08-05-2008, 10:40 PM   #6
ElessarDunadan
OS: Windows XP SP2


Re: Firefox/IE isn't working & has malware pop-ups

Sorry about the quote tags.

Here is the ComboFix log:

ComboFix 08-08-04.09 - Family 2008-08-05 22:13:31.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.542 [GMT -6:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMabd9e110.txt
C:\WINDOWS\BMabd9e110.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\cebxtqph.ini
C:\WINDOWS\system32\DghQqBeg.ini
C:\WINDOWS\system32\DghQqBeg.ini2
C:\WINDOWS\system32\hgaldgef.ini
C:\WINDOWS\system32\hqtpcsqp.ini
C:\WINDOWS\system32\lvyqgytr.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\uomlrbbd.ini
C:\WINDOWS\system32\vqingubq.ini
C:\WINDOWS\system32\wmyulvhb.ini
C:\WINDOWS\system32\wwkevlww.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-05 22:21 . 0 C:\WINDOWS\system32\wmyulvhb.tmp
2008-08-05 22:20 . 2008-08-05 22:20 111,577 --a------ C:\WINDOWS\BMabd9e110.xml
2008-08-05 22:20 . 2008-08-05 22:20 22 --a------ C:\WINDOWS\pskt.ini
2008-08-05 19:37 . 2008-08-05 19:37 2,048 --a------ C:\WINDOWS\system32\relsgwvl.exe
2008-08-05 19:34 . 2008-08-05 19:34 83,456 --a------ C:\WINDOWS\system32\bhvluymw.dll
2008-08-05 19:31 . 2008-08-05 19:31 105,472 --a------ C:\WINDOWS\system32\tcsfvb.dll
2008-08-05 19:31 . 2008-08-05 19:31 105,472 --a------ C:\WINDOWS\system32\jiskiiip.dll
2008-08-05 19:28 . 2008-08-05 19:28 91,648 --a------ C:\WINDOWS\system32\vcdblbih.dll
2008-08-04 19:34 . 2008-08-04 19:34 105,472 --a------ C:\WINDOWS\system32\ugqtwg.dll
2008-08-04 19:34 . 2008-08-04 19:34 105,472 --a------ C:\WINDOWS\system32\nqkbjeai.dll
2008-08-04 19:31 . 2008-08-04 19:31 2,048 --a------ C:\WINDOWS\system32\snltmrcd.exe
2008-08-04 19:26 . 2008-08-04 19:26 91,648 --a------ C:\WINDOWS\system32\qcxpovag.dll
2008-08-04 10:44 . 2008-08-04 10:44 <DIR> d-------- C:\LORD-CD
2008-08-03 19:21 . 2008-08-03 19:21 114,176 --a------ C:\WINDOWS\system32\idapesxy.dll
2008-08-03 19:21 . 2008-08-03 19:21 114,176 --a------ C:\WINDOWS\system32\ffqrkh.dll
2008-08-03 19:19 . 2008-08-03 19:19 91,648 --a------ C:\WINDOWS\system32\wuyvtjdu.dll
2008-08-02 18:18 . 2008-08-02 18:18 91,648 --a------ C:\WINDOWS\system32\pjxvastr.dll
2008-08-01 18:22 . 2008-08-01 18:22 114,176 --a------ C:\WINDOWS\system32\jdonphjv.dll
2008-08-01 18:22 . 2008-08-01 18:22 114,176 --a------ C:\WINDOWS\system32\flsblx.dll
2008-08-01 18:19 . 2008-08-01 18:19 91,648 --a------ C:\WINDOWS\system32\uxsdxvsl.dll
2008-07-31 18:04 . 2008-07-31 18:04 105,472 --a------ C:\WINDOWS\system32\bsxuheci.dll
2008-07-31 18:04 . 2008-07-31 18:04 105,472 --a------ C:\WINDOWS\system32\bjemuv.dll
2008-07-31 18:01 . 2008-07-31 18:01 91,648 --a------ C:\WINDOWS\system32\tjartvos.dll
2008-07-31 17:01 . 2008-07-31 17:01 105,472 --a------ C:\WINDOWS\system32\rukcelyy.dll
2008-07-31 17:01 . 2008-07-31 17:01 105,472 --a------ C:\WINDOWS\system32\mnrbcb.dll
2008-07-30 20:08 . 2008-07-30 20:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-30 19:30 . 2008-07-30 19:30 <DIR> d-------- C:\Deckard
2008-07-30 19:09 . 2008-07-30 19:10 <DIR> d-------- C:\ie-spyad_zo
2008-07-30 15:41 . 2008-07-30 15:41 <DIR> d-------- C:\Program Files\Panda Security
2008-07-30 15:41 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-30 14:25 . 2008-07-30 14:25 105,472 --a------ C:\WINDOWS\system32\unnffk.dll
2008-07-30 14:25 . 2008-07-30 14:25 105,472 --a------ C:\WINDOWS\system32\mkmgxisw.dll
2008-07-30 14:22 . 2008-07-30 14:22 91,648 --a------ C:\WINDOWS\system32\onfrbhxd.dll
2008-07-29 21:09 . 2008-07-29 21:09 1,096 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-29 12:33 . 2008-07-29 12:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-29 12:02 . 2008-07-29 12:02 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-29 11:27 . 2008-07-29 11:27 105,472 --a------ C:\WINDOWS\system32\pngvbl.dll
2008-07-29 11:27 . 2008-07-29 11:27 105,472 --a------ C:\WINDOWS\system32\ahjpppua.dll
2008-07-29 11:25 . 2008-07-29 11:25 91,648 --a------ C:\WINDOWS\system32\vdlcvhpu.dll
2008-07-29 10:48 . 2008-07-29 10:48 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Bitdefender
2008-07-29 10:31 . 2008-07-29 10:31 <DIR> d-------- C:\Program Files\Softwin
2008-07-28 21:50 . 2008-07-28 21:50 113,180 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-07-28 19:49 . 2008-07-28 19:49 91,648 --a------ C:\WINDOWS\system32\roeiyidj.dll
2008-07-28 19:47 . 2008-07-28 19:47 314,880 --a------ C:\WINDOWS\system32\geBqQhgD.dll
2008-07-28 19:42 . 2008-07-28 20:14 <DIR> d-------- C:\WINDOWS\RmFtaWx5
2008-07-27 09:07 . 2008-07-27 09:07 132 --a------ C:\WINDOWS\liveup.ini
2008-07-24 19:15 . 2008-07-24 19:17 <DIR> d-------- C:\Program Files\Strawberry Prolog
2008-07-20 21:12 . 2008-07-20 21:30 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-19 21:10 . 2008-07-31 12:43 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 03:30 --------- d-----w C:\Program Files\MSECache
2008-08-06 02:21 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-07-29 17:57 --------- d-----w C:\Program Files\Windows Live
2008-07-29 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-07-29 16:31 --------- d-----w C:\Program Files\Common Files\Softwin
2008-07-23 02:24 --------- d-----w C:\Program Files\HiDownload
2008-07-20 04:25 --------- d-----w C:\Documents and Settings\Family\Application Data\Apple Computer
2008-07-20 03:17 --------- d-----w C:\Program Files\QuickTime
2008-07-20 03:04 --------- d-----w C:\Program Files\Apple Software Update
2008-07-11 01:02 --------- d-----w C:\Program Files\Winamp
2008-07-05 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\AGS Demo Game
2008-07-01 17:21 --------- d-----w C:\Program Files\NoteWorthy Composer
2008-06-27 01:41 --------- d-----w C:\Documents and Settings\Family\Application Data\ICAClient
2008-05-22 04:29 906 ----a-w C:\Documents and Settings\Family\Application Data\wklnhst.dat
2006-09-22 15:42 421,888 ----a-w C:\Program Files\putty.exe
2005-02-04 02:35 5,808 ----a-w C:\Program Files\dad.rvn
2005-02-02 22:21 7,387 ----a-w C:\Program Files\ryan.rvn
2005-02-02 22:00 7,190 ----a-w C:\Program Files\keri.rvn
2000-01-15 23:03 4,770 ----a-w C:\Program Files\SOUND.DRV
2000-01-15 23:03 14,743 ----a-w C:\Program Files\MUSIC.DRV
2005-09-09 16:04 56 --sh--r C:\WINDOWS\system32\02836ADAB6.sys
2008-02-20 02:51 56 --sh--r C:\WINDOWS\system32\401AA90494.sys
2008-02-20 02:51 9,188 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E54B445-359D-4385-BF81-1E534E6CDBBC}]
2008-07-28 19:47 314880 --a------ C:\WINDOWS\system32\geBqQhgD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8620ec8c-0939-4028-9099-714d1b2a1b94}]
2008-08-05 19:31 105472 --a------ C:\WINDOWS\system32\tcsfvb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
@="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
@="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
@="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
@="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
@="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
@="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
@="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
[HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
2008-02-16 12:35 536576 --a------ C:\Program Files\TortoiseSVN\bin\tortoisesvn.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IECheck"="C:\WINDOWS\IECheck.exe" [2005-11-17 20:40 108544]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"FLMK08KB"="C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE" [2008-03-16 11:38 207360]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2007-03-26 14:49 69632]
"a8ead28c"="C:\WINDOWS\system32\bhvluymw.dll" [2008-08-05 19:34 83456]
"BMabd9e110"="C:\WINDOWS\system32\vcdblbih.dll" [2008-08-05 19:28 91648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=sockspy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.avis"= ff_acm.acm

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Uakos"="C:\Documents and Settings\Family\Application Data\F?nts\j?vaw.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"runner1"=C:\WINDOWS\mrofinu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
"NI.UGA6P_0001_N122M2802"="C:\DOCUME~1\Family\LOCALS~1\Temp\winvsnet.exe"
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"BMabd9e110"=Rundll32.exe "C:\WINDOWS\system32\roeiyidj.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3724:TCP"= 3724:TCP:Blizzard Downloader
"6112:TCP"= 6112:TCP:Blizzard Downloader

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
S3 CardReaderFilter;Card Reader Filter;C:\WINDOWS\system32\Drivers\USBCRFT.SYS [2008-03-13 14:10]
S3 UKBFLT;UKBFLT;C:\WINDOWS\system32\DRIVERS\UKBFLT.sys [2003-12-19 16:13]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2006-12-02 06:17]
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\oc56v5j0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.ca


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 22:20:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\wmyulvhb.ini 1487794 bytes
C:\WINDOWS\system32\mucltui.dll 271224 bytes executable
C:\WINDOWS\system32\mucltui.dll.mui 30072 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\bhvluymw.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KBDAP32A.EXE
.
**************************************************************************
.
Completion time: 2008-08-05 22:28:40 - machine was rebooted [Family]
ComboFix-quarantined-files.txt 2008-08-06 04:28:33
ComboFix2.txt 2008-07-29 17:22:24

Pre-Run: 247,272,251,392 bytes free
Post-Run: 247,185,887,232 bytes free

243

And here is the HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:35:53 PM, on 08/05/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Program Files\Muiltmedia keyboard utility\1.3\KbdAp32A.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [FLMK08KB] C:\Program Files\Muiltmedia keyboard utility\1.3\MMKEYBD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKLM\..\Run: [BMabd9e110] Rundll32.exe "C:\WINDOWS\system32\ntkgclwh.dll",s
O4 - HKLM\..\Run: [a8ead28c] rundll32.exe "C:\WINDOWS\system32\obnmlwbh.dll",b
O4 - HKCU\..\Run: [IECheck] C:\WINDOWS\IECheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Download All Files by HiDownload - C:\Program Files\HiDownload\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\Program Files\HiDownload\HDGet.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler Trillix\saveflash\iebt.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\Program Files\HiDownload\hidownload.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.cicero.ca/
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {2042B57E-6336-459E-B7CE-2A0F6C9E6AF8} (IEPlayInterface Class) - http://www.lotrdvd.com/dvdkey/extend...s/iaieplay.dll
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/micr...?1193323682406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1193323659546
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft Terminal Services Client Control (redist)) - http://engrwww.usask.ca/department/s...y/ts/msrdp.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SQL Server Browser (SQLBrowser) - Unknown owner - c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

--
End of file - 6763 bytes