[Closed] Hijack This Log


  • This topic is locked
9 replies to this topic

#1 Blindsided623

    Authentic Member
  • 37 posts

Posted 01 November 2009 - 09:49 PM

My roommate doesn't know which porn sites are safe to browse and which aren't.

Here's what I've got so far.

1. Some pages hesitate to load, or don't load at all.
2. Random pop up ads that are almost always the same.
3. Every once in a while it will redirect me to a random website while going to something.

Here's the HiJackThis Log. Thanks in advance to anyone who helps.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:03 PM, on 11/1/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com?o=14196&l=dis
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [83099938] C:\Documents and Settings\All Users\Application Data\83099938\83099938.exe
O4 - HKLM\..\Run: [02480418] C:\Documents and Settings\All Users\Application Data\02480418\02480418.exe
O4 - HKLM\..\Run: [43850323] C:\Documents and Settings\All Users\Application Data\43850323\43850323.exe
O4 - HKLM\..\Run: [10111610] C:\Documents and Settings\All Users\Application Data\10111610\10111610.exe
O4 - HKLM\..\Run: [36329730] C:\Documents and Settings\All Users\Application Data\36329730\36329730.exe
O4 - HKLM\..\Run: [67978643] C:\Documents and Settings\All Users\Application Data\67978643\67978643.exe
O4 - HKLM\..\Run: [87967239] C:\DOCUME~1\ALLUSE~1\APPLIC~1\87967239\87967239.exe
O4 - HKLM\..\Run: [36214723] C:\Documents and Settings\All Users\Application Data\36214723\36214723.exe
O4 - HKLM\..\Run: [34489432] C:\Documents and Settings\All Users\Application Data\34489432\34489432.exe
O4 - HKLM\..\Run: [88727638] C:\Documents and Settings\All Users\Application Data\88727638\88727638.exe
O4 - HKLM\..\Run: [07905324] C:\Documents and Settings\All Users\Application Data\07905324\07905324.exe
O4 - HKLM\..\Run: [motivijis] Rundll32.exe "c:\windows\system32\wamepesi.dll",a
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebo...otoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} (SimCityX Control) - http://simcity.ea.co...ic/SimCityX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0D4CE743-A9FD-4C88-86F7-DC289838F413}: NameServer = 10.106.128.1
O20 - AppInit_DLLs: laladujo.dll c:\windows\system32\wamepesi.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 - SSODL: sariyitol - {9e0dfd42-afa2-4037-a96e-a0b90e959c13} - c:\windows\system32\wamepesi.dll
O22 - SharedTaskScheduler: tokatiluy - {9e0dfd42-afa2-4037-a96e-a0b90e959c13} - c:\windows\system32\wamepesi.dll
O23 - Service: Avira AntiVir Scheduler (antivirschedulerservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\

--
End of file - 7214 bytes



#2 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 03 November 2009 - 09:03 PM

Hello Blindsided623,
Welcome to What the Tech.
My name is OCD, I will be helping you with your log today.

Please be advised, as I am still in training, all my replies to you will be checked for accuracy by one of our experts to ensure that I am giving you the best possible advice.
This may cause a delay, but I will do my best to keep it as short as possible.

I am checking over your HJT log now; I will post back shortly with instructions.
OCD

Proud Graduate of WTT Classroom
Member of UNITE

Threads will be closed if no response after 5 days

If you are satisfied with the help you have received, please consider making a donation.


#3 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 03 November 2009 - 09:55 PM

Hello Blindsided623,
  • You may want to print out these instructions for reference prior to proceeding.
  • This solution is specifically tailored for this particular problem, please do not attempt to use this solution on another computer.
  • If you have any questions, or are uncertain about any steps please ask 'before' proceeding.
- - - - - Next - - - - -

Please download DDS from one of the following links and save it to your desktop.
  • Disable any script blocking protection (How to Disable your Security Programs)
  • Double click DDS icon to run the tool (may take up to 3 minutes to run)
  • When done, DDS.txt will open.
  • After a few moments, attach.txt will open in a second window.
  • Save both reports to your desktop.
- - - - - Next - - - - -

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO.

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop, and post it in your next reply.
**Caution** - Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

- - - - - Next - - - - -

On your next post please provide the following:
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open, and then click UPLOAD.
  • Gmer.txt

OCD



#4 Blindsided623

    Authentic Member
  • 37 posts

Posted 03 November 2009 - 11:42 PM

DDS (Ver_09-10-26.01) - NTFSx86
Run by Paul at 23:36:41.14 on Tue 11/03/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.66 [GMT -6:00]

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Paul\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6] "c:\program files\aim6\aim6.exe" /d locale=en-US ee://aol/imApp
uRun: [AdobeUpdater] c:\program files\common files\adobe\updater5\AdobeUpdater.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [83099938] c:\documents and settings\all users\application data\83099938\83099938.exe
mRun: [02480418] c:\documents and settings\all users\application data\02480418\02480418.exe
mRun: [43850323] c:\documents and settings\all users\application data\43850323\43850323.exe
mRun: [10111610] c:\documents and settings\all users\application data\10111610\10111610.exe
mRun: [36329730] c:\documents and settings\all users\application data\36329730\36329730.exe
mRun: [67978643] c:\documents and settings\all users\application data\67978643\67978643.exe
mRun: [87967239] c:\docume~1\alluse~1\applic~1\87967239\87967239.exe
mRun: [36214723] c:\documents and settings\all users\application data\36214723\36214723.exe
mRun: [88727638] c:\documents and settings\all users\application data\88727638\88727638.exe
mRun: [07905324] c:\documents and settings\all users\application data\07905324\07905324.exe
mRun: [motivijis] Rundll32.exe "c:\windows\system32\feduloke.dll",a
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {BF985246-09BF-11D2-BE62-006097DF57F6} - hxxp://simcity.ea.com/play/classic/SimCityX.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {0D4CE743-A9FD-4C88-86F7-DC289838F413} = 10.106.128.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
AppInit_DLLs: laladujo.dll c:\windows\system32\feduloke.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: nipayomiy - {4f14ae8a-aefa-4c12-8a4c-d417f0147a10} - c:\windows\system32\feduloke.dll
STS: gahurihor: {4f14ae8a-aefa-4c12-8a4c-d417f0147a10} - c:\windows\system32\feduloke.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli gohivoju.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\5gj188sf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\paul\application data\mozilla\firefox\profiles\5gj188sf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\paul\application data\mozilla\firefox\profiles\5gj188sf.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\yahoo!\common\npyaxmpb.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-10-30 14:48:52 0 d-----w- c:\docume~1\alluse~1\applic~1\07905324
2009-10-30 02:48:55 0 d-----w- c:\docume~1\alluse~1\applic~1\88727638
2009-10-29 14:48:38 0 d-----w- c:\docume~1\alluse~1\applic~1\34489432
2009-10-28 14:48:01 0 d-----w- c:\docume~1\alluse~1\applic~1\36214723
2009-10-28 05:27:46 0 d-----w- c:\docume~1\paul\applic~1\FrostWire
2009-10-26 02:45:50 0 d-----w- c:\docume~1\alluse~1\applic~1\87967239
2009-10-25 14:45:28 0 d-----w- c:\docume~1\alluse~1\applic~1\82153322
2009-10-25 02:45:13 0 d-----w- c:\docume~1\alluse~1\applic~1\17535021
2009-10-25 01:27:48 0 d-----w- c:\docume~1\alluse~1\applic~1\TVU Networks
2009-10-24 14:44:44 0 d-----w- c:\docume~1\alluse~1\applic~1\94004320
2009-10-24 04:21:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 04:21:06 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 04:21:05 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 02:44:21 0 d-----w- c:\docume~1\alluse~1\applic~1\38045020
2009-10-23 14:44:01 0 d-----w- c:\docume~1\alluse~1\applic~1\29178532
2009-10-23 02:44:08 0 d-----w- c:\docume~1\alluse~1\applic~1\74456026
2009-10-22 14:43:38 0 d-----w- c:\docume~1\alluse~1\applic~1\60582425
2009-10-22 02:43:25 0 d-----w- c:\docume~1\alluse~1\applic~1\67978643
2009-10-21 14:43:09 0 d-----w- c:\docume~1\alluse~1\applic~1\36329730
2009-10-21 02:43:00 0 d-----w- c:\docume~1\alluse~1\applic~1\10111610
2009-10-20 14:42:30 0 d-----w- c:\docume~1\alluse~1\applic~1\43850323
2009-10-20 02:42:05 0 d-----w- c:\docume~1\alluse~1\applic~1\02480418
2009-10-19 02:09:49 0 d-----w- c:\docume~1\alluse~1\applic~1\83099938
2009-10-17 05:36:31 0 d-----w- c:\program files\Ultimate MMA Simulator 2 B3

==================== Find3M ====================

2009-10-20 04:29:32 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-09-25 16:41:28 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41:26 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41:26 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41:26 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41:26 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41:26 696320 ----a-w- c:\windows\system32\DivX.dll
2009-08-02 14:50:06 90112 --sha-w- c:\windows\system32\badekofi.dll
2009-07-30 02:48:30 89088 --sha-w- c:\windows\system32\benopezu.dll
2009-08-03 02:50:26 90112 --sha-w- c:\windows\system32\bunuyuza.dll
2009-07-26 14:45:57 51712 --sha-w- c:\windows\system32\busofama.dll
2009-08-04 04:07:10 90112 --sha-w- c:\windows\system32\feduloke.dll
2009-07-20 02:41:55 39424 --sha-w- c:\windows\system32\fohuveka.dll
2009-07-27 02:47:04 51200 --sha-w- c:\windows\system32\gohivoju.dll
2009-07-26 14:45:59 38400 --sha-w- c:\windows\system32\hilupana.dll
2009-07-29 02:48:07 37888 --sha-w- c:\windows\system32\lekepegu.dll
2009-07-19 02:09:24 169984 --sha-w- c:\windows\system32\likayube.dll
2009-07-31 14:49:07 37888 --sha-w- c:\windows\system32\mabafaye.dll
2009-07-31 14:49:07 90112 --sha-w- c:\windows\system32\pegeweya.dll
2009-07-20 02:41:55 89600 --sha-w- c:\windows\system32\petobuke.dll
2009-07-19 02:09:24 90112 --sha-w- c:\windows\system32\popajodo.dll
2009-08-02 14:50:06 38912 --sha-w- c:\windows\system32\popapabe.dll
2009-07-19 14:09:20 52224 --sha-w- c:\windows\system32\potawoyi.dll
2009-07-21 14:43:03 52224 --sha-w- c:\windows\system32\pugediro.dll
2009-08-03 02:50:26 38912 --sha-w- c:\windows\system32\punonoho.dll
2009-07-28 02:47:13 37888 --sha-w- c:\windows\system32\rajuguke.dll
2009-07-27 02:46:28 37888 --sha-w- c:\windows\system32\rohawoyu.dll
2009-08-03 16:07:14 89600 --sha-w- c:\windows\system32\rozevowe.dll
2009-07-29 14:48:14 90112 --sha-w- c:\windows\system32\sefavezo.dll
2009-07-27 14:46:51 89088 --sha-w- c:\windows\system32\sisifeme.dll
2009-08-01 02:49:10 89600 --sha-w- c:\windows\system32\suvibala.dll
2009-07-30 14:48:43 38912 --sha-w- c:\windows\system32\tamotumu.dll
2009-07-31 02:48:52 89600 --sha-w- c:\windows\system32\tusafaja.dll
2009-07-27 14:46:51 37888 --sha-w- c:\windows\system32\varareto.dll
2009-08-02 02:49:41 89600 --sha-w- c:\windows\system32\wamepesi.dll
2009-07-25 14:45:19 90112 --sha-w- c:\windows\system32\wemudisi.dll
2009-07-27 02:46:27 89088 --sha-w- c:\windows\system32\wiwediwi.dll
2009-07-30 14:48:43 90112 --sha-w- c:\windows\system32\woferezi.dll
2009-07-20 14:42:24 39424 --sha-w- c:\windows\system32\wokidaro.dll
2009-08-03 16:07:14 38400 --sha-w- c:\windows\system32\wowifoga.dll
2009-08-04 04:07:10 38912 --sha-w- c:\windows\system32\yaroteze.dll
2009-07-20 14:42:24 89600 --sha-w- c:\windows\system32\zogugusa.dll
2009-08-01 14:49:22 89600 --sha-w- c:\windows\system32\zubazolo.dll

============= FINISH: 23:38:50.95 ===============

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-03 23:34:30
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Paul\LOCALS~1\Temp\pxtdapod.sys


---- System - GMER 1.0.15 ----

SSDT FA13EB46 ZwCreateKey
SSDT FA13EB3C ZwCreateThread
SSDT FA13EB4B ZwDeleteKey
SSDT FA13EB55 ZwDeleteValueKey
SSDT FA13EB5A ZwLoadKey
SSDT FA13EB28 ZwOpenProcess
SSDT FA13EB2D ZwOpenThread
SSDT FA13EB64 ZwReplaceKey
SSDT FA13EB5F ZwRestoreKey
SSDT FA13EB50 ZwSetValueKey
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xF42A4DF0]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\pctspk.exe [148] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Viewpoint\Common\ViewpointService.exe [232] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jusched.exe [464] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [576] 0x00520000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [624] 0x00630000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [636] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [812] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [876] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [896] 0x00390000
Library C:\WINDOWS\System32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [968] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1012] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1088] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1164] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\iTunes\iTunesHelper.exe [1188] 0x003B0000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1256] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\sched.exe [1308] 0x00920000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1408] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\cmd.exe [1544] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\cmd.exe [1656] 0x10000000
Library C:\WINDOWS\System32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1804] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Avira\AntiVir Desktop\avguard.exe [1820] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [1840] 0x006A0000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\iPod\bin\iPodService.exe [1856] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Bonjour\mDNSResponder.exe [1860] 0x006E0000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [1912] 0x006B0000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe [2012] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [2172] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\cmd.exe [3868] 0x10000000
Library C:\WINDOWS\system32\laladujo.dll (*** hidden *** ) @ C:\WINDOWS\system32\cmd.exe [3924] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{992D8806-2671-D222-4FDB-0CE7B3E8FBE5}\InprocServer32@ C:\WINDOWS\system32\comaddin.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{992D8806-2671-D222-4FDB-0CE7B3E8FBE5}\InprocServer32@ThreadingModel both
Reg HKLM\SOFTWARE\Classes\CLSID\{992D8806-2671-D222-4FDB-0CE7B3E8FBE5}\ProgID@ MTxAddIn.RegRefresh
Reg HKLM\SOFTWARE\Classes\CLSID\{992D8806-2671-D222-4FDB-0CE7B3E8FBE5}\VersionIndependentProgID@ MTxAddIn.RegRefresh.1
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\Implemented Categories\{00021492-0000-0000-C000-000000000046}
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InProcServer32@ %SystemRoot%\system32\SHELL32.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{A40F8BBE-77CD-78A3-DF6D-3C14B7105899}\InProcServer32@ThreadingModel Apartment
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B371C4C1-4F55-2EAA-427C-673701621939}

---- EOF - GMER 1.0.15 ----


#5 OCD

    SuperHelper

  • Malware Team
  • 5,574 posts

Posted 04 November 2009 - 05:23 PM

Hi Blindsided623,

Please download ComboFix from one of these locations:

Link 1
Link 2

A guide can be found here

* IMPORTANT : Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
*Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.
When finished, it will produce a log for you. The log will be located here C:\ComboFix.txt (Provided 'C' is your root directory)
Notes:
  • Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
  • Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
  • CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Give it at least 20-30 minutes to finish if needed.

Please don't attach the scans / logs, use "copy/paste".

On your next post please provide:
  • ComboFix.txt

OCD



#6 Blindsided623

    Authentic Member
  • 37 posts

Posted 04 November 2009 - 09:55 PM

ComboFix 09-11-04.02 - Paul 11/04/2009 20:06.3.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.30 [GMT -6:00]
Running from: c:\documents and settings\Paul\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\badekofi.dll
c:\windows\system32\benopezu.dll
c:\windows\system32\binezitu.dll.tmp
c:\windows\system32\bunuyuza.dll
c:\windows\system32\busofama.dll
c:\windows\system32\feduloke.dll
c:\windows\system32\fohuveka.dll
c:\windows\system32\gohivoju.dll
c:\windows\system32\hilupana.dll
c:\windows\system32\hufubebe.dll
c:\windows\system32\lekepegu.dll
c:\windows\system32\likayube.dll
c:\windows\system32\luyizebo.dll.tmp
c:\windows\system32\mabafaye.dll
c:\windows\system32\mulimaka.dll.tmp
c:\windows\system32\pedigeyi.dll.tmp
c:\windows\system32\pegeweya.dll
c:\windows\system32\petobuke.dll
c:\windows\system32\popajodo.dll
c:\windows\system32\popapabe.dll
c:\windows\system32\potawoyi.dll
c:\windows\system32\pugediro.dll
c:\windows\system32\punonoho.dll
c:\windows\system32\rahobeto.dll
c:\windows\system32\rajuguke.dll
c:\windows\system32\rohawoyu.dll
c:\windows\system32\rozevowe.dll
c:\windows\system32\sefavezo.dll
c:\windows\system32\sisifeme.dll
c:\windows\system32\suvibala.dll
c:\windows\system32\tagiboja.dll
c:\windows\system32\tamotumu.dll
c:\windows\system32\tunopovo.dll.tmp
c:\windows\system32\tusafaja.dll
c:\windows\system32\varareto.dll
c:\windows\system32\wamepesi.dll
c:\windows\system32\wemudisi.dll
c:\windows\system32\wiwediwi.dll
c:\windows\system32\woferezi.dll
c:\windows\system32\wokidaro.dll
c:\windows\system32\wowifoga.dll
c:\windows\system32\yaroteze.dll
c:\windows\system32\zaroyisu.dll.tmp
c:\windows\system32\zogugusa.dll
c:\windows\system32\zubazolo.dll

.
((((((((((((((((((((((((( Files Created from 2009-10-05 to 2009-11-05 )))))))))))))))))))))))))))))))
.

2009-11-05 02:28 . 2009-11-05 02:28 -------- d-----w- c:\windows\LastGood
2009-10-30 14:48 . 2009-11-02 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\07905324
2009-10-30 14:48 . 2009-10-30 14:48 274 ----a-w- c:\documents and settings\All Users\Application Data\07905324\07905324.bat
2009-10-30 02:48 . 2009-11-02 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\88727638
2009-10-30 02:48 . 2009-10-30 02:48 274 ----a-w- c:\documents and settings\All Users\Application Data\88727638\88727638.bat
2009-10-29 14:48 . 2009-10-29 14:48 274 ----a-w- c:\documents and settings\All Users\Application Data\34489432\34489432.bat
2009-10-29 14:48 . 2009-11-02 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\34489432
2009-10-28 14:48 . 2009-11-02 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\36214723
2009-10-28 14:48 . 2009-10-28 14:48 274 ----a-w- c:\documents and settings\All Users\Application Data\36214723\36214723.bat
2009-10-28 05:35 . 2009-10-28 05:35 0 ----a-w- c:\documents and settings\Paul\Application Data\FrostWire\.NetworkShare\Incomplete\T-4506256-LimeWireWin4.16.6.exe
2009-10-28 05:27 . 2009-10-31 19:07 -------- d-----w- c:\documents and settings\Paul\Application Data\FrostWire
2009-10-26 02:45 . 2009-10-27 05:08 -------- d-----w- c:\documents and settings\All Users\Application Data\87967239
2009-10-25 14:45 . 2009-10-25 14:45 274 ----a-w- c:\documents and settings\All Users\Application Data\82153322\82153322.bat
2009-10-25 14:45 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\82153322
2009-10-25 02:45 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\17535021
2009-10-25 02:45 . 2009-10-25 02:45 274 ----a-w- c:\documents and settings\All Users\Application Data\17535021\17535021.bat
2009-10-25 01:27 . 2009-10-25 01:27 -------- d-----w- c:\documents and settings\All Users\Application Data\TVU Networks
2009-10-24 14:44 . 2009-10-24 14:44 274 ----a-w- c:\documents and settings\All Users\Application Data\94004320\94004320.bat
2009-10-24 14:44 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\94004320
2009-10-24 04:21 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-24 04:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-24 04:21 . 2009-10-24 04:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-24 02:44 . 2009-10-24 02:44 274 ----a-w- c:\documents and settings\All Users\Application Data\38045020\38045020.bat
2009-10-24 02:44 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\38045020
2009-10-23 14:44 . 2009-10-23 14:44 274 ----a-w- c:\documents and settings\All Users\Application Data\29178532\29178532.bat
2009-10-23 14:44 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\29178532
2009-10-23 02:44 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\74456026
2009-10-23 02:44 . 2009-10-23 02:44 274 ----a-w- c:\documents and settings\All Users\Application Data\74456026\74456026.bat
2009-10-22 14:43 . 2009-10-22 14:43 274 ----a-w- c:\documents and settings\All Users\Application Data\60582425\60582425.bat
2009-10-22 14:43 . 2009-10-27 05:04 -------- d-----w- c:\documents and settings\All Users\Application Data\60582425
2009-10-22 02:43 . 2009-10-22 02:43 274 ----a-w- c:\documents and settings\All Users\Application Data\67978643\67978643.bat
2009-10-22 02:43 . 2009-10-22 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\67978643
2009-10-21 14:43 . 2009-10-22 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\36329730
2009-10-21 14:43 . 2009-10-21 14:43 274 ----a-w- c:\documents and settings\All Users\Application Data\36329730\36329730.bat
2009-10-21 02:43 . 2009-10-21 02:43 274 ----a-w- c:\documents and settings\All Users\Application Data\10111610\10111610.bat
2009-10-21 02:43 . 2009-10-22 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\10111610
2009-10-20 14:42 . 2009-10-22 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\43850323
2009-10-20 14:42 . 2009-10-20 14:42 274 ----a-w- c:\documents and settings\All Users\Application Data\43850323\43850323.bat
2009-10-20 02:42 . 2009-10-22 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\02480418
2009-10-20 02:42 . 2009-10-20 02:42 274 ----a-w- c:\documents and settings\All Users\Application Data\02480418\02480418.bat
2009-10-19 02:09 . 2009-10-19 02:09 274 ----a-w- c:\documents and settings\All Users\Application Data\83099938\83099938.bat
2009-10-19 02:09 . 2009-10-22 05:44 -------- d-----w- c:\documents and settings\All Users\Application Data\83099938
2009-10-17 05:36 . 2009-11-02 03:46 -------- d-----w- c:\program files\Ultimate MMA Simulator 2 B3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 03:45 . 2009-03-27 04:10 -------- d-----w- c:\program files\UltimateMMASimulator 1.6.11
2009-11-02 03:45 . 2009-09-18 04:19 -------- d-----w- c:\program files\PokerStars
2009-10-31 18:45 . 2007-11-06 23:38 -------- d-----w- c:\documents and settings\Paul\Application Data\DivX
2009-10-28 20:56 . 2007-11-03 05:56 -------- d-----w- c:\program files\DivX
2009-10-28 20:53 . 2009-08-25 06:28 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-10-27 05:08 . 2009-07-21 04:09 117760 ----a-w- c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-10-27 05:08 . 2009-07-21 04:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-25 01:27 . 2008-06-28 04:10 -------- d-----w- c:\program files\TVUPlayer
2009-10-20 04:29 . 2009-07-21 03:06 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-10-08 23:22 . 2008-08-11 16:31 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-25 16:41 . 2009-09-25 16:41 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-09-25 16:41 . 2009-09-25 16:41 856064 ----a-w- c:\windows\system32\divx_xx07.dll
2009-09-25 16:41 . 2009-09-25 16:41 847872 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-09-25 16:41 . 2009-09-25 16:41 843776 ----a-w- c:\windows\system32\divx_xx16.dll
2009-09-25 16:41 . 2009-09-25 16:41 839680 ----a-w- c:\windows\system32\divx_xx11.dll
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
2009-08-30 02:14 . 2009-08-30 02:13 5519752 ----a-w- c:\documents and settings\Paul\Application Data\TVU Networks\TVU AutoUpgrade\TVUPlayer2.4.7.2.exe
2009-08-30 02:13 . 2007-09-18 19:49 27512 -c--a-w- c:\documents and settings\Paul\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-29_01.23.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 62976 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90rus.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46080 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90kor.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 46592 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90jpn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 64512 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90ita.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66048 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90fra.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esp.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 65024 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90esn.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 56832 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90enu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 66560 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90deu.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 39936 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90cht.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 38912 c:\windows\WinSxS\x86_Microsoft.VC90.MFCLOC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_b0db7d03\mfc90chs.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90u.dll
+ 2008-07-29 11:07 . 2008-07-29 11:07 59904 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfcm90.dll
+ 2009-11-05 02:24 . 2009-11-05 02:24 16384 c:\windows\temp\Perflib_Perfdata_6a4.dat
+ 2004-08-04 12:00 . 2009-11-05 02:29 40912 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-05-17 19:53 40912 c:\windows\system32\perfc009.dat
+ 2009-02-26 19:49 . 2009-08-02 15:47 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2009-02-26 19:49 . 2009-06-03 15:38 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2009-07-29 01:28 . 2008-10-16 20:09 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
+ 2008-07-29 13:05 . 2008-07-29 13:05 161784 c:\windows\WinSxS\x86_Microsoft.VC90.ATL_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_d01483b2\atl90.dll
+ 2009-07-12 06:12 . 2009-07-12 06:12 632656 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 06:09 . 2009-07-12 06:09 554832 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 06:08 . 2009-07-12 06:08 479232 c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2004-08-04 12:00 . 2009-11-05 02:29 313048 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-05-17 19:53 313048 c:\windows\system32\perfh009.dat
+ 2009-07-18 03:21 . 2009-07-18 03:21 257440 c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2009-07-29 05:02 . 2009-07-29 05:01 148888 c:\windows\system32\javaws.exe
+ 2009-07-29 05:02 . 2009-07-29 05:01 144792 c:\windows\system32\javaw.exe
+ 2009-07-29 05:02 . 2009-07-29 05:01 144792 c:\windows\system32\java.exe
+ 2005-12-31 22:44 . 2009-10-08 23:22 138056 c:\windows\system32\FNTCACHE.DAT
- 2005-12-31 22:44 . 2009-06-10 08:14 138056 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-29 05:02 . 2009-07-29 05:01 410984 c:\windows\system32\deploytk.dll
+ 2006-01-01 05:09 . 2006-01-01 05:09 233472 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-10-28 20:53 . 2009-10-28 20:53 169472 c:\windows\Installer\8893014.msi
+ 2009-07-29 05:01 . 2009-07-29 05:01 536576 c:\windows\Installer\86b64.msi
+ 2009-10-20 04:13 . 2009-10-20 04:13 228352 c:\windows\Installer\39b06d38.msi
+ 2008-07-29 13:05 . 2008-07-29 13:05 3783672 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90u.dll
+ 2008-07-29 13:05 . 2008-07-29 13:05 3768312 c:\windows\WinSxS\x86_Microsoft.VC90.MFC_1fc8b3b9a1e18e3b_9.0.30729.1_x-ww_405b0943\mfc90.dll
+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll
+ 2009-09-15 21:00 . 2009-09-15 21:00 15709696 c:\windows\Installer\8052e37a.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-10-27 2000112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-29 148888]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-10-27 05:08 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^microsoft office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^wireless-g notebook adapter.lnk]
backup=c:\windows\pss\Wireless-G Notebook Adapter.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccapp

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Documents and Settings\\Paul\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\avcenter.exe"=
"c:\\Program Files\\Avira\\AntiVir Desktop\\update.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"18722:TCP"= 18722:TCP:BitComet 18722 TCP
"18722:UDP"= 18722:UDP:BitComet 18722 UDP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [6/23/2009 10:01 AM 9968]
R1 saskutil;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [6/23/2009 10:01 AM 74480]
R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/20/2009 9:06 PM 108289]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [4/4/2008 10:49 PM 24652]
R3 Ptserli;PCTEL Serial Device Driver for INTEL;c:\windows\system32\drivers\ptserli.sys [1/2/2006 2:24 AM 128286]
R3 sasenum;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [6/23/2009 10:01 AM 7408]
S2 SerialNW;NW Serial port driver;c:\windows\system32\DRIVERS\serialnw.sys --> c:\windows\system32\DRIVERS\serialnw.sys [?]
S3 TDWXP;WavePlus 802.11b Wireless PCI/PCMCIA Card Driver;c:\windows\system32\drivers\wpndis51.sys [8/3/2004 4:24 PM 151552]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*Deregistered* - mbr
.
Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=14196&l=dis
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
TCP: {0D4CE743-A9FD-4C88-86F7-DC289838F413} = 10.106.128.1
FF - ProfilePath - c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\5gj188sf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=
FF - prefs.js: browser.search.selectedEngine - AIM Search
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\5gj188sf.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\Paul\Application Data\Mozilla\Firefox\Profiles\5gj188sf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
- - - - ORPHANS REMOVED - - - -

BHO-{a2a2a7e5-9791-46d6-96e1-5214bf32de17} - janubafo.dll
HKLM-Run-83099938 - c:\documents and settings\All Users\Application Data\83099938\83099938.exe
HKLM-Run-02480418 - c:\documents and settings\All Users\Application Data\02480418\02480418.exe
HKLM-Run-43850323 - c:\documents and settings\All Users\Application Data\43850323\43850323.exe
HKLM-Run-10111610 - c:\documents and settings\All Users\Application Data\10111610\10111610.exe
HKLM-Run-36329730 - c:\documents and settings\All Users\Application Data\36329730\36329730.exe
HKLM-Run-67978643 - c:\documents and settings\All Users\Application Data\67978643\67978643.exe
HKLM-Run-87967239 - c:\docume~1\ALLUSE~1\APPLIC~1\87967239\87967239.exe
HKLM-Run-36214723 - c:\documents and settings\All Users\Application Data\36214723\36214723.exe
HKLM-Run-88727638 - c:\documents and settings\All Users\Application Data\88727638\88727638.exe
HKLM-Run-07905324 - c:\documents and settings\All Users\Application Data\07905324\07905324.exe
SharedTaskScheduler-{ad0f88bb-061f-4692-a9db-7cb3ed0cbe65} - c:\windows\system32\hufubebe.dll
SSODL-bimakodud-{ad0f88bb-061f-4692-a9db-7cb3ed0cbe65} - c:\windows\system32\hufubebe.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-04 20:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-583907252-839522115-1343024091-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-583907252-839522115-1343024091-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B371C4C1-4F55-2EAA-427C-673701621939}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(580)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Paul\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
c:\windows\system32\pctspk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AIM6\aolsoftware.exe
.
**************************************************************************
.
Completion time: 2009-11-05 20:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-05 02:46
ComboFix2.txt 2009-07-29 04:40
ComboFix3.txt 2009-07-29 01:32

Pre-Run: 20,500,508,672 bytes free
Post-Run: 21,196,935,168 bytes free
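Added here as a defender's worked example (not part of the thread and not ComboFix's own code): a small Python triage script that reads lines in the shape of the log above and pulls out the pattern the helper goes after with Dirlook::, namely the eight-digit folders under All Users\Application Data that each hold a same-named 274-byte .bat, appear on a roughly twelve-hour cadence and are wired in through HKLM Run values, plus the random-looking eight-letter DLLs deleted from system32. The sample lines are a constructed excerpt, and the consonant/vowel name heuristic is my own assumption, not something ComboFix implements.

```python
import re
from datetime import datetime

# Constructed sample: a few lines excerpted in the shape of the ComboFix log
# above ("Files Created", "Other Deletions" and "ORPHANS REMOVED" formats),
# trimmed so the script runs offline.
SAMPLE_LOG = r"""
2009-10-30 14:48 . 2009-10-30 14:48 274 ----a-w- c:\documents and settings\All Users\Application Data\07905324\07905324.bat
2009-10-30 02:48 . 2009-10-30 02:48 274 ----a-w- c:\documents and settings\All Users\Application Data\88727638\88727638.bat
2009-10-29 14:48 . 2009-10-29 14:48 274 ----a-w- c:\documents and settings\All Users\Application Data\34489432\34489432.bat
2009-10-29 14:48 . 2009-11-02 04:03 -------- d-----w- c:\documents and settings\All Users\Application Data\34489432
2009-10-24 04:21 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-25 16:41 . 2009-09-25 16:41 696320 ----a-w- c:\windows\system32\DivX.dll
c:\windows\system32\badekofi.dll
c:\windows\system32\hufubebe.dll
c:\windows\system32\dpl100.dll
HKLM-Run-07905324 - c:\documents and settings\All Users\Application Data\07905324\07905324.exe
HKLM-Run-83099938 - c:\documents and settings\All Users\Application Data\83099938\83099938.exe
SSODL-bimakodud-{ad0f88bb-061f-4692-a9db-7cb3ed0cbe65} - c:\windows\system32\hufubebe.dll
"""

# "Files Created" line: <created> . <modified> <size or dashes> <attrs> <path>
CREATED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(\d+|-+) \S+ (.+)$"
)
# All Users\Application Data\<8 digits>\<same 8 digits>.bat
NUMERIC_BAT_RE = re.compile(
    r"\\all users\\application data\\(\d{8})\\\1\.bat$", re.IGNORECASE
)
# Any system32 DLL whose base name is exactly eight letters (filtered below)
SYS32_DLL_RE = re.compile(r"c:\\windows\\system32\\([A-Za-z]{8})\.dll", re.IGNORECASE)
# Orphaned HKLM Run value named after one of the numeric folders
HKLM_RUN_RE = re.compile(r"^HKLM-Run-(\d{8}) - ")

VOWELS = set("aeiou")


def looks_generated(stem: str) -> bool:
    """Assumed heuristic for the generated names in the log (badekofi, hufubebe):
    exactly eight lowercase letters that strictly alternate consonant and vowel.
    Real system DLL names (kernel32, shlwapi) fail on length, digits or runs."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    kinds = [ch in VOWELS for ch in stem]
    return all(a != b for a, b in zip(kinds, kinds[1:]))


def triage(log_text: str) -> dict:
    """Walk the log once and collect the indicators a helper would act on."""
    bats = []      # (created, folder id, size) for each numeric .bat
    dlls = []      # generated-looking system32 DLL names, in order seen
    autoruns = []  # folder ids referenced from removed HKLM Run values
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CREATED_RE.match(line)
        if m:
            created, size, path = m.groups()
            b = NUMERIC_BAT_RE.search(path)
            if b:  # size is numeric here: only files (not dirs) end in .bat
                bats.append((datetime.strptime(created, "%Y-%m-%d %H:%M"),
                             b.group(1), int(size)))
        for d in SYS32_DLL_RE.finditer(line):
            name = d.group(1)
            if looks_generated(name) and name + ".dll" not in dlls:
                dlls.append(name + ".dll")
        r = HKLM_RUN_RE.match(line)
        if r:
            autoruns.append(r.group(1))

    # Gaps between successive .bat creations, in hours: the log shows a
    # new folder roughly every twelve hours, which is the tell of a dropper.
    times = sorted(t for t, _, _ in bats)
    cadence = [round((b - a).total_seconds() / 3600, 1)
               for a, b in zip(times, times[1:])]
    seen_ids = {i for _, i, _ in bats}
    return {
        "dropper_ids": [i for _, i, _ in bats],
        "dropper_sizes": sorted({s for _, _, s in bats}),
        "cadence_hours": cadence,
        "generated_dlls": dlls,
        "autorun_ids": autoruns,
        # Run values whose folder never showed up in the created list:
        # worth a Dirlook:: even though nothing on disk was listed for them.
        "autoruns_without_bat": [i for i in autoruns if i not in seen_ids],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```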

#7 OCD

Posted 05 November 2009 - 11:28 AM

Hi Blindsided623,

We will be using Combofix again, but will run it differently.

Please follow all previous instructions regarding security programs.

Open a new Notepad session
  • Click the Start button, click Run
  • In the run box type notepad
  • Click OK
  • In the notepad, Click "Format" and be certain that Word Wrap is not checked.
  • Copy and Paste all of the text in the code box below into the Notepad, (including the URL). Do Not copy the word CODE

Dirlook::
c:\documents and settings\All Users\Application Data\07905324
c:\documents and settings\All Users\Application Data\88727638
c:\documents and settings\All Users\Application Data\34489432
c:\documents and settings\All Users\Application Data\36214723
c:\documents and settings\All Users\Application Data\87967239
c:\documents and settings\All Users\Application Data\82153322
c:\documents and settings\All Users\Application Data\17535021
c:\documents and settings\All Users\Application Data\94004320
c:\documents and settings\All Users\Application Data\38045020
c:\documents and settings\All Users\Application Data\29178532
c:\documents and settings\All Users\Application Data\74456026
c:\documents and settings\All Users\Application Data\60582425
c:\documents and settings\All Users\Application Data\67978643
c:\documents and settings\All Users\Application Data\36329730
c:\documents and settings\All Users\Application Data\10111610
c:\documents and settings\All Users\Application Data\43850323
c:\documents and settings\All Users\Application Data\02480418
c:\documents and settings\All Users\Application Data\83099938

Folder::
c:\documents and settings\Paul\Application Data\FrostWire

In the notepad
  • Click File, Save as..., and set the Save in to your Desktop
  • In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
  • Click save
Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again. Close all browsers/windows first.

**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Posted Image

- - - - - Next - - - - -

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :contents
    c:\documents and settings\All Users\Application Data\07905324\07905324.bat
    c:\documents and settings\All Users\Application Data\88727638\88727638.bat
    c:\documents and settings\All Users\Application Data\34489432\34489432.bat
    c:\documents and settings\All Users\Application Data\36214723\36214723.bat
    c:\documents and settings\All Users\Application Data\82153322\82153322.bat
    c:\documents and settings\All Users\Application Data\17535021\17535021.bat
    c:\documents and settings\All Users\Application Data\94004320\94004320.bat
    c:\documents and settings\All Users\Application Data\38045020\38045020.bat
    c:\documents and settings\All Users\Application Data\29178532\29178532.bat
    c:\documents and settings\All Users\Application Data\74456026\74456026.bat
    c:\documents and settings\All Users\Application Data\60582425\60582425.bat
    c:\documents and settings\All Users\Application Data\67978643\67978643.bat
    c:\documents and settings\All Users\Application Data\36329730\36329730.bat
    c:\documents and settings\All Users\Application Data\10111610\10111610.bat
    c:\documents and settings\All Users\Application Data\43850323\43850323.bat
    c:\documents and settings\All Users\Application Data\02480418\02480418.bat
    c:\documents and settings\All Users\Application Data\83099938\83099938.bat
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

- - - - - Next - - - - -

On your next post please provide the following:
  • Combofix log
  • SystemLook.txt log
  • Tell me how your computer is running at the moment.

OCD



#8 OCD

Posted 08 November 2009 - 11:36 AM

Hello Blindsided623, it's been a few days. I was just checking to see if you still needed assistance?
OCD



#9 OCD

Posted 10 November 2009 - 09:23 PM

Reason for edit: posted in wrong thread

Edited by OCD, 10 November 2009 - 09:24 PM.

OCD



#10 Tomk

Posted 10 November 2009 - 10:46 PM

Due to inactivity this topic will be closed. If you need help please start a new thread.
Tomk
------------------------------------------------------------
Microsoft MVP 2010-2014