[Resolved] Limewire and DEEWOO got me!


  • This topic is locked
30 replies to this topic

#1 pdpfishin
Authentic Member, 54 posts

Posted 29 April 2008 - 09:52 PM

Using LimeWire I picked up DEEWOO and 137 other infected files (according to Malwarebytes' Anti-Malware).
Also I get this error message every 4-5 minutes:

Error Has occured in the script on this Page
Line: 11
Char: 1
Error: Object expected
Code: 0
URL: file///C:Documents%20and%settings/private/Local%20settings/
Temp/NDR7E9.tmp.html

Continue YEs or No?

The same exact error every time!!


Malwarebytes' Anti-Malware 1.11
Database version: 694

Scan type: Quick Scan
Objects scanned: 40175
Time elapsed: 18 minute(s), 48 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 3
Registry Keys Infected: 49
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 16
Files Infected: 65

Memory Processes Infected:
C:\WINDOWS\system32\jkwnw64l.exe (Adware.ZeroSearch) -> No action taken.
C:\WINDOWS\system32\lcntlkdn.exe (Adware.ZeroSearch) -> No action taken.

Memory Modules Infected:
c:\program files\CPV\CPV8.dll (Adware.Bestrevenue) -> No action taken.
c:\WINDOWS\system32\fiungf.dll (Adware.ClickSpring) -> No action taken.
C:\WINDOWS\system32\{d882d8c6-fa56-190d-5bda-ff950c47d6db}.dll (Trojan.Agent) -> No action taken.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Adware.Bestrevenue) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Adware.Bestrevenue) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{97fa6fa3-d34e-d4c0-14e3-aa8f005173c1} (Adware.ClickSpring) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{97fa6fa3-d34e-d4c0-14e3-aa8f005173c1} (Adware.ClickSpring) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{cfcec0a5-e1da-4049-bdb6-8b461e7e1bf3} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{2386c4d3-e53a-4fd6-952b-89cbca337c83} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\AppID\{ff46f4ab-a85f-487e-b399-3f191ac0fe23} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2e4a04a1-a24d-45ae-aca4-949778400813} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{63334394-3da3-4b29-a041-03535909d361} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\quantic.plug (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\quantic.plug.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{16b435f6-b6ce-4f24-a568-944b27ed919c} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{16b435f6-b6ce-4f24-a568-944b27ed919c} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{e4e3e0f8-cd30-4380-8ce9-b96904bdefca} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{fe8a736f-4124-4d9c-b4b1-3b12381efabe} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{c9c5deaf-0a1f-4660-8279-9edfad6fefe1} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> No action taken.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> No action taken.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\targetedbanner (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\gooochi (Adware.Rotator) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{0523c7b8-7a52-2283-d85b-6d66d3c5687f} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0523c7b8-7a52-2283-d85b-6d66d3c5687f} (Trojan.Agent) -> No action taken.
HKEY_CURRENT_USER\Software\SpeedRunner (Adware.SurfAccuracy) -> No action taken.
HKEY_CLASSES_ROOT\AppID\testCPV6.DLL (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Deewoo Network Manager (Adware.Radio) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> No action taken.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaCore (Trojan.Insider) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpeedRunner (Adware.SurfAccuracy) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SfKg6wIP (Trojan.Vundo) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cpue (Adware.ClickSpring) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{8F-FD-DA-AF-DW} (Adware.ZeroSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g]eeV\mWhjlnspB (Adware.ZeroSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Downloader) -> No action taken.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spa_start (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Outerinfo (Adware.Outerinfo) -> No action taken.
C:\Program Files\Outerinfo\FF (Adware.Outerinfo) -> No action taken.
C:\Program Files\Outerinfo\FF\components (Adware.Outerinfo) -> No action taken.
C:\Program Files\Network Monitor (Trojan.DNSChanger) -> No action taken.
C:\Program Files\InetGet2 (Trojan.Downloader) -> No action taken.
C:\Program Files\Temporary (Trojan.Agent) -> No action taken.
C:\Program Files\JavaCore (Trojan.Downloader) -> No action taken.
C:\Program Files\CPV (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\ExTmp (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\IDE2 (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\pinz1 (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wii (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bharebio18 (Trojan.Agent) -> No action taken.
C:\Documents and Settings\private\Start Menu\Programs\Outerinfo (Malware.Trace) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\NetMon (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\private\Application Data\speedrunner (Adware.SurfAccuracy) -> No action taken.

Files Infected:
c:\program files\CPV\CPV8.dll (Adware.Bestrevenue) -> No action taken.
c:\WINDOWS\system32\fiungf.dll (Adware.ClickSpring) -> No action taken.
C:\WINDOWS\system32\efccbbBq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qBbbccfe.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\qBbbccfe.ini2 (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tpevcpet.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\tepcvept.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUonkhH.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\HhknoUtv.ini (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\HhknoUtv.ini2 (Trojan.Vundo) -> No action taken.
C:\Program Files\JavaCore\JavaCore.exe (Trojan.Insider) -> No action taken.
C:\Documents and Settings\private\Application Data\SpeedRunner\SpeedRunner.exe (Adware.SurfAccuracy) -> No action taken.
C:\Documents and Settings\private\Application Data\Microsoft\Windows\vubex.exe (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\private\My Documents\A?pPatch\logonui.exe (Adware.ClickSpring) -> No action taken.
C:\WINDOWS\system32\jkwnw64l.exe (Adware.ZeroSearch) -> No action taken.
C:\WINDOWS\system32\lcntlkdn.exe (Adware.ZeroSearch) -> No action taken.
C:\WINDOWS\mrofinu1188.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\geBrqrRh.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nvwgrcao.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\onwnpyjc.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\rwwnw64d.exe (Adware.ZeroSearch) -> No action taken.
C:\WINDOWS\system32\secixwse.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\targetedbanner-uninst.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\{d882d8c6-fa56-190d-5bda-ff950c47d6db}.dll-uninst.exe (Adware.Rotator) -> No action taken.
C:\WINDOWS\b116.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\b152.exe (Trojan.Insider) -> No action taken.
C:\WINDOWS\b153.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\b155.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\b157.exe (Trojan.Dropper) -> No action taken.
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe (Adware.ClickSpring) -> No action taken.
C:\Documents and Settings\private\Local Settings\Temp\outerinfo.ico (Malware.Trace) -> No action taken.
C:\Documents and Settings\private\Local Settings\Temporary Internet Files\Content.IE5\T6ARW6NJ\26453da423d82a5fc6fae941d05f1151[1].zip (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\private\lsass.exe (BackDoor.Bot) -> No action taken.
C:\Program Files\Outerinfo\Terms.rtf (Adware.Outerinfo) -> No action taken.
C:\Program Files\Outerinfo\FF\chrome.manifest (Adware.Outerinfo) -> No action taken.
C:\Program Files\Outerinfo\FF\install.rdf (Adware.Outerinfo) -> No action taken.
C:\Program Files\Outerinfo\FF\components\FF.dll (Adware.Outerinfo) -> No action taken.
C:\Program Files\Outerinfo\FF\components\OuterinfoAds.xpt (Adware.Outerinfo) -> No action taken.
C:\Program Files\Temporary\InsiDERInst.exe (Trojan.Agent) -> No action taken.
C:\Program Files\JavaCore\UnInstall.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\CPV\CPV8.dll.lzma (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\IDE2\mdllcom2.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\pinz1\cegmgr76.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\wii\HTgn1dll.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bharebio18\bharebio182328.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\private\Start Menu\Programs\Outerinfo\Terms.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\private\Start Menu\Programs\Outerinfo\Uninstall.lnk (Malware.Trace) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt (Trojan.NetMon) -> No action taken.
C:\Documents and Settings\private\Application Data\speedrunner\config.cfg (Adware.SurfAccuracy) -> No action taken.
C:\Documents and Settings\private\Application Data\speedrunner\SRUninstall.exe (Adware.SurfAccuracy) -> No action taken.
C:\WINDOWS\system32\{d882d8c6-fa56-190d-5bda-ff950c47d6db}.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> No action taken.
C:\WINDOWS\Fonts\x.zip (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Fonts\Setup.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\msnav32.ax (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\zxdnt3d.cfg (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\qommlkji.dll (Trojan.Vundo) -> No action taken.
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe (Adware.PurityScan) -> No action taken.
C:\WINDOWS\b156.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\drivers\core.cache.dsk (Malware.Trace) -> No action taken.
C:\Documents and Settings\private\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\Deewoo.lnk (Trojan.Agent) -> No action taken.
C:\Documents and Settings\private\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\DW_Start.lnk (Trojan.Agent) -> No action taken.


******************Yes I deleted ALL!! **********************


Logfile of HijackThis v1.99.1
Scan saved at 2:32:43 AM, on 4/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Common Files\a?sembly\m?hta.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\DOCUME~1\private\LOCALS~1\Temp\!update.exe
C:\DOCUME~1\private\MYDOCU~1\APPATC~1\logonui.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.targetedb...z/bc/123kah.php
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\hgGxWqoo.dll (file missing)
O2 - BHO: HTML Exploits Prevent - {245463AB-6F21-456A-9EB4-FAB802DB8062} - C:\WINDOWS\system32\nsp5C.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: (no name) - {91D2C8E8-3963-4E52-8A7D-3631C50ADE70} - C:\WINDOWS\system32\mlJApQkk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{8F-FD-DA-AF-ZN}] C:\Documents and Settings\Owner\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntlkdn.exe DWramYB
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Aauhztyt] "C:\Program Files\Common Files\a?sembly\m?hta.exe"
O4 - HKCU\..\Run: [Cpue] "C:\DOCUME~1\private\MYDOCU~1\APPATC~1\logonui.exe" -vt yazb
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.grab.com/...les/222/222.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfish...web.1.0.0.9.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O20 - Winlogon Notify: hgGxWqoo - hgGxWqoo.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe

I can finally type at close to real time, and my system is slower than evolution. Can someone help???
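As an added example (not code from this thread, and not a tool from the HijackThis or Malwarebytes authors), the following Python script shows how a helper reads logs like the two above: it parses the O-section lines of a HijackThis 1.99 log and the "Files Infected" lines of a Malwarebytes log, then flags the entries worth looking at first: targets marked "(file missing)" or "(no file)", BHOs registered with "(no name)", auto-start targets living in a user profile or Temp directory, core Windows process names (such as lsass.exe) running from outside %SystemRoot%, and paths the scanner already detected. The sample lines are copied from the logs posted above; the field layouts, heuristics and function names are this example's own assumptions about the log formats, not a specification of them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: lines copied from the HijackThis and Malwarebytes logs posted above.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\hgGxWqoo.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [{8F-FD-DA-AF-ZN}] C:\Documents and Settings\Owner\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [LSA Shellu] C:\Documents and Settings\Owner\lsass.exe
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntlkdn.exe DWramYB
O20 - Winlogon Notify: hgGxWqoo - hgGxWqoo.dll (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
"""
MBAM_SAMPLE = r"""
C:\WINDOWS\system32\lcntlkdn.exe (Adware.ZeroSearch) -> No action taken.
C:\Documents and Settings\private\lsass.exe (BackDoor.Bot) -> No action taken.
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Greedy name so a ']' inside the value name (the g]eeV... entry above) still parses.
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<name>.*)\] (?P<cmd>.*)$")
EXE_IN_CMD = re.compile(r"(?i)^(?P<path>.*?\.(?:exe|dll|sys|scr|cpl))(?:\s|$)")
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> ")
MISSING_MARKERS = ("(file missing)", "(no file)")
SYSTEM_ROOT = "c:\\windows\\"
USER_PROFILES = "c:\\documents and settings\\"
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                  "lsass.exe", "svchost.exe", "explorer.exe"}

@dataclass
class Entry:
    section: str   # HJT section code, e.g. O4
    name: str      # value name, BHO/service name, or notify package
    path: str      # target file as logged ('' when none)
    missing: bool  # HJT marked the target as absent
    raw: str

def exe_from_command(cmd: str) -> str:
    """Extract the program from an O4 command line, quoted or bare, ignoring arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_IN_CMD.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]

def parse_hjt_line(line: str) -> Optional[Entry]:
    """Parse one HJT line; O4 uses the Run-key layout, other sections the 'name - ... - path' layout."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O4":
        r = RUN_ENTRY.match(body)
        if not r:
            return None
        name, path = r.group("name"), exe_from_command(r.group("cmd"))
    else:
        parts = body.split(" - ")
        name = parts[0].partition(": ")[2] or parts[0]
        path = parts[-1] if len(parts) > 1 else ""
    missing = any(mk in path for mk in MISSING_MARKERS)
    for mk in MISSING_MARKERS:
        path = path.replace(mk, "").strip()
    return Entry(section, name, path, missing, line.strip())

def parse_mbam_detections(text: str) -> Dict[str, str]:
    """Map lower-cased path -> family name from Malwarebytes 'Files Infected' lines."""
    return {m.group("path").lower(): m.group("family")
            for m in (MBAM_LINE.match(l.strip()) for l in text.splitlines()) if m}

def triage(entry: Entry, known_bad: Dict[str, str]) -> List[str]:
    """Reading heuristics for one entry; every string returned is a reason to look closer."""
    reasons, low = [], entry.path.lower()
    if entry.missing:
        reasons.append("target file missing: orphaned entry, usually a remnant of removed malware")
    if entry.section == "O2" and entry.name == "(no name)":
        reasons.append("BHO registered without a display name")
    if low.startswith(USER_PROFILES) or "\\temp\\" in low:
        reasons.append("auto-start target lives in a user-writable profile or Temp directory")
    base = low.rsplit("\\", 1)[-1]
    if base in CORE_PROCESSES and not low.startswith(SYSTEM_ROOT):
        reasons.append(f"{base} is a core Windows process name but runs from outside %SystemRoot%")
    if low in known_bad:
        reasons.append(f"path matches scanner detection {known_bad[low]}")
    return reasons

def triage_log(hjt_text: str, mbam_text: str = "") -> Dict[str, List[str]]:
    """Return {raw HJT line: reasons} for every entry that trips at least one heuristic."""
    known_bad = parse_mbam_detections(mbam_text)
    flagged: Dict[str, List[str]] = {}
    for line in hjt_text.splitlines():
        entry = parse_hjt_line(line)
        if entry and (reasons := triage(entry, known_bad)):
            flagged[entry.raw] = reasons
    return flagged
```

Running `triage_log(HJT_SAMPLE, MBAM_SAMPLE)` flags five of the eight sample lines: the unnamed, file-missing BHO and its matching O20 Winlogon Notify entry, the Run entry pointing into Temp, the lsass.exe copy in the Owner profile, and lcntlkdn.exe, which trips none of the path heuristics and is caught only because Malwarebytes already listed it. That last case is the point of cross-referencing the two logs: a clean-looking system32 path in the HJT log tells you nothing on its own.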


#2 Gary R
MRU Administrator, MRU Teachers, 1,462 posts

Posted 02 May 2008 - 01:49 AM

Looking over your log, back ASAP.
Gary R


#3 Gary R
MRU Administrator, MRU Teachers, 1,462 posts

Posted 02 May 2008 - 02:10 AM

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed in advance, failure to post replies within 5 days will result in this thread being closed.


Hi pdpfishin

I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • If you're using XP, you'll need Administrator privileges to perform the fixes. (XP accounts are Administrator by default)
  • If you're using Vista, it will be necessary to right click all tools we use and select ----> Run as Administrator

You have signs of a RAT (Remote Access Trojan) on your computer.

This means your attacker may have full remote access to your computer and can use it as if he were sat in front of it.

You are strongly advised to do the following immediately:

1. Disconnect infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, and financial institutions. Inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer, because the attacker will get the new passwords and transaction information.

IF YOU USE THIS COMPUTER FOR ONLINE BANKING OR OTHER FINANCIAL TRANSACTIONS, OR HAVE DATA OF A CONFIDENTIAL NATURE ON IT, MY RECOMMENDATION IS THAT YOU RE-FORMAT AND RE-INSTALL YOUR OPERATING SYSTEM AND PROGRAMMES. WE CAN NEVER BE TOTALLY SURE WE HAVE GOT RID OF ALL MODIFICATIONS WHICH MAY HAVE BEEN MADE BY THE ATTACKER, AND THEREFORE CANNOT GUARANTEE THE SAFETY OF YOUR DATA.

If you choose to re-format, instructions for doing so can be found HERE (courtesy of wng_z3r0).

If you don't have the resources to reinstall your OS and/or would like me to attempt to clean your machine, I'll be happy to do so.

To help you decide, please take some time to read the following articles, then let me know how you want to proceed.

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups
Gary R


#4 pdpfishin
Authentic Member, 54 posts

Posted 03 May 2008 - 01:11 PM

Well, thank you Gary. I use this computer for home use and NOT business or online banking. I have music and pictures of my family here only. I use Yahoo mail for leisure only; the only passwords are for baby and family info sites. My wife plays games quite often, and that is the limit of it. I understand LimeWire is where I got "sick" from and plan to stay away from now on. I seem to be able to type better now, but the pop-ups are still bad and every scan finds more viruses, it seems. Yes, I would like to clean up what I got, and believe me, if I do not understand I am not afraid to stop and ask!! Thank you, Paul

#5 Gary R
MRU Administrator, MRU Teachers, 1,462 posts

Posted 03 May 2008 - 01:57 PM

OK, let's get started on getting the junk off your computer.

There are some new infections that damage your ability to boot if they are removed. So before we go any further, I need you to install Recovery Console to your computer. This is purely a precautionary measure; I don't see signs of them on your computer, but it's better to be a little cautious now than regretful later.

Recovery Console gives us the ability to recover your computer if things go wrong.

  • Download combofix.exe by sUBs to your Desktop (it must be in this location).
  • Alternate Download
  • If you already have a previous version, delete it and download a new version.
  • Go to Microsoft's website
  • Select the download that's appropriate for your Operating System (if you have XP Media Centre, use download for XP Pro)
  • Download the file & save it as it's originally named, to your Desktop.
  • Next
  • Disconnect from the Internet.
  • Important! Temporarily disable your anti-virus, and anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its files which may cause unpredictable results.
  • Click here to see a list of programs that should be disabled (ignore the firewalls). The list is not all inclusive. If yours are not listed and you don't know how to disable them, please ask.

Posted Image

  • Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix.
  • When prompted, agree to the End-User License Agreement to install Microsoft Recovery Console.
  • When complete a message will pop up asking if you want to continue scanning for Malware.
    • Click Yes
    • Combofix will now run a scan. (Usually takes 15-20 mins, but could be slightly longer)
    • When finished, it will produce a log for you. (it can also be found at C:\Combofix.txt)
  • Post the log in your next reply please.
  • Now run a new HJT scan and send me the log from that as well please.
  • Don't forget to re-enable your anti-virus and anti-malware protection before re-connecting to the Internet.

IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  • If you've lost your Internet connection when Combofix has completely finished, re-start your computer to restore it.
If you have any problems with these instructions, a detailed Tutorial for how to use Combofix is available here.
Gary R

Posted Image

#6 pdpfishin (Authentic Member, 54 posts)

Posted 03 May 2008 - 03:20 PM

Ok Here we go,





ComboFix 08-05-01.3 - private 2008-05-03 16:55:24.1 - NTFSx86
Running from: C:\Documents and Settings\private\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\private\Desktop\WinXP_EN_HOM_BF.EXE
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\private\My Documents\APPATC~1
C:\Documents and Settings\private\My Documents\APPATC~1\A?pPatch\
C:\Documents and Settings\private\My Documents\APPATC~1\logonui.exe
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\asembl~1\m?hta.exe
C:\WINDOWS\BMeb9bce9c.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\IA
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adkpbxpf.ini
C:\WINDOWS\system32\arswxueh.dll
C:\WINDOWS\system32\cnukrorv.ini
C:\WINDOWS\system32\cpmrotate.dll
C:\WINDOWS\system32\ecusetcq.dll
C:\WINDOWS\system32\fovndsoa.ini
C:\WINDOWS\system32\hsrioxev.dll
C:\WINDOWS\system32\kkQpAJlm.ini
C:\WINDOWS\system32\kkQpAJlm.ini2
C:\WINDOWS\system32\lqfspybx.dll
C:\WINDOWS\system32\vhufexlq.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE


((((((((((((((((((((((((( Files Created from 2008-04-03 to 2008-05-03 )))))))))))))))))))))))))))))))
.

2008-04-30 23:43 . 2008-04-30 23:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-30 15:40 . 2008-04-30 15:40 <DIR> d-------- C:\Program Files\Svconr
2008-04-30 15:40 . 2008-04-30 15:40 <DIR> dr------- C:\Documents and Settings\private\Application Data\Brother
2008-04-29 01:52 . 2008-05-01 23:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 01:52 . 2008-04-29 01:52 <DIR> d-------- C:\Documents and Settings\private\Application Data\Malwarebytes
2008-04-29 01:52 . 2008-04-29 01:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-29 00:23 . 2008-04-29 00:23 399,467 --a------ C:\WINDOWS\system32\g18.exe
2008-04-16 18:15 . 2008-04-16 18:15 <DIR> d-------- C:\Documents and Settings\private\Application Data\AdobeUM
2008-04-14 09:31 . 2008-04-14 09:31 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-14 01:43 . 2008-04-14 01:43 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-13 18:59 . 2008-04-13 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-13 16:51 . 2008-04-13 16:51 <DIR> d-------- C:\Documents and Settings\private\Application Data\Motive
2008-04-10 01:08 . 2008-04-10 01:08 305 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 18:30 . 2008-04-09 18:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-04-09 18:22 . 2008-04-09 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-04-09 18:20 . 2008-04-09 18:22 <DIR> d-------- C:\Program Files\Common Files\Motive
2008-04-07 19:54 . 2008-04-29 00:58 937 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-04-05 23:01 . 2008-04-05 23:01 <DIR> d-------- C:\TEMP\wdlw14
2008-04-05 19:56 . 2008-04-05 19:56 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2008-04-03 22:38 . 2008-04-30 01:01 <DIR> d-------- C:\Documents and Settings\private\Application Data\Yahoo!
2008-04-03 22:33 . 2008-04-17 16:07 <DIR> d-------- C:\Documents and Settings\private\Application Data\ZoomBrowser EX
2008-04-03 22:25 . 2008-04-03 22:25 <DIR> d-------- C:\Documents and Settings\private\Application Data\CANON INC
2008-04-03 22:25 . 2008-04-17 16:06 <DIR> d-------- C:\Documents and Settings\private\Application Data\CameraWindowDC
2008-04-03 18:37 . 2008-04-03 18:37 <DIR> d-------- C:\Documents and Settings\private\Application Data\Verizon
2008-04-03 18:34 . 2004-08-27 05:54 <DIR> d-------- C:\Documents and Settings\private\WINDOWS
2008-04-03 18:34 . 2006-08-02 17:22 <DIR> d-------- C:\Documents and Settings\private\Application Data\SampleView
2008-04-03 18:34 . 2006-08-02 17:21 <DIR> d-------- C:\Documents and Settings\private\Application Data\McAfee
2008-04-03 18:34 . 2008-04-30 15:40 <DIR> d-------- C:\Documents and Settings\private
2008-04-03 18:34 . 2008-05-03 17:03 245,760 --ah----- C:\Documents and Settings\private\ntuser.dat.LOG

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 03:14 --------- d-----w C:\Program Files\BFG
2008-05-01 02:58 --------- d-----w C:\Program Files\PokerStars
2008-04-30 19:40 --------- d-----w C:\Program Files\Yahoo!
2008-04-30 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-30 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-27 07:07 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-27 06:52 --------- d-----w C:\Program Files\Top Ten Solitaire
2008-04-13 23:00 --------- d-----w C:\Program Files\iWin.com
2008-04-13 22:50 --------- d-----w C:\Program Files\iWin Games
2008-04-13 19:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
2008-04-13 19:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CameraWindowDC
2008-04-09 22:32 --------- d-----w C:\Program Files\verizon
2008-04-03 21:50 --------- d-----w C:\Program Files\Verizon Online
2008-03-24 18:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\funkitron
2008-03-24 18:22 --------- d-----w C:\Program Files\GamesBar
2008-03-15 04:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Verizon
2008-03-15 04:15 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-15 04:10 --------- d-----w C:\Program Files\Raxco
2008-03-15 04:10 --------- d-----w C:\Program Files\Common Files\Authentium
2008-03-15 04:10 --------- d-----w C:\Program Files\CA
2008-03-15 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-15 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Verizon
2008-03-15 04:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-15 03:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 06:16 --------- d-----w C:\Program Files\Java
2008-03-05 05:37 0 ----a-w C:\Program Files\temp01
2008-03-05 05:37 --------- d-----w C:\Program Files\bfgclient
2008-03-05 05:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-30 03:14 32,408 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-22 03:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-06-12 23:18 334 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
2007-06-12 23:17 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
2007-06-12 21:13 439,296 ----a-w C:\Documents and Settings\Owner\GoToAssist_phone__317_en.exe
2007-06-03 22:32 20,480 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
2007-01-25 05:32 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
2007-01-25 05:32 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
2007-01-25 05:32 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
2007-01-25 05:32 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
2007-01-25 05:32 0 ----a-w C:\Documents and Settings\Owner\Application Data\internaldb153.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}]
C:\WINDOWS\system32\hgGxWqoo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{245463AB-6F21-456A-9EB4-FAB802DB8062}]
2007-09-05 10:27 66048 --a------ C:\WINDOWS\system32\nsp5C.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91D2C8E8-3963-4E52-8A7D-3631C50ADE70}]
C:\WINDOWS\system32\mlJApQkk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"Svconr"="C:\Program Files\Svconr\Svconr.exe" [2008-04-29 00:24 57344]
"Aauhztyt"="C:\Program Files\Common Files\a?sembly\m?hta.exe" [ ]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 22:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-29 22:13 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 06:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-04-30 15:36 966706]
"Workflow"="E:\Workflow.exe" [ ]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 08:46 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 13:18 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 11:14 185632]
"{8F-FD-DA-AF-ZN}"="C:\Documents and Settings\Owner\Local Settings\Temp\TIP2D002.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 17:10 318704]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 17:11 13552]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\lcntlkdn.exe" [ ]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}"= C:\WINDOWS\system32\hgGxWqoo.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGxWqoo]
hgGxWqoo.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-18 23:44]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-19 04:17]
S3 Radialpoint Security Services;Verizon Internet Security Suite;"C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe" [2008-02-26 17:10]

.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 21:37:42 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-03 17:02:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\lcntlkdn.exe DWramYB"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\verizon\Verizon Internet Security Suite\Fws.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-05-03 17:07:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-03 21:06:59

Pre-Run: 34,943,131,648 bytes free
Post-Run: 35,062,870,016 bytes free

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

215 --- E O F --- 2008-04-12 05:24:36




And here is HJT:




Logfile of HijackThis v1.99.1
Scan saved at 5:11:10 PM, on 5/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.targetedb...z/bc/123kah.php
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE} - C:\WINDOWS\system32\hgGxWqoo.dll (file missing)
O2 - BHO: HTML Exploits Prevent - {245463AB-6F21-456A-9EB4-FAB802DB8062} - C:\WINDOWS\system32\nsp5C.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: IEHlprObj Class - {8CA5ED52-F3FB-4414-A105-2E3491156990} - C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL (file missing)
O2 - BHO: (no name) - {91D2C8E8-3963-4E52-8A7D-3631C50ADE70} - C:\WINDOWS\system32\mlJApQkk.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{8F-FD-DA-AF-ZN}] C:\Documents and Settings\Owner\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntlkdn.exe DWramYB
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Svconr] C:\Program Files\Svconr\Svconr.exe
O4 - HKCU\..\Run: [Aauhztyt] "C:\Program Files\Common Files\a?sembly\m?hta.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.grab.com/...les/222/222.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfish...web.1.0.0.9.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O20 - Winlogon Notify: hgGxWqoo - hgGxWqoo.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe



Everything went as planned. When I tried to pull up this website using my Desktop shortcut it said twice "could not find Website" and then another IE window popped up saying Loading......

#7 Gary R (MRU Administrator, MRU Teachers, 1,462 posts)

Posted 04 May 2008 - 01:18 AM

OK looking better but still a lot of work to do.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
File::
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\system32\vbzip10.dll
C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
C:\Documents and Settings\Owner\Application Data\internaldb153.dat
C:\WINDOWS\system32\hgGxWqoo.dll
C:\WINDOWS\system32\nsp5C.dll
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
C:\WINDOWS\system32\mlJApQkk.dll
C:\WINDOWS\system32\lcntlkdn.exe

Folder::
C:\TEMP\wdlw14
C:\Program Files\temp01
C:\Program Files\Svconr

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{245463AB-6F21-456A-9EB4-FAB802DB8062}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8CA5ED52-F3FB-4414-A105-2E3491156990}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{91D2C8E8-3963-4E52-8A7D-3631C50ADE70}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aauhztyt"=-
"Svconr"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{8F-FD-DA-AF-ZN}"=-
"g]eeV\mWhjlnspB"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{11635C4A-ECC7-4ED7-A172-FA5D54D3E3EE}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGxWqoo]
  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

You already have Malwarebytes' Anti-Malware installed, so do the following.

  • Click on the Malwarebytes' Anti-Malware icon to launch the programme.
    • Click the Updates tab.
    • Click Check for Updates and allow the programme to download the latest definitions. (This is important)
  • Click the Scanner tab.
    • Check Perform Quick Scan.
    • Click Scan and wait for the scan to complete.
    • When the scan is complete, click OK, then Show Results.
    • Ensure all items are checked then click Remove Selected. (This is essential)
    • A box will pop-up telling you that files have been quarantined.
    • A log will pop-up.
  • Post the log in your next reply please.
You can also access the log by doing the following
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open

Next

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • New Combofix log
  • MBAM log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.

Edited by Gary R, 04 May 2008 - 01:22 AM.

Gary R

Posted Image
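The helper's picks above (a fake-GUID value running from Temp, a value name made of garbage characters, a path imitating assembly\mshta.exe) and the File:: / Registry:: layout of the CFScript he posted can both be reproduced mechanically. The following is an added example for this thread, not code from HijackThis, ComboFix or the helper: it triages the O4 autorun lines of the HJT log posted earlier with those same cues (the rule set, the Autorun type and the sample lines are assumptions constructed for the example) and drafts the CFScript sections for the helper to review.

```python
"""Triage HijackThis O4 (autorun) lines and draft a ComboFix CFScript from them.

Added example for this thread, not HijackThis, ComboFix or the helper's own code.
Sample lines are copied from the HJT log posted above; the flagging rules are
assumptions that mimic what the helper did by hand (Temp paths, garbage value
names, look-alike paths).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# O4 - HKLM\..\Run: [ValueName] command   (ValueName may itself contain ']' or '\')
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(.*?)\] (.*)$")
# Unquoted executable path (may contain spaces) followed by optional arguments.
EXE_SPLIT = re.compile(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s+(.*))?$", re.I)
GUID = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SANE_NAME = re.compile(r"^[A-Za-z0-9 ._!&'+()-]+$")
TEMP_DIR = re.compile(r"\\(?:Local Settings\\Temp|TEMP)\\", re.I)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion"


@dataclass
class Autorun:
    hive: str
    key: str
    name: str
    path: str
    args: Optional[str]
    reasons: List[str]


def split_command(cmd: str) -> Tuple[str, Optional[str]]:
    """Separate the executable path from its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip() or None
    m = EXE_SPLIT.match(cmd)
    return (m.group(1), m.group(2)) if m else (cmd, None)


def triage_o4(line: str) -> Optional[Autorun]:
    """Parse one O4 line and attach the reasons (if any) it looks suspicious."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    hive, key, name, cmd = m.groups()
    path, args = split_command(cmd)
    reasons = []
    if TEMP_DIR.search(path):
        reasons.append("runs from a Temp folder")
    if "?" in path:
        # The '?' in a?sembly\m?hta.exe stands for a character the log could not
        # print; the name imitates the legitimate assembly\mshta.exe.
        reasons.append("unprintable character in path (look-alike name)")
    if name.startswith("{"):
        if not GUID.match(name):
            reasons.append("value name imitates a GUID but is malformed")
    elif not SANE_NAME.match(name):
        reasons.append("garbage characters in value name")
    # A plain name such as 'Svconr' passes these string checks; the helper caught it
    # from the file-creation dates in the ComboFix log, which this example does not model.
    return Autorun(hive, key, name, path, args, reasons)


def triage_log(text: str) -> List[Autorun]:
    return [e for e in (triage_o4(ln) for ln in text.splitlines()) if e]


def draft_cfscript(entries: List[Autorun]) -> str:
    """Render the flagged entries in the CFScript layout used in the thread."""
    flagged = [e for e in entries if e.reasons]
    # A path shown with '?' cannot be named literally; the helper's script used the
    # real (8.3) name from the ComboFix log instead, so such paths are left out here.
    files = [e.path for e in flagged if "?" not in e.path]
    out: List[str] = []
    if files:
        out += ["File::", *files, ""]
    out.append("Registry::")
    by_key: Dict[Tuple[str, str], List[Autorun]] = {}
    for e in flagged:
        by_key.setdefault((e.hive, e.key), []).append(e)
    for (hive, key), group in by_key.items():
        out.append(f"[{HIVES[hive]}\\{RUN_KEY}\\{key}]")
        out += [f'"{e.name}"=-' for e in group]
    return "\n".join(out)


# Constructed sample: six O4 lines copied from the HJT log posted above.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [{8F-FD-DA-AF-ZN}] C:\Documents and Settings\Owner\Local Settings\Temp\TIP2D002.exe P2D002
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntlkdn.exe DWramYB
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Aauhztyt] "C:\Program Files\Common Files\a?sembly\m?hta.exe"
"""
```

Running `draft_cfscript(triage_log(SAMPLE_HJT))` yields a File:: block with the Temp executable and lcntlkdn.exe, then the HKLM and HKCU Run keys with the three value names set to `=-`, the same shape as the script Gary R posted.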

#8 pdpfishin (Authentic Member, 54 posts)

Posted 04 May 2008 - 12:20 PM

ok here they are: MBAM

Malwarebytes' Anti-Malware 1.11
Database version: 715

Scan type: Quick Scan
Objects scanned: 35156
Time elapsed: 12 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Antivirus (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\g]eeV\mWhjlnspB (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 pdpfishin (Authentic Member, 54 posts)

Posted 04 May 2008 - 12:21 PM

and HJT:



Logfile of HijackThis v1.99.1
Scan saved at 2:14:20 PM, on 5/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Brother\ControlCenter3\brccMCtl.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Brother\Brmfcmon\BrMfcmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads.targetedb...z/bc/123kah.php
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Verizon\Verizon Internet Security Suite\pkR.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] "C:\Program Files\Ahead\InCD\InCD.exe"
O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [SetDefPrt] "C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe"
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [Verizon Internet Security Suite] "C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntlkdn.exe DWramYB
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Verizon Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyds...DSL/tgctlcm.cab
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinn...GamesLoader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.grab.com/...les/222/222.cab
O16 - DPF: {775879E2-7309-4619-BB02-AADE41F4B690} (CPlayFirstdreamControl Object) - http://games.bigfish...web.1.0.0.9.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinn...ed/wwlaunch.cab
O16 - DPF: {97438FE9-D361-4279-BA82-98CC0877A717} (Cubis Control) - http://www.worldwinn...cubis/cubis.cab
O16 - DPF: {9903F4ED-B673-456A-A15F-ED90C7DE9EF5} (Sol Control) - http://www.worldwinn...v45/sol/sol.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinn...man/hangman.cab
O16 - DPF: {B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} (CDToolCtrl Class) - http://free.aol.com/...5/aolcdt175.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - Unknown owner - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Verizon Internet Security Suite (Radialpoint Security Services) - Radialpoint Inc. - C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe
O23 - Service: Verizon Internet Security Suite Update Service (RPSUpdaterR) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\rpsupdaterR.exe
O23 - Service: Verizon Internet Security Suite Firewall (RP_FWS) - Verizon - C:\Program Files\Verizon\Verizon Internet Security Suite\Fws.exe
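An added triage example, not part of the original thread or of HijackThis: the one hostile O4 line in the log above stands out for three reasons a helper reads at a glance. Its Run value name ("g]eeV\mWhjlnspB") contains a bracket and a backslash no installer would use, its target is an eight-consonant file (lcntlkdn.exe) dropped straight into system32, and it passes a random-looking token ("DWramYB") as an argument, a common "only run when launched by our own Run entry" check. This Python script (mine, not the forum's or any tool's) applies those three heuristics to a handful of O4 lines copied from the log above. The character set, the vowel rule and the 7-character threshold are my own assumptions, tuned so that the vendor entries in this log (igfxtray, hkcmd, ctfmon, NeroCheck) pass.

```python
"""Triage HijackThis O4 (autostart) lines for persistence red flags.

Each heuristic contributes a reason string to a finding:
  odd-name    the Run value name contains characters the registry allows but
              no installer uses in a name: \\ ] [ / : * ? " < > |
  random-exe  the target sits directly in %WINDIR% or system32 and its stem is
              7+ characters long with no vowels (vendor binaries read as words)
  odd-arg     a command-line token that is neither a switch (-x, /x) nor part
              of the quoted path, e.g. a magic key the loader checks at start
Thresholds and character sets are my own assumptions, tuned on this log.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# O4 - HKLM\..\Run: [ValueName] C:\path\to\file.exe -args
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>.+?)\] (?P<cmd>.+)$'
)
# Command: either a quoted path, or an unquoted one ending at the first .exe/.dll/.sys/.scr
CMD_RE = re.compile(
    r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|dll|sys|scr)))(?P<args>.*)$',
    re.IGNORECASE,
)
ODD_NAME_CHARS = set('\\[]/:*?"<>|')
VOWELS = set('aeiouy')
SYSTEM_DIRS = ('c:\\windows\\system32\\', 'c:\\windows\\')


class Finding(NamedTuple):
    name: str
    exe: str
    reasons: List[str]


def split_command(cmd: str) -> Tuple[str, str]:
    """Separate the executable path from its arguments."""
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ''
    return (m.group('quoted') or m.group('bare')), m.group('args').strip()


def looks_random(stem: str) -> bool:
    """7+ character file stem with no vowels at all, e.g. 'lcntlkdn'."""
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(stem) >= 7 and bool(letters) and not any(c in VOWELS for c in letters)


def in_system_dir(exe: str) -> bool:
    """True when the file lives directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    normalised = exe.lower().replace('\\\\', '\\')   # HJT prints some paths with a doubled slash
    parent = normalised.rsplit('\\', 1)[0] + '\\'
    return parent in SYSTEM_DIRS


def odd_argument(args: str) -> Optional[str]:
    """First argument token that is not a -switch or /switch, else None."""
    for tok in args.split():
        if not tok.startswith(('-', '/')):
            return tok
    return None


def audit_hjt(lines) -> List[Finding]:
    """Return one Finding per O4 line that trips at least one heuristic."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        name = m.group('name')
        exe, args = split_command(m.group('cmd'))
        stem = exe.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
        reasons = []
        if ODD_NAME_CHARS & set(name):
            reasons.append('odd-name')
        if in_system_dir(exe) and looks_random(stem):
            reasons.append('random-exe')
        tok = odd_argument(args)
        if tok is not None:
            reasons.append('odd-arg:' + tok)
        if reasons:
            findings.append(Finding(name, exe, reasons))
    return findings


# O4 lines copied from the HijackThis log posted above (one hostile, the rest vendor software)
SAMPLE_O4 = [
    r'O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe',
    r'O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe',
    r'O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe',
    r'O4 - HKLM\..\Run: [Workflow] E:\Workflow.exe',
    r'O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot',
    r'O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN',
    r'O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe"',
    r'O4 - HKLM\..\Run: [g]eeV\mWhjlnspB] C:\WINDOWS\system32\lcntlkdn.exe DWramYB',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

if __name__ == '__main__':
    for f in audit_hjt(SAMPLE_O4):
        print(f'[{f.name}] -> {f.exe}: {", ".join(f.reasons)}')
```

Run against the sample, only the lcntlkdn.exe entry is reported, with all three reasons. The heuristics are deliberately narrow; a name such as hkcmd is five consonants and stays below the length threshold, and a missing-file entry like E:\Workflow.exe is left alone because its location, not its name, is what is unusual.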

#10 pdpfishin


Posted 04 May 2008 - 12:29 PM

COMBOFix:


ComboFix 08-05-01.3 - private 2008-05-04 13:43:00.2 - NTFSx86
Running from: C:\Documents and Settings\private\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\private\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\Documents and Settings\Owner\Application Data\internaldb153.dat
C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
C:\PROGRA~1\IWINGA~1\IWINGA~1.DLL
C:\WINDOWS\system32\hgGxWqoo.dll
C:\WINDOWS\system32\lcntlkdn.exe
C:\WINDOWS\system32\mlJApQkk.dll
C:\WINDOWS\system32\nsp5C.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\winpfz33.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Application Data\internaldb153.dat
C:\Documents and Settings\Owner\Application Data\internaldb1942.dat
C:\Documents and Settings\Owner\Application Data\internaldb2391.dat
C:\Documents and Settings\Owner\Application Data\internaldb3902.dat
C:\Documents and Settings\Owner\Application Data\internaldb4604.dat
C:\Documents and Settings\Owner\Application Data\internaldb4827.dat
C:\Documents and Settings\Owner\Application Data\internaldb5436.dat
C:\Documents and Settings\Owner\Application Data\internaldb6334.dat
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\private\Local Settings\Temporary Internet Files\bestwiner.stt
C:\Documents and Settings\private\Local Settings\Temporary Internet Files\CPV.stt
C:\Program Files\Svconr
C:\Program Files\Svconr\Svconr.exe
C:\Program Files\temp01\
C:\TEMP\wdlw14
C:\TEMP\wdlw14\maxN1bo.log
C:\WINDOWS\system32\nsp5C.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\winpfz33.sys

.
((((((((((((((((((((((((( Files Created from 2008-04-04 to 2008-05-04 )))))))))))))))))))))))))))))))
.

2008-04-30 23:43 . 2008-04-30 23:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-30 15:40 . 2008-04-30 15:40 <DIR> dr------- C:\Documents and Settings\private\Application Data\Brother
2008-04-29 01:52 . 2008-05-01 23:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 01:52 . 2008-04-29 01:52 <DIR> d-------- C:\Documents and Settings\private\Application Data\Malwarebytes
2008-04-29 01:52 . 2008-04-29 01:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-29 00:23 . 2008-04-29 00:23 399,467 --a------ C:\WINDOWS\system32\g18.exe
2008-04-16 18:15 . 2008-04-16 18:15 <DIR> d-------- C:\Documents and Settings\private\Application Data\AdobeUM
2008-04-14 09:31 . 2008-04-14 09:31 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-14 01:43 . 2008-04-14 01:43 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-13 18:59 . 2008-04-13 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-13 16:51 . 2008-04-13 16:51 <DIR> d-------- C:\Documents and Settings\private\Application Data\Motive
2008-04-10 01:08 . 2008-04-10 01:08 305 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 18:30 . 2008-04-09 18:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-04-09 18:22 . 2008-04-09 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-04-09 18:20 . 2008-04-09 18:22 <DIR> d-------- C:\Program Files\Common Files\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 17:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-04 10:25 --------- d-----w C:\Program Files\Top Ten Solitaire
2008-05-01 03:14 --------- d-----w C:\Program Files\BFG
2008-05-01 02:58 --------- d-----w C:\Program Files\PokerStars
2008-04-30 19:40 --------- d-----w C:\Program Files\Yahoo!
2008-04-30 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-30 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-30 05:01 --------- d-----w C:\Documents and Settings\private\Application Data\Yahoo!
2008-04-17 20:07 --------- d-----w C:\Documents and Settings\private\Application Data\ZoomBrowser EX
2008-04-17 20:06 --------- d-----w C:\Documents and Settings\private\Application Data\CameraWindowDC
2008-04-13 23:00 --------- d-----w C:\Program Files\iWin.com
2008-04-13 22:50 --------- d-----w C:\Program Files\iWin Games
2008-04-13 19:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
2008-04-13 19:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CameraWindowDC
2008-04-09 22:32 --------- d-----w C:\Program Files\verizon
2008-04-04 02:25 --------- d-----w C:\Documents and Settings\private\Application Data\CANON INC
2008-04-03 22:37 --------- d-----w C:\Documents and Settings\private\Application Data\Verizon
2008-04-03 21:50 --------- d-----w C:\Program Files\Verizon Online
2008-03-24 18:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\funkitron
2008-03-24 18:22 --------- d-----w C:\Program Files\GamesBar
2008-03-15 04:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Verizon
2008-03-15 04:15 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-15 04:10 --------- d-----w C:\Program Files\Raxco
2008-03-15 04:10 --------- d-----w C:\Program Files\Common Files\Authentium
2008-03-15 04:10 --------- d-----w C:\Program Files\CA
2008-03-15 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-15 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Verizon
2008-03-15 04:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-15 03:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 06:16 --------- d-----w C:\Program Files\Java
2008-03-05 05:37 0 ----a-w C:\Program Files\temp01
2008-03-05 05:37 --------- d-----w C:\Program Files\bfgclient
2008-03-05 05:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\BigFishGamesCache
2007-10-30 03:14 32,408 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-22 03:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-06-12 21:13 439,296 ----a-w C:\Documents and Settings\Owner\GoToAssist_phone__317_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 22:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-29 22:13 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 06:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-04-30 15:36 966706]
"Workflow"="E:\Workflow.exe" [ ]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 08:46 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 13:18 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 11:14 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 17:10 318704]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 17:11 13552]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\lcntlkdn.exe" [ ]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-18 23:44]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-19 04:17]
S3 Radialpoint Security Services;Verizon Internet Security Suite;"C:\Program Files\Verizon\Verizon Internet Security Suite\RpsSecurityAware.exe" [2008-02-26 17:10]

.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 21:37:42 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-04 13:49:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"="C:\\WINDOWS\\system32\\lcntlkdn.exe DWramYB"
.
Completion time: 2008-05-04 13:52:33
ComboFix-quarantined-files.txt 2008-05-04 17:52:26
ComboFix2.txt 2008-05-03 21:07:07

Pre-Run: 35,230,973,952 bytes free
Post-Run: 35,255,738,368 bytes free

171 --- E O F --- 2008-04-12 05:24:36

When the scan finished, my desktop did not pop back up??
When I got it back up, it stated "windows could not find '/idlist,:0:27287,C:Documents:"


thanks again for your Help!! :thumbup:



#11 Gary R


Posted 05 May 2008 - 01:01 AM

OK, most of what needed removing has been removed, however one of the entries has re-appeared, so we'll need to have another try using a different script.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Rootkit::
C:\WINDOWS\system32\lcntlkdn.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"g]eeV\\mWhjlnspB"=-
  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
[Image: CFScript.txt being dragged onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

Next

  • Click Start > Run and type cleanmgr then click OK.
  • This will bring up the Disk Cleanup window.
  • Check the following entries.
    • Temporary Internet Files.
    • Recycle Bin.
    • Temporary Files.
  • Click OK.
  • When a prompt pops up click Yes.

Then

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an ActiveX component to your computer.

Important: If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [Image: Kaspersky Online Scanner results window, red arrow on the Save Report As... button]
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KAVScan
  • In the Save as type prompt, select Text file (see below)

    [Image: Save as dialog with "Save as type" set to Text file]
  • Copy and paste that information in your next post please.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Finally

Run a new scan with HJT and post me the log please.

Summary of the logs I need from you in your next post:
  • New Combofix log
  • Kaspersky log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.

Edited by Gary R, 05 May 2008 - 01:02 AM.

Gary R

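An added verification example, not part of the original thread or of ComboFix: the CFScript above targets one file and one Run value, and the way to confirm it did only that is to diff the "Reg Loading Points" sections of the ComboFix log from before the script and the one it produces afterwards. This Python script (mine, not the forum's or any tool's) parses those REGEDIT4-style sections, reports removed, added and changed values, and also lists values whose trailing metadata is an empty "[ ]". The "before" snapshot is copied from the 2008-05-04 log above; the "after" snapshot is constructed to show what a clean result looks like. My reading of an empty "[ ]" as "ComboFix had no file metadata to print" is an interpretation, not documented ComboFix behaviour.

```python
"""Diff the 'Reg Loading Points' (REGEDIT4) sections of two ComboFix logs.

After a CFScript run, this shows whether exactly the targeted value went
away and whether anything new was planted in between. It also pulls out
values whose trailing metadata is an empty '[ ]'; my assumption is that
ComboFix could not stat the target (missing, hidden, or on a drive that
was not present), which deserves a second look either way.
"""
import re
from typing import Dict, List, Tuple

KEY_RE = re.compile(r'^\[(?P<key>HK[^\]]+)\]$')
# "ValueName"="C:\path\file.exe" [2004-01-29 22:13 155648]   (metadata may be '[ ]')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?$')

Snapshot = Dict[str, Dict[str, Tuple[str, str]]]  # key -> value name -> (data, metadata)


def parse_loading_points(text: str) -> Snapshot:
    """Collect [key] / "name"="data" [meta] lines into a nested dict."""
    snap: Snapshot = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            snap.setdefault(key, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            snap[key][vm.group('name')] = (vm.group('data'), (vm.group('meta') or '').strip())
    return snap


def diff_snapshots(before: Snapshot, after: Snapshot):
    """Return (removed, added, changed) value lists across the two snapshots."""
    removed, added, changed = [], [], []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, {}), after.get(key, {})
        for name in sorted(set(b) - set(a)):
            removed.append((key, name, b[name][0]))
        for name in sorted(set(a) - set(b)):
            added.append((key, name, a[name][0]))
        for name in sorted(set(a) & set(b)):
            if a[name][0] != b[name][0]:
                changed.append((key, name, b[name][0], a[name][0]))
    return removed, added, changed


def unreadable_targets(snap: Snapshot) -> List[Tuple[str, str, str]]:
    """Values whose ComboFix metadata was empty ('[ ]')."""
    return [(key, name, data)
            for key, values in snap.items()
            for name, (data, meta) in values.items()
            if meta == '']


# Subset of the HKLM Run key from the 2008-05-04 ComboFix log posted above
BEFORE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 22:13 155648]
"Workflow"="E:\Workflow.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"g]eeV\mWhjlnspB"="C:\WINDOWS\system32\lcntlkdn.exe" [ ]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"""

# Constructed 'after' snapshot: hostile value gone, one RunOnce entry left by the security suite
AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 22:13 155648]
"Workflow"="E:\Workflow.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"""

if __name__ == '__main__':
    removed, added, changed = diff_snapshots(parse_loading_points(BEFORE), parse_loading_points(AFTER))
    for label, rows in (('removed', removed), ('added', added), ('changed', changed)):
        for row in rows:
            print(label, *row[1:])
    for _, name, data in unreadable_targets(parse_loading_points(BEFORE)):
        print('no metadata:', name, '->', data)
```

The diff should come back with exactly one removal (the targeted value) and nothing changed; any unexpected addition is the cue to look again before declaring the machine clean. The empty-metadata list is noisy by design: a Run entry for a removable drive (E:\Workflow.exe) shows up alongside the hostile one, so it is a list to review, not a verdict.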

#12 pdpfishin


Posted 05 May 2008 - 07:02 PM

Real quick -- I have been using a second profile/user on my computer due to the fact that the first one froze up and only allowed me access to control panel. Do I need to scan that side or is all as one here in the wonderful world of XP Home Edition????

#13 Gary R


Posted 06 May 2008 - 12:06 AM

Thanks for letting me know. Continue the instructions as I posted them, we'll look at the other account once this one looks clean.
Gary R


#14 pdpfishin


Posted 06 May 2008 - 08:21 PM

OK here we are :unsure:


ComboFix 08-05-01.3 - private 2008-05-06 19:38:02.3 - NTFSx86
Running from: C:\Documents and Settings\private\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\private\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\lcntlkdn.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-04-30 23:43 . 2008-04-30 23:43 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-30 15:40 . 2008-04-30 15:40 <DIR> dr------- C:\Documents and Settings\private\Application Data\Brother
2008-04-29 01:52 . 2008-05-01 23:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-29 01:52 . 2008-04-29 01:52 <DIR> d-------- C:\Documents and Settings\private\Application Data\Malwarebytes
2008-04-29 01:52 . 2008-04-29 01:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-29 00:23 . 2008-04-29 00:23 399,467 --a------ C:\WINDOWS\system32\g18.exe
2008-04-16 18:15 . 2008-04-16 18:15 <DIR> d-------- C:\Documents and Settings\private\Application Data\AdobeUM
2008-04-14 09:31 . 2008-04-14 09:31 9,662 --a------ C:\WINDOWS\system32\iphone-6y.ico
2008-04-14 01:43 . 2008-04-14 01:43 9,662 --a------ C:\WINDOWS\system32\vaio3-011.ico
2008-04-13 18:59 . 2008-04-13 18:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Gogii
2008-04-13 16:51 . 2008-04-13 16:51 <DIR> d-------- C:\Documents and Settings\private\Application Data\Motive
2008-04-10 01:08 . 2008-04-10 01:08 305 --a------ C:\WINDOWS\system32\MRT.INI
2008-04-09 18:30 . 2008-04-09 18:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Motive
2008-04-09 18:22 . 2008-04-09 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Motive
2008-04-09 18:20 . 2008-04-09 18:22 <DIR> d-------- C:\Program Files\Common Files\Motive

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 23:29 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-06 19:20 --------- d-----w C:\Program Files\Top Ten Solitaire
2008-05-04 20:08 --------- d-----w C:\Documents and Settings\private\Application Data\ZoomBrowser EX
2008-05-01 03:14 --------- d-----w C:\Program Files\BFG
2008-05-01 02:58 --------- d-----w C:\Program Files\PokerStars
2008-04-30 19:40 --------- d-----w C:\Program Files\Yahoo!
2008-04-30 05:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-30 05:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-30 05:01 --------- d-----w C:\Documents and Settings\private\Application Data\Yahoo!
2008-04-17 20:06 --------- d-----w C:\Documents and Settings\private\Application Data\CameraWindowDC
2008-04-13 23:00 --------- d-----w C:\Program Files\iWin.com
2008-04-13 22:50 --------- d-----w C:\Program Files\iWin Games
2008-04-13 19:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\ZoomBrowser EX
2008-04-13 19:48 --------- d-----w C:\Documents and Settings\Owner\Application Data\CameraWindowDC
2008-04-09 22:32 --------- d-----w C:\Program Files\verizon
2008-04-04 02:25 --------- d-----w C:\Documents and Settings\private\Application Data\CANON INC
2008-04-03 22:37 --------- d-----w C:\Documents and Settings\private\Application Data\Verizon
2008-04-03 21:50 --------- d-----w C:\Program Files\Verizon Online
2008-03-24 18:24 --------- d-----w C:\Documents and Settings\Owner\Application Data\funkitron
2008-03-24 18:22 --------- d-----w C:\Program Files\GamesBar
2008-03-15 04:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Verizon
2008-03-15 04:15 --------- d-----w C:\Program Files\Common Files\Scanner
2008-03-15 04:10 --------- d-----w C:\Program Files\Raxco
2008-03-15 04:10 --------- d-----w C:\Program Files\Common Files\Authentium
2008-03-15 04:10 --------- d-----w C:\Program Files\CA
2008-03-15 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-15 04:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Verizon
2008-03-15 04:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\InstallShield
2008-03-15 03:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-13 06:16 --------- d-----w C:\Program Files\Java
2008-03-05 05:37 0 ----a-w C:\Program Files\temp01
2007-10-30 03:14 32,408 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-08-22 03:27 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2007-06-12 21:13 439,296 ----a-w C:\Documents and Settings\Owner\GoToAssist_phone__317_en.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-03_17.06.14.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-03 21:01:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-06 23:47:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22 4670968]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-01-29 22:13 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-01-29 22:13 118784]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 16:42 212992]
"NeroCheck"="C:\WINDOWS\system32\\NeroCheck.exe" [2001-07-09 06:50 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2003-04-30 15:36 966706]
"Workflow"="E:\Workflow.exe" [ ]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22 155648]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 15:25 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 15:45 40960]
"BrMfcWnd"="C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe" [2006-06-28 08:46 622592]
"SetDefPrt"="C:\Program Files\Brother\Brmfl06a\BrStDvPt.exe" [2005-01-26 19:02 49152]
"ControlCenter3"="C:\Program Files\Brother\ControlCenter3\brctrcen.exe" [2006-06-29 13:18 77824]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-06-26 11:14 185632]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2008-02-13 13:03 2065648]
"Verizon Internet Security Suite"="C:\Program Files\Verizon\Verizon Internet Security Suite\Rps.exe" [2008-02-26 17:10 318704]
"-FreedomNeedsReboot"="C:\Program Files\Verizon\Verizon Internet Security Suite\ZkRunOnceR.exe" [2008-02-26 17:11 13552]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 12:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"IndexCleaner"="C:\Program Files\Verizon\Verizon Internet Security Suite\IdxClnR.exe" [2008-02-26 17:10 61168]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iWin Games\\iWinGames.exe"=
"C:\\Program Files\\iWin Games\\WebUpdater.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys [2004-10-15 13:50]
R3 BrSerIf;Brother MFC Serial Port Interface WDM Driver;C:\WINDOWS\system32\Drivers\BrSerIf.sys [2006-01-18 23:44]
R3 BrUsbSer;Brother MFC USB Serial WDM Driver;C:\WINDOWS\system32\Drivers\BrUsbSer.sys [2006-01-19 04:17]

.
Contents of the 'Scheduled Tasks' folder
"2006-08-02 21:37:42 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\system32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-06 19:58:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\verizon\Verizon Internet Security Suite\Fws.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Ahead\InCD\incdsrv.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\verizon\VSP\VerizonServicepointComHandler.exe
C:\Program Files\verizon\Verizon Internet Security Suite\rpsupdaterR.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\verizon\McciBrowser.exe
.
**************************************************************************
.
Completion time: 2008-05-06 20:05:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-07 00:04:49
ComboFix2.txt 2008-05-04 17:52:34
ComboFix3.txt 2008-05-03 21:07:07

Pre-Run: 35,146,354,688 bytes free
Post-Run: 35,225,874,432 bytes free

162 --- E O F --- 2008-04-12 05:24:36

#15 pdpfishin
Authentic Member, 54 posts

Posted 06 May 2008 - 08:24 PM

31 ??? OMG :smack: :pullhair:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 10:19:44 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/05/2008
Kaspersky Anti-Virus database records: 743221
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 63614
Number of viruses found: 31
Number of infected objects: 81
Number of suspicious objects: 0
Duration of the scan process: 01:30:35

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_cat.bat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_Compress_20070207_154614_1_1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\BR_PC_CHK.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Brother\BrLog\BrCollectDir\Progress_log_Compress.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\Firewall - Blocked Packets - 05-06-2008--20-02-35.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\FirewallService05-06-2008--19-47-37.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\rpu-Tuesday May-06-08 20.00.05.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\SafetyConsoleLog05-06-2008--20-00-00.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Verizon\Verizon Internet Security Suite\Logs\ServiceModel05-06-2008--19-59-58.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Music\01 Track 1 (vietam).wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Owner\My Documents\My Music\03 Track 3 (vietam).wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Owner\My Documents\My Music\Eighties classic (baby).wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Owner\My Documents\My Music\Top of Charts - 2004 (vietnam).wma Infected: Trojan-Downloader.WMA.Wimad.l skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0005/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0005/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.TrafficSol.n skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0006/stream/data0004 Infected: not-a-virus:AdWare.Win32.BHO.ha skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0006/stream/data0005 Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip/setup.exe Infected: not-a-virus:AdWare.Win32.BHO.lq skipped
C:\Documents and Settings\Owner\My Documents\My Music\tupac straight ballin new.zip ZIP: infected - 8 skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\IMG_0107.JPG Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\IMG_0108.JPG Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\IMG_0109.JPG Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\IMG_0111.JPG Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\IMG_0112.JPG Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\Thumbs.db Object is locked skipped
C:\Documents and Settings\Owner\My Documents\My Pictures\2008_03_07\ZbThumbnail.info Object is locked skipped
C:\Documents and Settings\private\Application Data\Verizon\VSP\client_gateway.log Object is locked skipped
C:\Documents and Settings\private\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\private\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\private\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\private\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\private\Local Settings\Temp\~DFE490.tmp Object is locked skipped
C:\Documents and Settings\private\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\private\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\private\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\private\ntuser.dat.LOG Object is locked skipped
C:\Program Files\CA\PPRT\logs\2008-05-06.csv Object is locked skipped
C:\Program Files\iWin.com\Dream Chronicles 2 The Eternal Maze\GLWorker.exe Infected: Trojan-Spy.Win32.SCKeyLog.cm skipped
C:\Program Files\iWin.com\The Hidden Object Show\GLWorker.exe Infected: Trojan-Spy.Win32.SCKeyLog.ca skipped
C:\QooBox\Quarantine\C\Documents and Settings\private\My Documents\APPATC~1\logonui.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\ASEMBL~1\mѕhta.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\arswxueh.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ecusetcq.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hsrioxev.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lqfspybx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nsp5C.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.acx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vhufexlq.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP13\A0001343.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.s skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP19\A0001672.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP19\A0001673.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP20\A0003686.exe Infected: not-a-virus:FraudTool.Win32.SpyLocked.as skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP20\A0003694.exe Infected: not-a-virus:FraudTool.Win32.SpyLocked.s skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP59\A0007035.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP60\A0007064.exe Infected: Trojan-Downloader.Win32.Homles.au skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP61\A0007139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mwq skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP61\A0007229.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP61\A0007230.exe Infected: Trojan-Downloader.Win32.Homles.au skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP61\A0008211.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP61\A0008226.exe Infected: Trojan-Downloader.Win32.VB.dsk skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP61\A0008229.exe Infected: Trojan-Downloader.Win32.Homles.au skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP63\A0008290.exe Infected: Trojan-Downloader.Win32.Homles.au skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008299.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008300.exe Infected: Backdoor.Win32.IRCBot.aro skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008368.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008369.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008370.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008371.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0008372.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP64\A0009421.exe Infected: Backdoor.Win32.VB.czs skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP66\A0010779.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP69\A0013872.exe Infected: Trojan-Downloader.Win32.Homles.bc skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP71\A0013905.exe Infected: Trojan-Downloader.Win32.Homles.bi skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015871.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015891.exe Infected: Trojan-Downloader.Win32.Agent.ltf skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015896.exe Infected: Trojan.Win32.BHO.bhg skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015897.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015898.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015913.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP73\A0015923.exe Infected: Trojan.Win32.Agent.lke skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP75\A0017039.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP75\A0017045.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bnu skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP75\A0017045.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.bnu skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP75\A0017045.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP75\A0017065.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP75\A0017074.exe Infected: Trojan-Downloader.Win32.Homles.bj skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP78\A0017323.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP78\A0017327.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP78\A0017328.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP78\A0017329.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP78\A0017330.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mvn skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP78\A0017331.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP79\A0017411.dll Infected: not-a-virus:AdWare.Win32.BHO.acx skipped
C:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP80\change.log Object is locked skipped
C:\WINDOWS\20-a7616afeb8af3d01fc29ca5cd91a1414.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.EZula.co skipped
C:\WINDOWS\20-a7616afeb8af3d01fc29ca5cd91a1414.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.co skipped
C:\WINDOWS\20-a7616afeb8af3d01fc29ca5cd91a1414.exe NSIS: infected - 2 skipped
C:\WINDOWS\3-d0105f0375fe6b62fc90f554e10ca5eb.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\3-d0105f0375fe6b62fc90f554e10ca5eb.exe/stream Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\3-d0105f0375fe6b62fc90f554e10ca5eb.exe NSIS: infected - 2 skipped
C:\WINDOWS\6-fcd1eba2a03d5087926f018c645030f1.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\6-fcd1eba2a03d5087926f018c645030f1.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\6-fcd1eba2a03d5087926f018c645030f1.exe/stream Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\6-fcd1eba2a03d5087926f018c645030f1.exe NSIS: infected - 3 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1BB9B67E-8AB7-4B4C-945C-E8FF3CA96C31}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\g18.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.Agent.bnu skipped
C:\WINDOWS\system32\g18.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.bnu skipped
C:\WINDOWS\system32\g18.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP80\change.log Object is locked skipped

Scan process completed.
