 PM

Hi Becky R.

Did you install Spybot Search & Destroy? If so, please disable teatimer and other anti malware programs before proceeding with the next step.
If you have difficulty properly disabling your protective programs, refer to this link - How to Disable your Security Programs

Let's do another run for the ComboFix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Folder::
c:\documents and settings\All Users\Application Data\31228925
c:\documents and settings\Reus\Application Data\uTorrent
c:\docume~1\reus\applic~1\4823416992

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sivomifana"=-

Save this as "CFScript.txt", and as Type: All Files (*.*) in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


--Next--

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
    Posted Image
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post back the log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.

--Next--

Please visit this site and follow the instructions for uploading the C:\Qoobox\Quarantine\[4]Submit_2009-10-09@01:46.zip file.

Logs to post in your next reply:
1. Combofix log.
2. Malwarebytes log.

Also, please describe how your computer is doing at the moment. Thank you.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!

    Advertisements

Register to Remove


#11 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 09 October 2009 - 06:42 AM

Ok, I am currently in the hotel for work, I will do it when I get home tomorrow afternoon. The computer is running much better, AVG Resident Shield still complains about viruses in the system restore data files though. I Installed SpyBot sometime on the 6th.

Edited by Becky R., 09 October 2009 - 06:42 AM.


#12 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 10 October 2009 - 05:42 AM

I could not find this file: C:\Qoobox\Quarantine\[4]Submit_2009-10-09@01:46.zip, no zip file was in C:\Qoobox\Quarantine\ I checked to see if AVG moved it in one of its nightly scan, but it didn't show up in any of my avg logs either.

ComboFix 09-10-08.04 - Reus 10/10/2009 6:35.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.291 [GMT -4:00]
Running from: c:\documents and settings\Reus\Desktop\SubsFix.exe
Command switches used :: c:\documents and settings\Reus\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\31228925
c:\documents and settings\All Users\Application Data\31228925\31228925.bat
c:\documents and settings\Reus\Application Data\uTorrent
c:\documents and settings\Reus\Application Data\uTorrent\??? ????(Taylor Swift).torrent
c:\documents and settings\Reus\Application Data\uTorrent\A Whole Bunch of TV Themes.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Alabama - Ultimate Alabama 20 #1 Hits (2004).torrent
c:\documents and settings\Reus\Application Data\uTorrent\Alan Jackson.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Animaniacs 1-50.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Atrheas-SE001.rar.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Babes In Toyland.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Banjo057TM.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Charlie Daniels Band - The Roots Remain 3CD Boxed Set.torrent
c:\documents and settings\Reus\Application Data\uTorrent\dht.dat
c:\documents and settings\Reus\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Reus\Application Data\uTorrent\Disney.Princess.Enchanted.Tales.Follow.Your.Dreams.2007.dvdrip.xvid.eng.ws.
zookeeper525.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Disney.Sing.Along.Disneyland.Fun.DVDFull.NTSC.FS.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Disney_prinsessor_förtrollande_äventyr_Nadjas.torrent
c:\documents and settings\Reus\Application Data\uTorrent\DisneyPrincessSingAlongVol2(BouncinBunny).avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\DisneyPrincessStoriesVol1.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\GoddEatsS5.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good Eats - S06E07 - Amber Waves [digitaldistractions].avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good Eats - S08E22 - Do The Rice Thing.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good Eats - Season 8.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good Eats S12E14 Pantry Raid X - Dark Side of the Cane.mp4.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good Eats Season 10 missing 4.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good.Eats.S13E01.Crustacean.Nation.4.Crawfish.HDTV.XviD-oOnTz.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good.Eats.S13E02.Tamale.Never.Dies.HDTV.XviD-oOnTz.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good_Eats_S13_E01_Tender_Is_The_Pork_HD.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good_Eats_S13_E04_American_Classics_IV_Spaghetti_With_Meat_Sauce_HD.avi.tor
rent
c:\documents and settings\Reus\Application Data\uTorrent\Good_Eats_S13_E05_Undercover_Veggies_HD.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good_Eats_S13_E06_Feeling_Punchy_HD.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Good_Eats_Season_01.torrent
c:\documents and settings\Reus\Application Data\uTorrent\GoodEatsS1.torrent
c:\documents and settings\Reus\Application Data\uTorrent\GoodEatsS2.torrent
c:\documents and settings\Reus\Application Data\uTorrent\GoodEatsS3.torrent
c:\documents and settings\Reus\Application Data\uTorrent\GoodEatsS4.torrent
c:\documents and settings\Reus\Application Data\uTorrent\GoodEatsSpecials.torrent
c:\documents and settings\Reus\Application Data\uTorrent\HomeOnTheRange.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Jerry Reed-7 Album.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Jonas Brothers - Lines Vines Trying Times [2009][CD+2 SkidVid_XviD+Cov].torrent
c:\documents and settings\Reus\Application Data\uTorrent\Kenny Rogers - 42 Ultimate Hits.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Lady GaGa- Poker Face.mp3.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Lady Gaga-Love Game(2009)[MP3][www.zonatorrent.com].torrent
c:\documents and settings\Reus\Application Data\uTorrent\ladygaga.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Lonnie Donegan - Puttin On The Style - The Greatest Hits.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Lullabies and Nursery Rhymes.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Mika.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Newsboys.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Nightsongs and Lullabies.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS- 301-Shaker Step Stools.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS- 310-Garden Swing.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS- 410-Umbrella Stand.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS- 412-Dove Cote.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS- 511-Redwood Arbor.avi.1.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS- 511-Redwood Arbor.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS-0605-New Yankee Wallclock.avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS-9810-Whirligig(brit).avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS-9906-Laundry Center(brit).avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\NYWS-9907-Bake Center(brit).avi.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Petra.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Radio_Disney_Jams_11_2009_TGCLEADER.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Rascal Flatts.rar.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Reba_McEntire-50_Greatest_Hits-3CD-2008.torrent
c:\documents and settings\Reus\Application Data\uTorrent\resume.dat
c:\documents and settings\Reus\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Reus\Application Data\uTorrent\Rockabye Baby - Lullaby Renditions Of Queen (2009).torrent
c:\documents and settings\Reus\Application Data\uTorrent\rss.dat
c:\documents and settings\Reus\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Reus\Application Data\uTorrent\settings.dat
c:\documents and settings\Reus\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Reus\Application Data\uTorrent\The Country Clump.rar.torrent
c:\documents and settings\Reus\Application Data\uTorrent\The Journey (12 Cd-Box).torrent
c:\documents and settings\Reus\Application Data\uTorrent\The Phantom Of The Opera [2004 Soundtrack] [Special Edition].torrent
c:\documents and settings\Reus\Application Data\uTorrent\utorrent.lng
c:\documents and settings\Reus\Application Data\uTorrent\VA-Motown_the_Complete_No.1s-10CD-Limited_Edition-2008-JUST.torrent
c:\documents and settings\Reus\Application Data\uTorrent\Walt Disney - Song of the South (1946).torrent
c:\documents and settings\Reus\Application Data\uTorrent\Wee Sing in Sillyville.torrent
c:\documents and settings\Reus\Application Data\uTorrent\YCDTOT_D04.ISO.torrent
c:\documents and settings\Reus\Application Data\uTorrent\You Can't Do That On Televison.torrent

.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.

2009-10-06 17:37 . 2009-10-06 19:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-06 17:37 . 2009-10-06 17:40 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-10-06 05:57 . 2009-10-06 05:57 -------- d-----w- c:\program files\ERUNT
2009-10-04 15:26 . 2009-10-04 15:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-10-04 15:21 . 2009-10-04 15:21 -------- d-----w- c:\documents and settings\Reus\Application Data\Office Genuine Advantage
2009-10-04 03:15 . 2009-10-04 03:15 -------- d-----w- c:\program files\Microsoft
2009-10-03 06:17 . 2009-10-01 14:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-09-16 14:03 . 2009-09-16 14:03 -------- d-----w- c:\program files\Common Files\Apple
2009-09-16 14:02 . 2009-09-16 14:02 -------- d-----w- c:\program files\QuickTime
2009-09-14 18:07 . 2009-09-14 20:20 -------- d-----w- c:\documents and settings\Reus\.gimp-2.2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-09 19:07 . 2008-04-21 23:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-10-06 03:36 . 2005-10-05 15:40 -------- d-----w- c:\program files\Google
2009-09-16 14:02 . 2004-11-21 23:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2009-08-29 12:58 . 2009-01-30 01:41 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-29 12:58 . 2007-03-12 14:02 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-29 12:58 . 2009-01-02 16:33 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 02:13 . 2004-08-27 23:45 30520 ----a-w- c:\documents and settings\Reus\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\program files\MSBuild
2009-08-28 02:02 . 2009-08-28 02:02 -------- d-----w- c:\program files\Reference Assemblies
2009-08-24 01:03 . 2004-11-10 20:33 -------- d-----w- c:\program files\Shenware
2009-08-23 16:53 . 2009-08-23 16:53 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-08-23 16:53 . 2009-08-23 16:53 -------- d-----w- c:\program files\NOS
2009-08-14 17:50 . 2005-11-27 18:46 -------- d-----w- c:\documents and settings\Reus\Application Data\SecondLife
2009-08-06 23:24 . 2004-08-03 19:02 327896 ----a-w- c:\windows\system32\wucltui.dll
2009-08-06 23:24 . 2004-08-03 18:59 209632 ----a-w- c:\windows\system32\wuweb.dll
2009-08-06 23:24 . 2005-05-26 08:16 44768 ----a-w- c:\windows\system32\wups2.dll
2009-08-06 23:24 . 2004-08-03 18:59 35552 ----a-w- c:\windows\system32\wups.dll
2009-08-06 23:24 . 2004-08-27 06:11 53472 ------w- c:\windows\system32\wuauclt.exe
2009-08-06 23:24 . 1980-01-01 00:00 96480 ----a-w- c:\windows\system32\cdm.dll
2009-08-06 23:23 . 2004-08-03 19:00 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-08-06 23:23 . 2009-03-27 07:17 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-08-06 23:23 . 2009-03-27 07:17 215920 ----a-w- c:\windows\system32\muweb.dll
2009-08-06 23:23 . 2004-08-27 06:11 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-08-05 09:01 . 2002-12-12 05:14 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 19:07 . 2009-08-03 19:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll
2009-08-03 19:07 . 2009-08-03 19:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll
2009-08-03 19:07 . 2009-08-03 19:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe
2009-07-26 20:44 . 2009-07-26 20:44 48448 ----a-w- c:\windows\system32\sirenacm.dll
2009-07-17 19:01 . 1980-01-01 00:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2004-08-27 06:27 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2006-01-15 05:50 . 2006-01-15 05:50 56 --sh--r- c:\windows\system32\6474B34A9E.sys
2006-01-15 05:50 . 2006-01-15 05:41 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-08_04.48.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-09 02:00 . 2009-10-09 02:00 16384 c:\windows\Temp\Perflib_Perfdata_c94.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2008-10-27 87328]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PRONoMgr.exe"="c:\program files\Intel\NCS\PROSet\PRONoMgr.exe" [2003-03-11 86016]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2005-07-19 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2005-06-08 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2005-06-08 217088]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-08 2023704]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-02-14 7630848]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\windows\system32\SK9910DM.EXE [2001-01-03 66048]
"Multi-function Keyboard"="GWHotKey.exe" - c:\windows\GWHotKey.exe [2001-08-28 98361]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-29 12:58 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\SecondLife\\SecondLife.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SecondLife\\SLVoice.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Shenware\\MiTrains.exe"=
"c:\\Program Files\\Quicken\\qw.exe"=
"c:\\Program Files\\Quicken\\bagent.exe"=
"c:\\Program Files\\SecondLifeReleaseCandidate\\SLVoice.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Logitech\\Video\\FxSvr2.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [1/2/2009 12:33 PM 335240]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [1/29/2009 9:41 PM 297752]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
S2 mrtRate;mrtRate; [x]
S3 getPlusHelper;getPlus® Helper;c:\windows\System32\svchost.exe -k getPlusHelper [12/31/1979 8:00 PM 14336]
S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]
S4 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/16/2009 9:08 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-01-27 23:06]

2009-10-10 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 23:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: WebConnect Pro 6.2.10 - hxxps://secureconnect.csx.com:3443/WebConnectDU.cab
DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://jnstrains.no-ip.info:8081/kxhcm10.ocx
FF - ProfilePath - c:\documents and settings\Reus\Application Data\Mozilla\Firefox\Profiles\2uo80nvm.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Reus\Application Data\Mozilla\Firefox\Profiles\2uo80nvm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07074039.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\Java\jre1.5.0_10\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{a6318975-9c6d-4039-990f-e822dd31ec76} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 06:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Reinstall\ÔP*]
"DisplayName"="?\13?\13"
"DeviceDesc"="?\13?\13"
"ProviderName"=""
"MFG"="???\\"
"ReinstallString"="c:\\WINDOWS\\System32\\ReinstallBackups\\?\13\\DriverFiles\\.INF"
"DeviceInstanceIds"=multi:"er\\2kxp_inf\\cx_08171.inf\00"
.
Completion time: 2009-10-10 6:58
ComboFix-quarantined-files.txt 2009-10-10 10:58
ComboFix2.txt 2009-10-09 01:46
ComboFix3.txt 2009-10-08 05:01

Pre-Run: 39,987,122,176 bytes free
Post-Run: 39,934,263,296 bytes free

277 --- E O F --- 2009-10-09 01:55

Malwarebytes' Anti-Malware 1.41
Database version: 2936
Windows 5.1.2600 Service Pack 3

10/10/2009 7:20:07 AM
mbam-log-2009-10-10 (07-19-49).txt

Scan type: Quick Scan
Objects scanned: 98819
Time elapsed: 8 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\The Weather Channel (Adware.Hotbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#13 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 12 October 2009 - 05:08 PM

Hi Becky R.,

Please post the contents of this file -> C:\Qoobox\ComboFix-quarantined-files.txt

--Next--

Please do the following:
  • Click Start then Run.
  • Type in "mbam.exe /developer", without the quotes.
  • Run the same type of scan with Malwarebytes you did before and save the logfile and post it.


Logs to post in your next reply:
1. The contents of C:\Qoobox\ComboFix-quarantined-files.txt
2. MBAM log.
3. Fresh DDS log.

Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!


#14 Becky R.

Becky R.

    New Member

  • Authentic Member
  • Pip
  • 11 posts

Posted 13 October 2009 - 04:10 PM

2009-10-10 10:56:31 . 2009-10-10 10:56:31 157 ----a-w- C:\Qoobox\Quarantine\Registry_backups\BHO-{a6318975-9c6d-4039-990f-e822dd31ec76}.reg.dat 2009-10-10 10:34:50 . 2009-10-10 10:34:50 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt 2009-10-08 04:59:46 . 2009-10-08 04:59:46 452 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-My Dollhouse.reg.dat 2009-10-08 04:59:22 . 2009-10-08 04:59:22 276 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-AtiExtEvent.reg.dat 2009-10-08 04:59:21 . 2009-10-08 04:59:21 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-geluyupot-{c1dfbcf7-8144-4925-a7bc-92626c605fce}.reg.dat 2009-10-08 04:59:21 . 2009-10-08 04:59:21 156 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-gefojokub-{c6841d3c-d027-48ef-88e5-4a98d4669c8b}.reg.dat 2009-10-08 04:59:21 . 2009-10-08 04:59:21 373 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SSODL-narenozej-{c8b9ac13-5894-49eb-b867-114f22a08f75}.reg.dat 2009-10-08 04:59:19 . 2009-10-08 04:59:19 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{c1dfbcf7-8144-4925-a7bc-92626c605fce}.reg.dat 2009-10-08 04:59:19 . 2009-10-08 04:59:19 374 ----a-w- C:\Qoobox\Quarantine\Registry_backups\SharedTaskScheduler-{c8b9ac13-5894-49eb-b867-114f22a08f75}.reg.dat 2009-10-08 04:59:12 . 2009-10-08 04:59:12 129 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-sivomifana.reg.dat 2009-10-08 04:59:11 . 2009-10-08 04:59:11 150 ----a-w- C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-dejamiliw.reg.dat 2009-10-08 04:45:29 . 2009-10-08 04:45:29 208 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\_qmgr1_.dat.zip 2009-10-08 04:45:28 . 2009-10-08 04:45:28 208 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\_qmgr0_.dat.zip 2009-10-08 04:40:42 . 2009-10-10 10:49:50 5,957 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg 2009-10-08 04:20:02 . 2009-10-08 04:20:02 1,588 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_rotscxiyqxvjkb.reg.dat 2009-10-08 04:09:42 . 2009-10-10 10:31:36 1,211 ----a-w- C:\Qoobox\Quarantine\catchme.log 2009-10-06 18:00:34 . 2009-10-06 18:00:34 274 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\31228925\31228925.bat.vir 2009-09-17 18:22:14 . 2009-10-06 23:17:01 68 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxegxtoewr.dat.vir 2009-09-10 04:55:26 . 2009-10-08 04:19:17 427,119 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\rotscxmbbmpfqr.dat.vir 2009-08-11 23:42:12 . 2009-08-11 23:42:04 14,903 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\The Phantom Of The Opera [2004 Soundtrack] [Special Edition].torrent.vir 2009-08-11 20:39:15 . 2009-08-11 20:39:06 29,781 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\A Whole Bunch of TV Themes.torrent.vir 2009-08-11 20:37:01 . 2009-08-11 20:36:29 19,316 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Nightsongs and Lullabies.torrent.vir 2009-08-11 20:37:00 . 2009-08-11 20:36:37 10,610 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Lullabies and Nursery Rhymes.torrent.vir 2009-08-11 20:33:22 . 2009-08-11 20:33:19 17,475 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS- 511-Redwood Arbor.avi.1.torrent.vir 2009-08-11 20:33:10 . 2009-08-11 20:33:07 19,716 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS- 410-Umbrella Stand.avi.torrent.vir 2009-08-11 20:30:13 . 2009-08-11 20:30:10 10,846 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good Eats - S06E07 - Amber Waves [digitaldistractions].avi.torrent.vir 2009-08-11 20:29:23 . 2009-08-11 20:29:16 15,277 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good Eats Season 10 missing 4.torrent.vir 2009-08-11 20:28:00 . 2009-08-11 20:27:53 14,647 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good Eats - Season 8.torrent.vir 2009-08-11 20:25:32 . 2009-08-11 20:25:22 14,759 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\GoodEatsS1.torrent.vir 2009-08-11 20:24:56 . 2009-08-11 20:24:47 48,408 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good Eats S12E14 Pantry Raid X - Dark Side of the Cane.mp4.torrent.vir 2009-08-11 20:24:30 . 2009-08-11 20:24:21 14,450 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good Eats - S08E22 - Do The Rice Thing.avi.torrent.vir 2009-08-11 20:22:15 . 2009-08-11 20:22:12 14,600 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\GoddEatsS5.torrent.vir 2009-08-11 20:21:52 . 2009-08-11 20:21:42 14,607 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\GoodEatsS4.torrent.vir 2009-08-11 20:21:30 . 2009-08-11 20:21:11 15,512 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\GoodEatsS3.torrent.vir 2009-08-11 20:21:29 . 2009-08-11 20:21:23 15,531 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\GoodEatsS2.torrent.vir 2009-08-11 20:20:20 . 2009-08-11 20:20:06 19,425 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\GoodEatsSpecials.torrent.vir 2009-08-11 20:19:34 . 2009-08-11 20:19:19 14,602 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good.Eats.S13E02.Tamale.Never.Dies.HDTV.XviD-oOnTz.avi.torrent.vir 2009-08-11 20:19:32 . 2009-08-11 20:19:23 14,633 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good.Eats.S13E01.Crustacean.Nation.4.Crawfish.HDTV.XviD-oOnTz.avi.torrent.vir 2009-08-11 20:18:21 . 2009-08-11 20:18:05 14,556 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good_Eats_S13_E04_American_Classics_IV_Spaghetti_With_Meat_Sauce_HD.avi.tor rent.vir 2009-08-11 20:18:20 . 2009-08-11 20:18:14 14,575 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good_Eats_S13_E01_Tender_Is_The_Pork_HD.avi.torrent.vir 2009-08-11 20:17:58 . 2009-08-11 20:17:48 14,475 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good_Eats_S13_E05_Undercover_Veggies_HD.avi.torrent.vir 2009-08-11 20:17:22 . 2009-08-11 20:16:35 14,964 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good_Eats_S13_E06_Feeling_Punchy_HD.avi.torrent.vir 2009-08-11 20:17:21 . 2009-08-11 20:17:09 12,342 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Good_Eats_Season_01.torrent.vir 2009-08-04 02:14:39 . 2009-08-04 02:14:33 13,247 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Rockabye Baby - Lullaby Renditions Of Queen (2009).torrent.vir 2009-08-04 02:14:11 . 2009-08-04 02:14:09 20,162 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS-0605-New Yankee Wallclock.avi.torrent.vir 2009-08-04 02:13:47 . 2009-08-04 02:13:45 19,540 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS- 301-Shaker Step Stools.avi.torrent.vir 2009-08-04 02:13:36 . 2009-08-04 02:13:33 19,691 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS- 412-Dove Cote.avi.torrent.vir 2009-08-04 02:13:06 . 2009-08-04 02:13:04 17,264 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Jonas Brothers - Lines Vines Trying Times [2009][CD+2 SkidVid_XviD+Cov].torrent.vir 2009-07-31 01:11:32 . 2009-07-31 01:11:06 99,814 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Animaniacs 1-50.torrent.vir 2009-07-31 00:37:41 . 2009-07-31 00:37:39 27,799 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Walt Disney - Song of the South (1946).torrent.vir 2009-07-31 00:36:04 . 2009-07-31 00:36:02 14,682 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Disney.Princess.Enchanted.Tales.Follow.Your.Dreams.2007.dvdrip.xvid.eng.ws. zookeeper525.torrent.vir 2009-07-31 00:35:41 . 2009-07-31 00:35:39 15,327 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\HomeOnTheRange.avi.torrent.vir 2009-07-31 00:35:31 . 2009-07-31 00:35:28 14,623 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Babes In Toyland.torrent.vir 2009-07-31 00:33:28 . 2009-07-31 00:33:24 14,295 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Disney_prinsessor_förtrollande_äventyr_Nadjas.torrent.vir 2009-07-31 00:31:12 . 2009-07-31 00:31:10 12,098 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\DisneyPrincessStoriesVol1.avi.torrent.vir 2009-07-31 00:30:49 . 2009-07-31 00:30:40 13,853 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\DisneyPrincessSingAlongVol2(BouncinBunny).avi.torrent.vir 2009-07-31 00:18:36 . 2009-07-31 00:16:08 34,665 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\ladygaga.torrent.vir 2009-07-31 00:18:12 . 2009-07-31 00:18:09 29,317 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Disney.Sing.Along.Disneyland.Fun.DVDFull.NTSC.FS.torrent.vir 2009-07-31 00:02:56 . 2009-07-31 00:01:12 88,741 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\You Can't Do That On Televison.torrent.vir 2009-07-30 23:58:47 . 2009-07-30 23:57:43 17,475 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS- 511-Redwood Arbor.avi.torrent.vir 2009-07-19 17:50:54 . 2009-07-19 17:50:48 13,054 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\The Country Clump.rar.torrent.vir 2009-07-19 17:14:21 . 2009-07-19 17:13:35 47,789 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Petra.torrent.vir 2009-07-19 17:11:31 . 2009-07-19 17:09:41 15,085 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS-9906-Laundry Center(brit).avi.torrent.vir 2009-07-19 17:07:42 . 2009-07-19 17:07:21 15,760 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS-9810-Whirligig(brit).avi.torrent.vir 2009-07-19 17:07:42 . 2009-07-19 17:07:27 15,662 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS-9907-Bake Center(brit).avi.torrent.vir 2009-07-19 17:07:41 . 2009-07-19 17:07:33 19,817 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\NYWS- 310-Garden Swing.avi.torrent.vir 2009-07-06 18:01:06 . 2009-07-06 18:01:06 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\gedogeye.dll.vir 2009-07-06 18:01:06 . 2009-07-06 18:01:06 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\jukisoya.dll.vir 2009-07-06 18:01:06 . 2009-07-06 18:01:06 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\tugojogu.dll.vir 2009-07-06 18:00:29 . 2009-07-06 18:00:29 50,688 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\dulupuhu.dll.vir 2009-07-06 18:00:29 . 2009-07-06 18:00:29 1,050,147 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\nukubufa.exe.vir 2009-07-06 06:00:05 . 2009-07-06 06:00:05 1,048,611 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\redivipo.exe.vir 2009-07-05 14:59:04 . 2009-07-05 14:59:04 26,624 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\deniyiri.dll.vir 2009-06-29 23:52:31 . 2009-06-29 23:01:09 48,911 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Jerry Reed-7 Album.torrent.vir 2009-06-28 17:09:22 . 2009-06-28 17:09:14 21,797 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Kenny Rogers - 42 Ultimate Hits.torrent.vir 2009-06-28 17:07:49 . 2009-06-28 17:07:35 65,879 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\The Journey (12 Cd-Box).torrent.vir 2009-06-27 15:58:18 . 2009-06-27 15:57:49 23,796 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Newsboys.torrent.vir 2009-06-27 15:56:16 . 2009-06-27 15:55:22 976 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Lady Gaga-Love Game(2009)[MP3][www.zonatorrent.com].torrent.vir 2009-06-27 15:56:12 . 2009-06-27 15:55:37 2,472 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Lady GaGa- Poker Face.mp3.torrent.vir 2009-04-12 20:05:43 . 2009-04-12 20:05:38 39,994 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Reba_McEntire-50_Greatest_Hits-3CD-2008.torrent.vir 2009-04-12 20:04:13 . 2009-04-12 20:04:05 20,909 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Alan Jackson.torrent.vir 2009-04-12 20:02:02 . 2009-04-12 20:01:49 15,308 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Alabama - Ultimate Alabama 20 #1 Hits (2004).torrent.vir 2009-04-12 20:01:08 . 2009-04-12 19:48:49 22,039 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\??? ????(Taylor Swift).torrent.vir 2009-04-12 20:01:07 . 2009-04-12 19:51:02 38,278 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Rascal Flatts.rar.torrent.vir 2009-04-09 00:00:41 . 2009-04-08 23:59:44 13,444 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Radio_Disney_Jams_11_2009_TGCLEADER.torrent.vir 2009-03-28 01:13:52 . 2009-03-28 01:13:34 26,865 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\VA-Motown_the_Complete_No.1s-10CD-Limited_Edition-2008-JUST.torrent.vir 2009-03-17 21:56:11 . 2009-07-19 17:07:51 560,367 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\utorrent.lng.vir 2009-03-17 21:56:00 . 2009-03-17 21:55:20 11,589 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Mika.torrent.vir 2009-02-11 06:59:30 . 2009-02-11 06:59:19 90,096 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\YCDTOT_D04.ISO.torrent.vir 2009-02-04 20:45:12 . 2009-02-04 20:44:40 27,358 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Charlie Daniels Band - The Roots Remain 3CD Boxed Set.torrent.vir 2009-01-29 04:48:13 . 2009-01-29 04:47:47 9,213 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Banjo057TM.torrent.vir 2009-01-28 00:08:05 . 2009-08-28 01:51:30 3,936 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\dht.dat.old.vir 2009-01-28 00:08:05 . 2009-09-01 17:08:35 138 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\dht.dat.vir 2009-01-28 00:08:05 . 2009-08-28 01:51:29 99 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\rss.dat.old.vir 2009-01-28 00:08:05 . 2009-09-01 17:08:35 99 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\rss.dat.vir 2009-01-16 23:15:17 . 2009-01-16 23:15:04 7,645 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Atrheas-SE001.rar.torrent.vir 2009-01-09 05:40:58 . 2009-01-09 05:40:52 17,584 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Wee Sing in Sillyville.torrent.vir 2009-01-08 23:26:25 . 2009-09-01 17:08:35 2,089 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\settings.dat.old.vir 2009-01-08 23:26:25 . 2009-10-06 03:35:49 2,054 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\settings.dat.vir 2009-01-08 23:00:23 . 2009-09-01 17:02:14 2,401 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\resume.dat.old.vir 2009-01-08 23:00:23 . 2009-09-01 17:08:35 2,381 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\resume.dat.vir 2009-01-08 22:59:52 . 2009-01-08 22:59:47 52,244 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Reus\Application Data\uTorrent\Lonnie Donegan - Puttin On The Style - The Greatest Hits.torrent.vir 2004-08-27 15:32:29 . 2009-10-08 04:45:59 4,096 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir 2004-08-27 15:32:29 . 2009-10-08 04:45:59 4,096 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir 2004-08-26 16:12:00 . 2004-08-26 16:12:00 126,976 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.dll.vir 2004-08-18 19:47:58 . 2004-08-18 19:47:58 241 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\popcaploader.inf.vir 2004-06-03 14:04:04 . 2004-06-03 14:04:04 520,349 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\Downloaded Program Files\RdxIE.dll.vir Malwarebytes' Anti-Malware 1.41 Database version: 2936 Windows 5.1.2600 Service Pack 3 10/13/2009 5:54:47 PM mbam-log-2009-10-13 (17-54-47).txt Scan type: Quick Scan Objects scanned: 99516 Time elapsed: 9 minute(s), 47 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) DDS (Ver_09-06-26.01) - NTFSx86 Run by Reus at 18:07:36.94 on Tue 10/13/2009 Internet Explorer: 8.0.6001.18702 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.107 [GMT -4:00] AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF} FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe -k netsvcs svchost.exe svchost.exe C:\WINDOWS\system32\ZoneLabs\vsmon.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE svchost.exe C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\PROGRA~1\AVG\AVG8\avgrsx.exe C:\WINDOWS\system32\SK9910DM.EXE C:\WINDOWS\GWHotKey.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe C:\WINDOWS\system32\LVCOMSX.EXE C:\Program Files\Logitech\Video\LogiTray.exe C:\PROGRA~1\AVG\AVG8\avgtray.exe C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\Logitech\Video\FxSvr2.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe C:\Program Files\Windows Live\Contacts\wlcomm.exe C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE C:\Program Files\AVG\AVG8\avgcsrvx.exe C:\Program Files\Microsoft Office\Office10\WINWORD.EXE C:\Program Files\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\NOTEPAD.EXE C:\Documents and Settings\Reus\Desktop\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank uSearch Page = hxxp://www.google.com uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 uSearch Bar = hxxp://www.google.com/ie uInternet Connection Wizard,ShellNext = hxxp://www.google.com/ uSearchAssistant = hxxp://www.google.com/ie uSearchURL,(Default) = hxxp://www.google.com/search?q=%s uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: {a6318975-9c6d-4039-990f-e822dd31ec76} - No File BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [LogitechSoftwareUpdate] "c:\program files\logitech\video\ManifestEngine.exe" boot uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe mRun: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe mRun: [Multi-function Keyboard] GWHotKey.exe mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe" mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe" mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe" mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000 IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab DPF: WebConnect Pro 6.2.10 - hxxps://secureconnect.csx.com:3443/WebConnectDU.cab DPF: Yahoo! MahJong Solitaire - hxxp://download.games.yahoo.com/games/clients/y/mjst4_x.cab DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204 DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - hxxp://download.ebay.com/turbo_lister/US/install.cab DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} - hxxp://jnstrains.no-ip.info:8081/kxhcm10.ocx DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc.cab DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093620660625 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} - hxxp://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} - hxxp://apps.corel.com/nos_dl_manager/plugin/IENetOpPlugin.ocx Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll Notify: avgrsstarter - avgrsstx.dll SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\reus\applic~1\mozilla\firefox\profiles\2uo80nvm.default\ FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll FF - plugin: c:\documents and settings\reus\application data\mozilla\firefox\profiles\2uo80nvm.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07074039.dll FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll FF - plugin: c:\program files\google\update\1.2.183.7\npGoogleOneClick8.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-2 335240] R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-3-12 27784] R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-24 353672] R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-29 297752] R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?] R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592] S2 mrtRate;mrtRate; [x] S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [1979-12-31 14336] S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?] S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-16 133104] =============== Created Last 30 ================ 2009-10-10 07:09 <DIR> --d----- c:\docume~1\reus\applic~1\Malwarebytes 2009-10-10 07:08 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys 2009-10-10 07:08 19,160 a------- c:\windows\system32\drivers\mbam.sys 2009-10-10 07:08 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware 2009-10-10 07:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes 2009-10-08 00:12 <DIR> a-dshr-- C:\cmdcons 2009-10-08 00:10 229,888 a------- c:\windows\PEV.exe 2009-10-08 00:10 161,792 a------- c:\windows\SWREG.exe 2009-10-08 00:10 98,816 a------- c:\windows\sed.exe 2009-10-06 13:37 <DIR> --d----- c:\program files\Spybot - Search & Destroy 2009-10-06 13:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-10-04 11:21 <DIR> --d----- c:\docume~1\reus\applic~1\Office Genuine Advantage 2009-10-03 23:15 <DIR> --d----- c:\program files\Microsoft 2009-10-03 02:17 195,440 -------- c:\windows\system32\MpSigStub.exe 2009-09-14 14:07 <DIR> --d----- c:\documents and settings\reus\.gimp-2.2 ==================== Find3M ==================== 2009-09-14 14:03 30,520 a------- c:\docume~1\reus\applic~1\GDIPFONTCACHEV1.DAT 2009-08-29 08:58 11,952 a------- c:\windows\system32\avgrsstx.dll 2009-08-29 08:58 335,240 a------- c:\windows\system32\drivers\avgldx86.sys 2009-08-06 19:23 274,288 a------- c:\windows\system32\mucltui.dll 2009-08-06 19:23 215,920 a------- c:\windows\system32\muweb.dll 2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll 2009-08-03 15:07 403,816 a------- c:\windows\system32\OGACheckControl.dll 2009-08-03 15:07 322,928 a------- c:\windows\system32\OGAAddin.dll 2009-08-03 15:07 230,768 a------- c:\windows\system32\OGAEXEC.exe 2009-07-26 16:44 48,448 a------- c:\windows\system32\sirenacm.dll 2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll 2005-09-27 17:25 32 a----r-- c:\documents and settings\all users\hash.dat 2006-01-15 01:50 56 ---shr-- c:\windows\system32\6474B34A9E.sys 2006-01-15 01:50 3,350 a--sh--- c:\windows\system32\KGyGaAvL.sys ============= FINISH: 18:08:10.32 ===============

#15 inzanity

inzanity

    ♠♠lost♠♠

  • Malware Team
  • 2,340 posts

Posted 13 October 2009 - 11:55 PM

Hi,

Please open Notepad then copy/paste the text inside the code box into it

@echo off
for %%i in (
"C:\Qoobox\Quarantine\C\WINDOWS\system32\tugojogu.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\dulupuhu.dll.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\redivipo.exe.vir"
"C:\Qoobox\Quarantine\C\WINDOWS\system32\nukubufa.exe.vir"
) do zip Files_for_submission %%i
del %0

Click File then Save As..., save to your desktop.
Filename: Fix.bat
Save as type: All files
Click Save

Double click Fix.bat to run it. A file named Files_for_submission.zip will be created on your desktop.

--Next--

Please visit this site and follow the instructions for uploading the Files_for_submission.zip file.
  • Please Copy the url for this topic then paste it on the space provided after Link to topic where this file was requested:
  • Browse for this file -> C:\Documents and Settings\Reus\Desktop\Files_for_submission.zip in your computer.
  • Leave the comments blank.

--Next--

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

Tha latest version is Java 6 Update 16

Now to Clean out the Java cache:

Go into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Settings... button
  • click the Delete Files button.
  • There are two options in the window to clear the cache - Leave both Checked
    Applications and Applets
    Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Settings
  • Click OK to leave the Java Control Panel.

--Next--

Please do a scan with Kaspersky Online Scanner or from Here.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report To obtain the report:
  • Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop
  • In the File name area, use KScan, or something similar In Save as type, click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.

Posted Image


Proud graduate of WTT Classroom


The help we provide here is free, however, if you wish to donate, you can do so here: http://www.whatthetech.com/donate/

ASAP and UNITE member

________________________________________________


!

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users