[Resolved] 9 trojans, a worm, and corrupt antivirus! Help!
#16
Posted 05 November 2009 - 11:08 AM
Register to Remove
#17
Posted 05 November 2009 - 04:21 PM
Lets try something else.
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- Under the Custom Scan box paste this in
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
watch me and tremble, for I bring the purity of oblivion
Sudo apt-get me a sandwich!
Proud graduate of GeekU
If I have helped you, please consider a donation to help continue the fight against malware.#18
Posted 05 November 2009 - 04:58 PM
#20
Posted 05 November 2009 - 05:11 PM
Run by Wenninger at 18:07:29.20 on Thu 11/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.195 [GMT -5:00]
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Wenninger\Desktop\dds.scr
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: FCToolbarURLSearchHook Class: {19a0f032-27d7-4227-bbb5-51aa9e5904f5} -
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: This BHO has been enabled by BHODemon. - No File
TB: Dogpile Toolbar: {c53fe659-316a-4f56-a194-a5be491be866} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [rundll32.exe]
uRun: [WAB] c:\documents and settings\wenninger\application data\macromedia\common\ec0fe01c19.exe
uRun: [AOL Fast Start] "c:\program files\aol 9.1\AOL.EXE" -b
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [<NO NAME>] "c:\program files\internet explorer\iexplore.exe" http://www.symantec....000028.000000D8
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~3.EXE -Update -1103471 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; IEMB3; .NET CLR 1.0.3705; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; NET_mmhpset)" -"http://www.cartoonne...ase/index.html"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\2.bin\M3PLUGIN.DLL,UPF
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HostManager] c:\program files\common files\aol\1157574114\ee\AOLSoftware.exe
mRun: [DwlClient] "c:\program files\common files\dell\eusw\Support.exe"
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [WildTangent CDA] RUNDLL32.exe "c:\program files\wildtangent\apps\cda\cdaEngine0400.dll",cdaEngineMain
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [Microsoft Works Update Detection] "c:\program files\common files\microsoft shared\works shared\WkUFind.exe"
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [LimeShop] wjview /cp:p "c:\program files\limeshop\system\code" main lp: "c:\program files\LimeShop"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [Detect Kbd Daemon] SK2000DM.EXE
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [AOL Spyware Protection] "c:\progra~1\common~1\aol\aolspy~1\AOLSP Scheduler.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NVMCTRAY.DLL,NvTaskbarInit
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mPolicies-explorer: <NO NAME> =
IE:
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104984549012
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1157565582500
DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} - hxxp://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
DPF: {F55C25D3-D16A-11D3-81DF-00A0C91F5E7D} - hxxp://www.kiddonet.com/kiddonet/GtekPrt.ocx
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
S2 McShield;McAfee Real-time Scanner; [x]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2009-1-3 68954]
S3 RkPavproc1;RkPavproc1;\??\c:\windows\system32\drivers\rkpavproc1.sys --> c:\windows\system32\drivers\RkPavproc1.sys [?]
S3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\system32\drivers\skusbkbf.sys [2001-7-27 14048]
S4 McSysmon;McAfee SystemGuards; [x]
S4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-8-19 24652]
=============== Created Last 30 ================
2009-11-04 23:50 <DIR> --d----- c:\program files\ESET
2009-11-04 23:23 <DIR> --ds---- C:\ComboFix
2009-11-04 22:32 195,456 -------- c:\windows\system32\MpSigStub.exe
2009-11-04 22:29 <DIR> --d----- c:\program files\Microsoft Security Essentials
2009-11-04 16:16 50,176 a------- c:\windows\system32\proquota.exe
2009-11-04 14:14 <DIR> a-d--r-- C:\cmdcons
2009-11-04 13:49 267,264 a------- c:\windows\PEV.exe
2009-11-04 13:49 161,792 a------- c:\windows\SWREG.exe
2009-11-04 13:49 98,816 a------- c:\windows\sed.exe
2009-11-04 13:49 77,312 a------- c:\windows\MBR.exe
2009-11-04 13:48 <DIR> --d----- C:\Combo-Fix
2009-11-04 12:50 <DIR> --d----- C:\32788R22FWJFW.1.tmp
2009-11-03 22:57 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-03 22:57 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-11-03 22:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-11-03 21:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-11-03 01:23 <DIR> --d----- c:\docume~1\wennin~1\applic~1\AVG8
2009-11-02 14:32 <DIR> --d----- c:\program files\Panda Security
2009-11-02 05:07 18,525 a------- c:\windows\system32\wifigewor.db
2009-11-02 05:07 17,974 a------- c:\windows\system32\ubohinake.lib
2009-11-02 05:07 16,269 a------- c:\windows\system32\imukyboq.db
2009-11-02 05:07 11,462 a------- c:\windows\bevepotah.dat
2009-11-02 05:07 13,387 a------- c:\windows\linusimypo.dat
2009-11-02 02:16 <DIR> --d----- c:\docume~1\wennin~1\applic~1\Malwarebytes
2009-11-01 23:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-11-01 02:40 552 a------- c:\windows\system32\d3d8caps.dat
2009-10-31 22:56 12,211 a------- c:\windows\abipy.lib
2009-10-31 22:56 19,953 a------- c:\windows\system32\wifaru.db
==================== Find3M ====================
2009-10-31 22:56 13,578 a------- c:\program files\common files\abawogyrob.lib
2008-12-16 16:22 139,112 ac------ c:\docume~1\wennin~1\applic~1\GDIPFONTCACHEV1.DAT
2004-12-25 19:47 35,121,138 a------- c:\program files\NIS_Retail.EXE
2008-10-17 01:18 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101720081018\index.dat
============= FINISH: 18:09:03.56 ===============
#21
Posted 05 November 2009 - 09:51 PM
#22
Posted 06 November 2009 - 01:58 AM
Can anyone help me??
Sorry, I took some time out to sleep.
Lets see if we can get ComboFix to run in a slightly different way.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\RkPavproc1.sys
c:\program files\common files\abawogyrob.lib
c:\windows\system32\wifigewor.db
c:\windows\system32\ubohinake.lib
c:\windows\system32\imukyboq.db
c:\windows\bevepotah.dat
c:\windows\linusimypo.dat
Folder::
Registry::
Driver::
RkPavproc1
DDS::
uURLSearchHooks: H - No File
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - No File
BHO: This BHO has been enabled by BHODemon. - No File
TB: Dogpile Toolbar: {c53fe659-316a-4f56-a194-a5be491be866} -
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
KILLALL::
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
watch me and tremble, for I bring the purity of oblivion
Sudo apt-get me a sandwich!
Proud graduate of GeekU
If I have helped you, please consider a donation to help continue the fight against malware.#23
Posted 06 November 2009 - 10:23 AM
#24
Posted 06 November 2009 - 10:48 AM
#25
Posted 06 November 2009 - 11:20 AM
Register to Remove
#26
Posted 06 November 2009 - 12:32 PM
#27
Posted 06 November 2009 - 03:53 PM
ComboFix 09-11-04.02 - Wenninger 11/06/2009 12:25.2.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.225 [GMT -5:00]
Running from: c:\documents and settings\Wenninger\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Wenninger\Desktop\CFScript.txt
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FILE ::
"c:\program files\common files\abawogyrob.lib"
"c:\windows\bevepotah.dat"
"c:\windows\linusimypo.dat"
"c:\windows\system32\drivers\RkPavproc1.sys"
"c:\windows\system32\imukyboq.db"
"c:\windows\system32\ubohinake.lib"
"c:\windows\system32\wifigewor.db"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\common files\abawogyrob.lib
c:\windows\bevepotah.dat
c:\windows\linusimypo.dat
c:\windows\system32\imukyboq.db
c:\windows\system32\ubohinake.lib
c:\windows\system32\wifigewor.db
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\xobexoq.scr
c:\documents and settings\All Users\Application Data\ytajavojap._sy
c:\documents and settings\All Users\Documents\aryly.bat
c:\documents and settings\All Users\Documents\leza._dl
c:\documents and settings\All Users\Documents\ocydeselig.bin
c:\documents and settings\All Users\Documents\uboco.bin
c:\documents and settings\All Users\Documents\wotereq.ban
c:\documents and settings\HelpAssistant\Application Data\emosican.com
c:\documents and settings\HelpAssistant\Application Data\iniasd.txt
c:\documents and settings\HelpAssistant\Application Data\johoduzus.ban
c:\documents and settings\HelpAssistant\Application Data\ociqovax._dl
c:\documents and settings\HelpAssistant\Application Data\otudig._dl
c:\documents and settings\HelpAssistant\Application Data\usewygi.dll
c:\documents and settings\Wenninger\Application Data\emosican.com
c:\documents and settings\Wenninger\Application Data\iniasd.txt
c:\documents and settings\Wenninger\Application Data\johoduzus.ban
c:\documents and settings\Wenninger\Application Data\ociqovax._dl
c:\documents and settings\Wenninger\Application Data\otudig._dl
c:\documents and settings\Wenninger\Application Data\usewygi.dll
c:\documents and settings\Wenninger\Cookies\yvyjimuval.bat
c:\documents and settings\Wenninger\Local Settings\Application Data\perob.bin
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\jupa._dl
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\mumyrupad._sy
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\opyz.bat
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\qaraneja.inf
c:\documents and settings\Wenninger\Local Settings\Temporary Internet Files\xogixosen.ban
c:\program files\Common Files\emytecos.bin
c:\program files\Common Files\ijeq.dl
c:\program files\Common Files\itawiqimy._sy
c:\program files\Common Files\jewicelimu.scr
c:\program files\INSTALL.LOG
c:\windows\a3kebook.ini
c:\windows\ajogiz.vbs
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\COUPON~1.OCX
c:\windows\CouponPrinter.ocx
c:\windows\ezihojekiv.exe
c:\windows\ipuba.ban
c:\windows\ixozak.ban
c:\windows\izotepoz.reg
c:\windows\Palace.reg
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system\oeminfo.ini
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\_003900_.tmp.dll
c:\windows\system32\_003901_.tmp.dll
c:\windows\system32\_003902_.tmp.dll
c:\windows\system32\_003903_.tmp.dll
c:\windows\system32\_003910_.tmp.dll
c:\windows\system32\_003911_.tmp.dll
c:\windows\system32\_003912_.tmp.dll
c:\windows\system32\_003913_.tmp.dll
c:\windows\system32\_003914_.tmp.dll
c:\windows\system32\_003915_.tmp.dll
c:\windows\system32\_003916_.tmp.dll
c:\windows\system32\_003917_.tmp.dll
c:\windows\system32\_003918_.tmp.dll
c:\windows\system32\_003919_.tmp.dll
c:\windows\system32\_003920_.tmp.dll
c:\windows\system32\_003921_.tmp.dll
c:\windows\system32\_003922_.tmp.dll
c:\windows\system32\_003923_.tmp.dll
c:\windows\system32\_003924_.tmp.dll
c:\windows\system32\_003925_.tmp.dll
c:\windows\system32\_003926_.tmp.dll
c:\windows\system32\_003927_.tmp.dll
c:\windows\system32\_003928_.tmp.dll
c:\windows\system32\_003929_.tmp.dll
c:\windows\system32\_003930_.tmp.dll
c:\windows\system32\_003931_.tmp.dll
c:\windows\system32\_003933_.tmp.dll
c:\windows\system32\_003934_.tmp.dll
c:\windows\system32\_003935_.tmp.dll
c:\windows\system32\_003936_.tmp.dll
c:\windows\system32\_003937_.tmp.dll
c:\windows\system32\_003938_.tmp.dll
c:\windows\system32\_003939_.tmp.dll
c:\windows\system32\_003940_.tmp.dll
c:\windows\system32\_003941_.tmp.dll
c:\windows\system32\_003942_.tmp.dll
c:\windows\system32\_003943_.tmp.dll
c:\windows\system32\_003944_.tmp.dll
c:\windows\system32\_003945_.tmp.dll
c:\windows\system32\_003946_.tmp.dll
c:\windows\system32\_003947_.tmp.dll
c:\windows\system32\_003948_.tmp.dll
c:\windows\system32\_003949_.tmp.dll
c:\windows\system32\_003950_.tmp.dll
c:\windows\system32\_003951_.tmp.dll
c:\windows\system32\_003952_.tmp.dll
c:\windows\system32\_003953_.tmp.dll
c:\windows\system32\_003954_.tmp.dll
c:\windows\system32\_003955_.tmp.dll
c:\windows\system32\_003956_.tmp.dll
c:\windows\system32\_003957_.tmp.dll
c:\windows\system32\_003958_.tmp.dll
c:\windows\system32\_003959_.tmp.dll
c:\windows\system32\_003961_.tmp.dll
c:\windows\system32\_003962_.tmp.dll
c:\windows\system32\_003963_.tmp.dll
c:\windows\system32\_003964_.tmp.dll
c:\windows\system32\_003965_.tmp.dll
c:\windows\system32\_003966_.tmp.dll
c:\windows\system32\_003967_.tmp.dll
c:\windows\system32\_003968_.tmp.dll
c:\windows\system32\_003969_.tmp.dll
c:\windows\system32\_003970_.tmp.dll
c:\windows\system32\_003971_.tmp.dll
c:\windows\system32\_003973_.tmp.dll
c:\windows\system32\_003974_.tmp.dll
c:\windows\system32\_003975_.tmp.dll
c:\windows\system32\_003976_.tmp.dll
c:\windows\system32\_003977_.tmp.dll
c:\windows\system32\_003979_.tmp.dll
c:\windows\system32\_003981_.tmp.dll
c:\windows\system32\_003982_.tmp.dll
c:\windows\system32\_003983_.tmp.dll
c:\windows\system32\_003984_.tmp.dll
c:\windows\system32\_003985_.tmp.dll
c:\windows\system32\_003986_.tmp.dll
c:\windows\system32\_003987_.tmp.dll
c:\windows\system32\_003988_.tmp.dll
c:\windows\system32\_003989_.tmp.dll
c:\windows\system32\_003990_.tmp.dll
c:\windows\system32\_003991_.tmp.dll
c:\windows\system32\_003993_.tmp.dll
c:\windows\system32\_003994_.tmp.dll
c:\windows\system32\_003995_.tmp.dll
c:\windows\system32\_003996_.tmp.dll
c:\windows\system32\_003998_.tmp.dll
c:\windows\system32\_003999_.tmp.dll
c:\windows\system32\_004000_.tmp.dll
c:\windows\system32\_004001_.tmp.dll
c:\windows\system32\_004002_.tmp.dll
c:\windows\system32\_004003_.tmp.dll
c:\windows\system32\_004004_.tmp.dll
c:\windows\system32\_004005_.tmp.dll
c:\windows\system32\_004006_.tmp.dll
c:\windows\system32\_004008_.tmp.dll
c:\windows\system32\_004009_.tmp.dll
c:\windows\system32\_004010_.tmp.dll
c:\windows\system32\_004011_.tmp.dll
c:\windows\system32\_004012_.tmp.dll
c:\windows\system32\_004014_.tmp.dll
c:\windows\system32\_004016_.tmp.dll
c:\windows\system32\_004017_.tmp.dll
c:\windows\system32\_004018_.tmp.dll
c:\windows\system32\_004019_.tmp.dll
c:\windows\system32\_004020_.tmp.dll
c:\windows\system32\_004021_.tmp.dll
c:\windows\system32\_004022_.tmp.dll
c:\windows\system32\_004023_.tmp.dll
c:\windows\system32\_004024_.tmp.dll
c:\windows\system32\_004025_.tmp.dll
c:\windows\system32\_004026_.tmp.dll
c:\windows\system32\_004028_.tmp.dll
c:\windows\system32\_004029_.tmp.dll
c:\windows\system32\_004030_.tmp.dll
c:\windows\system32\_004031_.tmp.dll
c:\windows\system32\_004033_.tmp.dll
c:\windows\system32\_004034_.tmp.dll
c:\windows\system32\_004035_.tmp.dll
c:\windows\system32\_004036_.tmp.dll
c:\windows\system32\_004038_.tmp.dll
c:\windows\system32\_004039_.tmp.dll
c:\windows\system32\_004043_.tmp.dll
c:\windows\system32\_004044_.tmp.dll
c:\windows\system32\_004046_.tmp.dll
c:\windows\system32\_004049_.tmp.dll
c:\windows\system32\_004051_.tmp.dll
c:\windows\system32\_004052_.tmp.dll
c:\windows\system32\_004053_.tmp.dll
c:\windows\system32\_004054_.tmp.dll
c:\windows\system32\_004057_.tmp.dll
c:\windows\system32\_004058_.tmp.dll
c:\windows\system32\_004059_.tmp.dll
c:\windows\system32\_004060_.tmp.dll
c:\windows\system32\_004061_.tmp.dll
c:\windows\system32\_004066_.tmp.dll
c:\windows\system32\_004068_.tmp.dll
c:\windows\system32\_004069_.tmp.dll
c:\windows\system32\_006235_.tmp.dll
c:\windows\system32\_006236_.tmp.dll
c:\windows\system32\_006237_.tmp.dll
c:\windows\system32\_006238_.tmp.dll
c:\windows\system32\_006245_.tmp.dll
c:\windows\system32\_006246_.tmp.dll
c:\windows\system32\_006247_.tmp.dll
c:\windows\system32\_006248_.tmp.dll
c:\windows\system32\_006250_.tmp.dll
c:\windows\system32\_006251_.tmp.dll
c:\windows\system32\_006254_.tmp.dll
c:\windows\system32\_006255_.tmp.dll
c:\windows\system32\_006257_.tmp.dll
c:\windows\system32\_006258_.tmp.dll
c:\windows\system32\_006259_.tmp.dll
c:\windows\system32\_006261_.tmp.dll
c:\windows\system32\_006263_.tmp.dll
c:\windows\system32\_006264_.tmp.dll
c:\windows\system32\_006265_.tmp.dll
c:\windows\system32\_006269_.tmp.dll
c:\windows\system32\_006270_.tmp.dll
c:\windows\system32\_006272_.tmp.dll
c:\windows\system32\_006275_.tmp.dll
c:\windows\system32\_006277_.tmp.dll
c:\windows\system32\_006278_.tmp.dll
c:\windows\system32\_006279_.tmp.dll
c:\windows\system32\_006280_.tmp.dll
c:\windows\system32\_006281_.tmp.dll
c:\windows\system32\_006284_.tmp.dll
c:\windows\system32\_006285_.tmp.dll
c:\windows\system32\_006286_.tmp.dll
c:\windows\system32\_006287_.tmp.dll
c:\windows\system32\_006288_.tmp.dll
c:\windows\system32\_006293_.tmp.dll
c:\windows\system32\_006295_.tmp.dll
c:\windows\system32\_006296_.tmp.dll
c:\windows\system32\logs\Events.dat
c:\windows\system32\Ultra.dll
c:\windows\tepavil.pif
c:\windows\ycizuxyk._sy
-- Previous Run --
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
--------
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Legacy_RKPAVPROC1
-------\Service_RkPavproc1
((((((((((((((((((((((((( Files Created from 2009-10-06 to 2009-11-06 )))))))))))))))))))))))))))))))
.
2009-11-06 18:18 . 2009-11-06 18:18 -------- d-----w- c:\windows\LastGood
2009-11-05 04:50 . 2009-11-05 04:50 -------- d-----w- c:\program files\ESET
2009-11-05 03:32 . 2009-11-03 01:42 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-05 03:29 . 2009-11-05 03:30 -------- d-----w- c:\program files\Microsoft Security Essentials
2009-11-04 21:16 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-11-04 18:48 . 2009-11-04 22:11 -------- d-----w- C:\Combo-Fix
2009-11-04 17:50 . 2009-11-04 17:56 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-11-04 04:35 . 2009-11-04 04:35 -------- d-----w- c:\program files\ERUNT
2009-11-04 03:57 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 03:57 . 2009-11-04 03:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 03:57 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 02:38 . 2009-11-04 02:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-11-04 02:32 . 2009-11-04 02:32 -------- d-----w- c:\program files\Windows Live Safety Center
2009-11-03 16:35 . 2009-11-03 16:35 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\AVG8
2009-11-03 06:23 . 2009-11-03 06:23 -------- d-----w- c:\documents and settings\Wenninger\Application Data\AVG8
2009-11-03 04:27 . 2009-11-06 18:31 16384 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-03 04:27 . 2009-11-03 03:14 101888 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\AOL
2009-11-03 03:14 . 2009-11-06 18:48 16384 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe
2009-11-03 03:14 . 2009-11-03 03:14 101888 ----a-w- c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c1.dll
2009-11-02 19:32 . 2009-11-03 04:00 -------- d-----w- c:\program files\Panda Security
2009-11-02 09:37 . 2009-11-02 09:37 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\AOL
2009-11-02 07:27 . 2009-11-02 07:27 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Malwarebytes
2009-11-02 07:16 . 2009-11-04 03:58 -------- d-----w- c:\documents and settings\Wenninger\Application Data\Malwarebytes
2009-11-02 04:30 . 2009-11-02 04:30 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Malwarebytes
2009-11-02 04:29 . 2009-11-04 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 04:22 . 2009-11-02 04:22 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\PrivacIE
2009-11-01 23:15 . 2009-11-02 01:30 -------- d-----w- c:\windows\BDOSCAN8
2009-11-01 07:40 . 2009-11-01 07:40 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-11-01 06:41 . 2009-11-01 06:41 -------- d-sh--w- c:\documents and settings\Administrator.ALEVISSA\IETldCache
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\Shareaza
2009-11-01 05:49 . 2009-11-01 05:49 -------- d-----w- c:\documents and settings\Administrator.ALEVISSA\Application Data\Shareaza
2009-10-20 16:54 . 2009-10-20 16:54 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.736\English\setup.exe
2009-10-11 05:45 . 2009-10-11 05:45 -------- d-----w- c:\documents and settings\HelpAssistant\WINDOWS
2009-10-11 05:45 . 2009-10-11 05:45 -------- d-----w- c:\documents and settings\HelpAssistant\UserData
2009-10-11 05:45 . 2009-10-11 05:45 -------- d-----w- c:\documents and settings\HelpAssistant\System
2009-10-11 05:44 . 2009-11-02 07:29 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2009-10-08 23:41 . 2009-10-08 23:41 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2009-10-08 23:41 . 2009-10-08 23:41 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2009-10-08 23:20 . 2009-10-08 23:20 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\SmartDraw
2009-10-08 23:20 . 2009-10-08 23:20 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Shareaza
2009-10-08 23:08 . 2009-10-08 23:20 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\SecondLife
2009-10-08 23:08 . 2009-10-08 23:08 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Roxio
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\PokerCreations
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\PlayFirst
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\NLOP
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Netscape
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\NCH Swift Sound
2009-10-08 23:06 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\MSN6
2009-10-08 23:04 . 2008-10-18 04:40 34063 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\Uninst.exe
2009-10-08 23:04 . 2008-09-17 16:03 975736 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\qsp2ie071101000055.dll
2009-10-08 23:04 . 2009-10-08 23:06 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Move Networks
2009-10-08 23:04 . 2008-09-17 16:03 99704 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-10-08 23:04 . 2008-03-19 22:03 10134 ----a-r- c:\documents and settings\HelpAssistant\Application Data\Microsoft\Installer\{16BE87BC-69F5-4D36-8CF0-E1CB3ACD5ED3}\ARPPRODUCTICON.exe
2009-10-08 23:04 . 2007-06-24 15:51 19360 ----a-w- c:\documents and settings\HelpAssistant\Application Data\Microsoft\IdentityCRL\ppcrlconfig.dll
2009-10-08 23:03 . 2009-10-08 23:03 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Microgaming
2009-10-08 22:47 . 2009-10-08 23:01 -------- d-----w- c:\documents and settings\HelpAssistant\.jpi_cache
2009-10-08 22:47 . 2009-10-08 22:47 -------- d-----w- c:\documents and settings\HelpAssistant\.javaws
2009-10-08 22:47 . 2009-10-08 22:47 -------- d-----w- c:\documents and settings\HelpAssistant\.java
2009-10-08 22:46 . 2009-10-08 22:47 -------- d-----w- c:\documents and settings\HelpAssistant\.housecall6.6
2009-10-08 22:43 . 2009-11-06 18:13 -------- d-----w- c:\documents and settings\HelpAssistant
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-03 04:05 . 2008-06-25 18:15 -------- d-----w- c:\program files\Freecell Buddy Pogo
2009-11-03 04:02 . 2008-02-15 19:49 -------- d-----w- c:\program files\PokerStars
2009-11-03 02:41 . 2003-06-11 00:45 -------- d-----w- c:\program files\Common Files\aol
2009-11-02 09:59 . 2008-02-09 00:41 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-11-02 09:41 . 2005-11-17 22:25 139112 -c--a-w- c:\documents and settings\Administrator.ALEVISSA\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Zero Knowledge
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\You've Got Pictures Screensaver
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Yahoo! Messenger
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Yahoo!
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\WeatherBug
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Viewpoint
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Uniblue
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\Ulead Systems
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\U3
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\test
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\teamspeak2
2009-10-08 23:37 . 2009-10-08 23:37 -------- d-----w- c:\documents and settings\HelpAssistant\Application Data\System Tweaker
2009-09-11 14:18 . 2009-09-11 14:18 136192 ------w- c:\windows\system32\SET22.tmp
2009-08-20 20:09 . 2009-08-20 20:09 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-08-14 15:51 . 2003-06-13 01:33 139112 -c--a-w- c:\documents and settings\Wenninger\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-12-26 00:47 . 2004-12-26 00:47 35121138 ----a-w- c:\program files\NIS_Retail.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Wenninger\Application Data\Macromedia\Common\ec0fe01c19.exe" [2009-11-06 16384]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LimeShop"="wjview" [X]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2002-08-14 28672]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-11-23 180269]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"PHIME2002ASync"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"PHIME2002A"="c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE" [2002-09-03 455168]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2009-09-13 1048392]
"MSPY2002"="c:\windows\System32\IME\PINTLGNT\ImScInst.exe" [2002-09-03 59392]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"HostManager"="c:\program files\Common Files\AOL\1157574114\ee\AOLSoftware.exe" [2008-06-24 41824]
"DwlClient"="c:\program files\Common Files\Dell\EUSW\Support.exe" [2004-05-28 323584]
"diagent"="c:\program files\Creative\SBLive\Diagnostics\diagent.exe" [2002-04-03 135264]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 71216]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\aol\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 79448]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"nwiz"="nwiz.exe" - c:\windows\SYSTEM32\nwiz.exe [2003-10-06 741376]
"Detect Kbd Daemon"="SK2000DM.EXE" - c:\windows\SYSTEM32\SK2000DM.EXE [2001-04-28 36864]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\SYSTEM32\narrator.exe [2008-04-14 53760]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"wave2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"midi2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"mixer2"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
"aux1"=c:\docume~1\WENNIN~1\APPLIC~1\MACROM~1\Common\ec0fe01c1.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
backup=c:\windows\pss\AOL Companion.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
backup=c:\windows\pss\Free WebSite Tools.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GStartup.lnk]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Register Kazaa Upgrade Suite3.exe]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Verizon Online.lnk]
backup=c:\windows\pss\Verizon Online.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus Pro 2010
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CasinoDownloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightLAN 01
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPInSightMonitor 01
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\saap
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TBPSSvc"=2 (0x2)
"WinToolsSvc"=2 (0x2)
"MyWebSearchService"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\aol\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\aol\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\aol\\System Information\\sinf.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"c:\\Program Files\\Common Files\\aol\\AOL Spyware Protection\\asp.exe"=
"c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"c:\\Program Files\\Common Files\\aol\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\aol\\1157574114\\EE\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AOL 9.1\\waol.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:Remote Desktop
R3 SKUSBKBF;USB Keyboard Filter Driver;c:\windows\system32\DRIVERS\SKUSBKBF.sys [2001-07-27 14048]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
--- Other Services/Drivers In Memory ---
*Deregistered* - IPVNMon
*Deregistered* - mbr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
{C62C59F5-FD1B-4823-805FE6BFD520860D}
.
Contents of the 'Scheduled Tasks' folder
2009-11-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
2009-11-06 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Essentials\MpCmdRun.exe [2009-07-02 22:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.aol.com/
uDefault_Search_URL = hxxp://search.msn.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
IE:
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\v5.windowsupdate
Trusted Zone: windowsupdate.com
DPF: Aces Up! by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/aces/aces-en_US.cab
DPF: Backgammon by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/backgammon/backgammon-en_US.cab
DPF: Bingo Luau by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/freebingo/freebingo-en_US.cab
DPF: Blackjack by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/blackjack/blackjack-en_US.cab
DPF: Blackjack Carnival by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/vbjack2/vbjack2-en_US.cab
DPF: Blooop by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/cascade/cascade-en_US.cab
DPF: Canasta by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/canasta/canasta-en_US.cab
DPF: Checkers by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/checkers2/checkers-en_US.cab
DPF: Chess by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/chess2/chess2-en_US.cab
DPF: Dice City Roller by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/ytz/ytz-en_US.cab
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Dominoes by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/domino/domino-en_US.cab
DPF: Double Deuce Poker by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/videopoker2/doubledeuce-en_US.cab
DPF: Fortune Bingo by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/superbingo/superbingo-en_US.cab
DPF: Hangman Hijinks by pogo - hxxp://game3.pogo.com/v/8.1.8.10/applet/hangman/hangman-en_US.cab
DPF: Hearts by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/hearts/hearts-en_US.cab
DPF: High Stakes Poker by pogo - hxxp://game1.pogo.com/applet-8.0.9.41/drawpoker/drawpoker-en_US.cab
DPF: High Stakes Pool by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/pool2/pool-en_US.cab
DPF: Hog Heaven Slots by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/fancy/fancy-en_US.cab
DPF: Jungle Gin by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/gin2/gin2-en_US.cab
DPF: Lost Temple Poker by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/mhpoker/mhpoker-en_US.cab
DPF: Lottso by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/lottso/lottso-en_US.cab
DPF: Makeover Madness by pogo - hxxp://game3.pogo.com/v/8.1.7.44/applet/shoes/shoes-en_US.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: NASCAR Web Racing by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/nascar/nascar-en_US.cab
DPF: No-Limit Texas Hold'em by pogo - hxxp://game1.pogo.com/v/8.1.1.21/applet/allin/allin-en_US.cab
DPF: Pai Gow by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/paigow/paigow-en_US.cab
DPF: Payday Freecell Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/freecell2/freecell2-en_US.cab
DPF: Perfect Pair Solitaire by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/waterwheel/waterwheel-en_US.cab
DPF: Phlinx by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/flinger/flinger-en_US.cab
DPF: Poppit by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/poppit2/poppit2-en_US.cab
DPF: Quick Quack by pogo - hxxp://game1.pogo.com/v/8.1.7.44/applet/hotstreak/hotstreak-en_US.cab
DPF: QWERTY by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/squares/squares-en_US.cab
DPF: Ride The Tide by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/ride/ride-en_US.cab
DPF: Showbiz Slots by pogo - hxxp://game1.pogo.com/v/8.1.0.24/applet/slots/showbiz-en_US.cab
DPF: Spooky Slots - hxxp://game1.pogo.com/v/8.1.1.35/applet/spooky/spooky-en_US.cab
DPF: Squelchies by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/squelchies/squelchies-en_US.cab
DPF: Stax by pogo - hxxp://game1.pogo.com/v/8.1.1.1/applet/stax/stax-en_US.cab
DPF: Sweet Tooth TM by pogo - hxxp://game1.pogo.com/v/8.1.1.13/applet/sweettooth/sweettooth-en_US.cab
DPF: Thousand Island Solitaire by pogo - hxxp://game3.pogo.com/v/8.1.9.1/applet/millbrae/millbrae-en_US.cab
DPF: Turbo 21 v2 by pogo - hxxp://game1.pogo.com/v/8.1.9.7/applet/turbo22/turbo22-en_US.cab
DPF: Wonderland Memories by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/memories/memories-en_US.cab
DPF: Word Search Daily by pogo - hxxp://game3.pogo.com/v/8.1.9.4/applet/wordsearch/wordsearch-en_US.cab
DPF: Word Whomp by pogo - hxxp://game1.pogo.com/v/8.1.0.23/applet/wordwhomp2/whomp2-en_US.cab
DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} - hxxp://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
.
- - - - ORPHANS REMOVED - - - -
URLSearchHooks-{19A0F032-27D7-4227-BBB5-51AA9E5904F5} - (no file)
HKCU-Run-rundll32.exe - (no file)
HKLM-Run-WildTangent CDA - c:\program files\WildTangent\Apps\CDA\cdaEngine0400.dll
HKLM-Run-MyWebSearch Plugin - c:\progra~1\MYWEBS~1\bar\2.bin\M3PLUGIN.DLL
AddRemove-VivoActivePlayer20DeinstKey - c:\program files\NETSCAPE\NETSCAPE\Plugins\DeIsL1.isu
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-06 13:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\_000012_.tmp.dll 729088 bytes executable
c:\windows\system32\SETF.tmp 56832 bytes executable
scan completed successfully
hidden files: 2
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x82A1BE40]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x82a1be40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x06FBFEFE
malicious code @ sector 0x06FBFF01 !
PE file found in sector at 0x06FBFF17 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-2624249815-826661598-447150811-1006\Software\Policies\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (S-1-5-21-2624249815-826661598-447150811-1006)
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(676)
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
- - - - - - - > 'explorer.exe'(3920)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\System32\ctmp3.acm
c:\windows\system32\vct3216.acm
c:\windows\system32\vct3216.dll
c:\windows\system32\msms001.vwp
c:\windows\system32\mvoice.vwp
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\program files\Common Files\AOL\ACS\AOLAcsd.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\Sktempdm.exe
c:\program files\Dell\Support\Alert\bin\NotifyAlert.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2009-11-06 15:41 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-06 20:41
Pre-Run: 14,749,184,000 bytes free
Post-Run: 13,790,769,152 bytes free
#28
Posted 06 November 2009 - 11:23 PM
#29
Posted 07 November 2009 - 04:14 AM
1) CFScript
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
3. Open notepad and copy/paste the text in the quotebox below into it:
File::
Folder::
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LimeShop"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Antivirus Pro 2010]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
Driver::
WinToolsSvc
MyWebSearchService
MBR::
KILLALL::
Save this as CFScript.txt, in the same location as ComboFix.exe
Refering to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
2) Malwarebytes
Please download Malwarebytes' Anti-Malware from Here.
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish,so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy&Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediatly.
3) OTL
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- Check the boxes beside LOP Check and Purity Check.
- Under the Custom Scan box paste this in
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions
%SYSTEMDRIVE%\eventlog.dll /s /md5
%SYSTEMDRIVE%\scecli.dll /s /md5
%SYSTEMDRIVE%\netlogon.dll /s /md5
%SYSTEMDRIVE%\cngaudit.dll /s /md5
%SYSTEMDRIVE%\sceclt.dll /s /md5
%SYSTEMDRIVE%\ntelogon.dll /s /md5
%SYSTEMDRIVE%\logevent.dll /s /md5
%SYSTEMDRIVE%\iaStor.sys /s /md5
%SYSTEMDRIVE%\nvstor.sys /s /md5
%SYSTEMDRIVE%\atapi.sys /s /md5
%SYSTEMDRIVE%\IdeChnDr.sys /s /md5
%SYSTEMDRIVE%\viasraid.sys /s /md5
%SYSTEMDRIVE%\AGP440.sys /s /md5
%SYSTEMDRIVE%\vaxscsi.sys /s /md5
- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
In your reply I would like to see copied and pasted,
1) ComboFix log
2) Malwarebytes log
3) OTL logs
watch me and tremble, for I bring the purity of oblivion
Sudo apt-get me a sandwich!
Proud graduate of GeekU
If I have helped you, please consider a donation to help continue the fight against malware.#30
Posted 07 November 2009 - 09:32 AM
Edited by StormyHaze, 07 November 2009 - 09:33 AM.
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users