#1, 11-13-2008, 03:41 PM, kornjulio (Registered User; Join Date: Nov 2008; Posts: 4; OS: xp pro sp2)

Old Java, got Virtumonde?

Symptoms: Sporadic pop-ups after son played game online.

Actions to date:

Updated to latest Java, removed old versions.
Malwarebytes and Ad-Aware found & removed infections, but popups still happen....

HJT, DDS, GMER logs follow/attached...

Thanks! Kevin

HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:59:43 PM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Kevin\Application Data\Twain\Twain.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SansaDispatch] C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Kevin\Application Data\Twain\Twain.exe
O4 - Startup: MP3 Rocket (silent).lnk = C:\Program Files\MP3 Rocket\MP3Rocket_on_startup.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON SMART PANEL for Scanner.lnk = C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: hxxp://*.s-seriesforum.com
O15 - Trusted Zone: hxxp://*.turbotax.com
O16 - DPF: {01016526-5E80-11D8-9E86-0007E96C65AE} (SmartAccess Ctl Class) - hxxps://www.yahoo.com/diskless/bin/ssctlsma.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - hxxp://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - hxxp://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - hxxps://mygmgw.gm.com/http://usabhma...com/iNotes.cab
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - hxxp://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - hxxps://mygmgw.gm.com/http://usabhem...m/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://v5.windowsupdate.microsoft.co...?1104357269751
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - hxxp://atv.disney.go.com/global/down.../OTOYAX29b.cab
O16 - DPF: {A30FBBDC-FA29-4606-8565-14AADCCA6708} (Rite Aid One Hour Photo Online Control) - hxxps://photos.riteaid.com/control/R...hotoOnline.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - hxxp://www.sibelius.com/download/sof...iveXPlugin.cab
O16 - DPF: {ABB660B6-6694-407B-950A-EDBA5A159722} (DVCDownloadControl) - hxxp://download.games.yahoo.com/game...oadControl.cab
O16 - DPF: {BB383206-6DA1-4E80-B62A-3DF950FCC697} (Create & Print ActiveX Plug-in) - hxxp://www.imgag.com/cp/install/AxCtp2.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - hxxp://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - hxxp://www.sonypictures.com/games/th...derControl.cab
O18 - Filter hijack: text/html - {dc8f45bc-32bb-48a9-89dc-35a90d0d7ce1} - (no file)
O20 - AppInit_DLLs: karna.dat jflnql.dll ujpeye.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O24 - Desktop Component 0: (no name) - hxxps://www.natchezss.com/images/misc/background.gif

--
End of file - 9474 bytes

DDS log:

DDS (Version 1.0) - NTFSx86
Run by Kevin at 18:55:44.84 on Thu 11/13/2008
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.767.402 [GMT -5:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\TBPanel.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Kevin\Application Data\Twain\Twain.exe
C:\Program Files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Kevin\LOCALS~1\Temp\RarSFX0\CHIDE.exe
C:\Documents and Settings\Kevin\Desktop\dds.scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\program files\norton antivirus\NavShExt.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\ahead\ahead\data\xtras\mssysmgr.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe"
uRun: [Twain] c:\documents and settings\kevin\application data\twain\Twain.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [C-Media Mixer] Mixer.exe /startup
mRun: [Gainward] c:\windows\TBPanel.exe /A
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [WinFast Schedule] c:\program files\winfast\wftvfm\WFWIZ.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Symantec NetDriver Monitor] c:\progra~1\symnet~1\SNDMon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.6.0_07\bin\jusched.exe
StartupFolder: c:\docume~1\kevin\startm~1\programs\startup\mp3roc~1.lnk - c:\program files\mp3 rocket\MP3Rocket_on_startup.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\program files\epson\epson smart panel for scanner\ESPMAIN.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~2.lnk - c:\program files\microsoft office\office\FINDFAST.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
uPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
mPolicies-system: DisableTaskMgr = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INetRepl.dll
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
AppInit_DLLs: karna.dat jflnql.dll ujpeye.dll
SSODL: UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - c:\windows\system32\upnpui.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\drivers\amdtools.sys
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys
R3 WFIOCTL;WFIOCTL;\??\c:\program files\winfast\wftvfm\WFIOCTL.SYS
S3 JL2005;JL2005A Camera;c:\windows\system32\drivers\toywdm.sys

=============== Created Last 30 ================

2008-11-13 18:12 250 a------- c:\windows\gmer.ini
2008-11-12 21:28 73,728 a------- c:\windows\system32\javacpl.cpl
2008-11-12 21:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Lavasoft
2008-11-12 20:22 <DIR> --d----- c:\program files\Trend Micro
2008-11-12 04:24 <DIR> --d----- c:\windows\oqmm
2008-11-12 04:24 <DIR> --d----- c:\program files\common files\oqmm
2008-11-11 21:14 <DIR> --dsh--- c:\windows\S2V2aW4gQmF1bQ
2008-11-11 20:57 <DIR> --d----- c:\docume~1\kevin\applic~1\Twain
2008-11-08 19:55 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-08 19:55 1,409 a------- c:\windows\QTFont.for
2008-11-01 12:54 164 a------- c:\windows\system32\TDSSosvd.dat
2008-10-17 20:01 <DIR> --d----- c:\docume~1\kevin\applic~1\Malwarebytes
2008-10-17 20:01 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-10-17 20:01 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 20:00 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-10-17 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-10-17 19:21 <DIR> --d----- c:\program files\Enigma Software Group
2008-10-17 19:18 19,106 a------- c:\windows\system32\feda.db
2008-10-17 19:18 18,938 a------- c:\windows\raqamite.reg
2008-10-17 19:18 17,081 a------- c:\docume~1\kevin\applic~1\pumyzarete.dat
2008-10-17 19:18 16,080 a------- c:\docume~1\kevin\applic~1\zydejoma.pif
2008-10-17 19:18 15,678 a------- c:\docume~1\kevin\applic~1\pypibu.scr
2008-10-17 19:18 15,038 a------- c:\program files\common files\lopylama.pif
2008-10-17 19:18 11,723 a------- c:\docume~1\kevin\applic~1\osivyq.dll
2008-10-17 19:18 11,570 a------- c:\windows\wyjil.scr
2008-10-17 19:18 10,892 a------- c:\windows\uhapazecu.scr
2008-10-17 19:18 18,297 a------- c:\program files\common files\baloqufyw.bin
2008-10-17 19:18 17,752 a------- c:\windows\edoxyd._dl
2008-10-17 19:18 17,720 a------- c:\docume~1\alluse~1\applic~1\omizamit.com
2008-10-17 19:18 17,036 a------- c:\windows\ecoxa.com
2008-10-17 19:18 12,699 a------- c:\program files\common files\xarec.vbs
2008-10-17 08:29 <DIR> --d----- c:\program files\Common

==================== Find3M ====================

2008-11-13 18:08 <DIR> --d----- c:\program files\Norton AntiVirus
2008-11-13 11:08 <DIR> --d----- c:\program files\MP3 Rocket
2008-11-12 21:03 <DIR> --d----- c:\program files\Lavasoft
2008-11-12 21:01 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-09-15 14:55 <DIR> --d----- c:\docume~1\kevin\applic~1\Any Video Converter
2008-09-15 06:57 1,846,016 a------- c:\windows\system32\win32k.sys
2008-08-20 00:38 659,456 a------- c:\windows\system32\wininet.dll
2008-06-11 16:12 <DIR> --d----- c:\docume~1\kevin\applic~1\MP3Rocket
2008-01-31 14:32 <DIR> --d----- c:\docume~1\kevin\applic~1\Qtrax1
2008-01-31 14:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SongbirdVLC
2008-01-07 17:09 <DIR> --d----- c:\docume~1\kevin\applic~1\Intuit
2007-09-23 12:25 <DIR> --d----- c:\docume~1\kevin\applic~1\Printer Info Cache
2007-08-25 20:28 <DIR> --d----- c:\docume~1\kevin\applic~1\PCF-VLC
2007-07-25 12:43 <DIR> --d----- c:\docume~1\kevin\applic~1\Participatory Culture Foundation
2007-03-29 18:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap
2007-03-09 18:22 <DIR> --d----- c:\docume~1\kevin\applic~1\MSN6
2007-03-09 18:22 <DIR> --d----- c:\docume~1\alluse~1\applic~1\MSN6
2007-02-22 14:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SonyPicturesGames
2006-02-01 18:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Intuit
2005-12-16 09:52 <DIR> --d----- c:\docume~1\kevin\applic~1\Snapfish
2005-02-26 10:28 <DIR> --d----- c:\docume~1\kevin\applic~1\Kazaa Lite
2005-01-09 09:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2005-01-09 09:13 <DIR> --d----- c:\docume~1\kevin\applic~1\Symantec
2004-12-29 19:19 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Ahead

============= FINISH: 18:56:09.31 ===============
Attached Files: gmer.txt (9.0 KB), Attach.txt (10.8 KB)

Last edited by kornjulio; 11-13-2008 at 03:58 PM. Reason: fix partial DDS log
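One way to pull the loading points that matter out of a HijackThis log like the one above, as an added example that is not part of the original post and is not HijackThis's own code. It parses the "Onn - ..." lines and flags the sections a helper reads first on this kind of log: the O20 AppInit_DLLs value (every module listed there is loaded into each process that loads user32.dll), an O18 filter hijack whose CLSID resolves to "(no file)", O15 Trusted Zone additions, an O24 Active Desktop component fetched from a remote URL, and O4 Run entries that execute from a user-profile directory. The sample log is constructed to mirror the format above (the CLSID and DLL names are taken from the log, the user name and hosts are placeholders), and the PROFILE_DIRS list is this example's own assumption.

```python
"""Triage the loading points in a HijackThis (HJT) log.

Added example; not from the original post and not HijackThis's own code.
It parses the "Onn - ..." lines and flags the entries a helper reads first:
  O20 AppInit_DLLs    every module listed is loaded into each process that loads user32.dll
  O18 filter hijack   a MIME filter whose CLSID resolves to "(no file)"
  O15 Trusted Zone    sites granted the relaxed IE Trusted Zone settings
  O24 Active Desktop  a desktop component pulled from a remote URL
  O4  Run entries     executables launched from a user-profile directory
The sample lines and the PROFILE_DIRS list are this example's own assumptions.
"""
import re
import sys
from dataclasses import dataclass

O_LINE = re.compile(r"^(O\d+) - (.*)$")

# Directories a legitimate O4 Run entry rarely executes from (assumption).
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

# Constructed sample that mirrors the format of the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\user\Application Data\Twain\Twain.exe
O15 - Trusted Zone: hxxp://*.example.com
O18 - Filter hijack: text/html - {dc8f45bc-32bb-48a9-89dc-35a90d0d7ce1} - (no file)
O20 - AppInit_DLLs: karna.dat jflnql.dll ujpeye.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - hxxps://example.invalid/images/misc/background.gif
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_hjt(text):
    """Yield (section, body, line) for every 'Onn - ...' line in the log."""
    for raw in text.splitlines():
        line = raw.strip()
        m = O_LINE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def triage(text):
    """Return the Findings for a log, in the order the lines appear."""
    findings = []
    for section, body, line in parse_hjt(text):
        low = body.lower()
        if section == "O20" and low.startswith("appinit_dlls:"):
            dlls = body.split(":", 1)[1].split()
            if dlls:
                findings.append(Finding(section, "AppInit_DLLs loads into every GUI process: " + " ".join(dlls), line))
        elif section == "O18" and "filter hijack" in low and "(no file)" in low:
            findings.append(Finding(section, "MIME filter hijack with no backing file", line))
        elif section == "O15":
            findings.append(Finding(section, "site added to the IE Trusted Zone", line))
        elif section == "O24":
            findings.append(Finding(section, "Active Desktop component set from a remote URL", line))
        elif section == "O4" and any(d in low for d in PROFILE_DIRS):
            findings.append(Finding(section, "Run entry executes from a user-profile directory", line))
    return findings


def main(argv):
    # With a path argument the saved hijackthis.log is read; otherwise the sample runs.
    text = open(argv[1], encoding="utf-8", errors="replace").read() if len(argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python hjt_triage.py hijackthis.log` to see only the flagged lines; the rule set is deliberately narrow (the sections named above) so that the long O4/O23 vendor entries do not drown the few lines that explain the pop-ups.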
#2, 11-15-2008, 04:45 PM, tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 32,563; OS: 2000 Pro; XP Pro; XP Home)

Re: Old Java, got Virtumonde?

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.
#3, 11-16-2008, 06:24 AM, kornjulio (Registered User; Join Date: Nov 2008; Posts: 4; OS: xp pro sp2)

Re: Old Java, got Virtumonde?

Thank you. Did as instructed, no issues, and Recovery Console installed. Log as requested:


ComboFix 08-11-14.01 - Kevin 2008-11-16 8:59:51.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.505 [GMT -5:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Kevin\Cookies\fydejacu.bat
c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\bestwiner.stt
c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Kevin\Local Settings\Temporary Internet Files\sekubu.sys
c:\program files\Common\helper.sig
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\TDSSosvd.dat
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-13 18:12 . 2008-11-13 18:13 250 --a------ c:\windows\gmer.ini
2008-11-12 21:28 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 21:02 . 2008-11-12 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-12 20:22 . 2008-11-12 20:22 <DIR> d-------- c:\program files\Trend Micro
2008-11-12 04:24 . 2008-11-12 04:24 <DIR> d-------- c:\windows\oqmm
2008-11-12 04:24 . 2008-11-12 10:03 <DIR> d-------- c:\program files\Common Files\oqmm
2008-11-11 21:14 . 2008-11-12 21:38 <DIR> d--hs---- c:\windows\S2V2aW4gQmF1bQ
2008-11-11 20:57 . 2008-11-11 20:57 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Twain
2008-11-08 19:55 . 2008-11-14 18:06 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 19:55 . 2008-11-08 19:55 1,409 --a------ c:\windows\QTFont.for
2008-10-17 20:01 . 2008-10-17 20:01 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Malwarebytes
2008-10-17 20:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 20:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-17 20:00 . 2008-11-12 18:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-17 20:00 . 2008-10-17 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-17 19:21 . 2008-10-17 19:21 <DIR> d-------- c:\program files\Enigma Software Group
2008-10-17 19:18 . 2008-10-17 19:18 19,106 --a------ c:\windows\system32\feda.db
2008-10-17 19:18 . 2008-10-17 19:18 18,938 --a------ c:\windows\raqamite.reg
2008-10-17 19:18 . 2008-10-17 19:18 18,297 --a------ c:\program files\Common Files\baloqufyw.bin
2008-10-17 19:18 . 2008-10-17 19:18 17,752 --a------ c:\windows\edoxyd._dl
2008-10-17 19:18 . 2008-10-17 19:18 17,720 --a------ c:\documents and settings\All Users\Application Data\omizamit.com
2008-10-17 19:18 . 2008-10-17 19:18 17,081 --a------ c:\documents and settings\Kevin\Application Data\pumyzarete.dat
2008-10-17 19:18 . 2008-10-17 19:18 17,036 --a------ c:\windows\ecoxa.com
2008-10-17 19:18 . 2008-10-17 19:18 16,080 --a------ c:\documents and settings\Kevin\Application Data\zydejoma.pif
2008-10-17 19:18 . 2008-10-17 19:18 15,678 --a------ c:\documents and settings\Kevin\Application Data\pypibu.scr
2008-10-17 19:18 . 2008-10-17 19:18 15,038 --a------ c:\program files\Common Files\lopylama.pif
2008-10-17 19:18 . 2008-10-17 19:18 12,699 --a------ c:\program files\Common Files\xarec.vbs
2008-10-17 19:18 . 2008-10-17 19:18 11,723 --a------ c:\documents and settings\Kevin\Application Data\osivyq.dll
2008-10-17 19:18 . 2008-10-17 19:18 11,570 --a------ c:\windows\wyjil.scr
2008-10-17 19:18 . 2008-10-17 19:18 10,892 --a------ c:\windows\uhapazecu.scr
2008-10-17 08:29 . 2008-11-16 08:59 <DIR> d-------- c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 14:06 --------- d-----w c:\program files\MP3 Rocket
2008-11-13 23:08 --------- d-----w c:\program files\Norton AntiVirus
2008-11-13 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 03:28 --------- d-----w c:\program files\Java
2008-11-13 02:03 --------- d-----w c:\program files\Lavasoft
2008-11-13 02:03 --------- d-----w c:\documents and settings\Kevin\Application Data\Lavasoft
2008-11-13 02:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-02 11:24 --------- d-----w c:\program files\Google
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"Gainward"="c:\windows\TBPanel.exe" [2004-12-29 2043904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2004-10-06 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-02-28 68768]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-09-03 95960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-04 155648]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"C-Media Mixer"="Mixer.exe" [2002-06-12 c:\windows\mixer.exe]
"nwiz"="nwiz.exe" [2005-08-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
MP3 Rocket (silent).lnk - c:\program files\MP3 Rocket\MP3Rocket_on_startup.exe [2006-12-13 66168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
EPSON SMART PANEL for Scanner.lnk - c:\program files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE [2005-01-08 180224]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-07-10 51984]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat jflnql.dll ujpeye.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.MJPG"= jl_mjpg2.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys [2006-01-14 21632]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-10-04 75925]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-10-04 36423]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys [2004-10-04 10005]
R3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2004-12-30 9510]
S3 JL2005;JL2005A Camera;c:\windows\system32\Drivers\toywdm.sys [2005-10-08 71512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39b2b980-7727-11da-971e-000d875484b4}]
\Shell\AutoRun\command - J:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2008-11-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\Microsoft ActiveSync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\Microsoft ActiveSync\cenetflt.dll

c:\windows\system32\ImageControl.dll - c:\windows\system32\AxCtp2.dll
O16 -: {BB383206-6DA1-4E80-B62A-3DF950FCC697}
hxxp://www.imgag.com/cp/install/AxCtp2.cab
c:\windows\Downloaded Program Files\AxCtp2.inf

c:\windows\Downloaded Program Files\DVCDownloaderControl.dll - O16 -: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51}
hxxp://www.sonypictures.com/games/thedavincicode/DVCDownloaderControl.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 0939
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\windows\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\windows\system32\UAService7.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-11-16 9:11:29 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-16 14:10:43

Pre-Run: 43,255,738,368 bytes free
Post-Run: 47,520,686,080 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

194 --- E O F --- 2008-10-25 02:40:09
Old 11-16-2008, 08:05 AM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home


Re: Old Java, got Virtumonde?

Looks better...next steps.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    File::
    c:\windows\system32\feda.db
    c:\windows\raqamite.reg
    c:\Program Files\Common Files\baloqufyw.bin
    c:\windows\edoxyd._dl
    c:\documents and settings\All Users\Application Data\omizamit.com
    c:\documents and settings\Kevin\Application Data\pumyzarete.dat
    c:\windows\ecoxa.com
    c:\documents and settings\Kevin\Application Data\zydejoma.pif
    c:\documents and settings\Kevin\Application Data\pypibu.scr
    c:\Program Files\Common Files\lopylama.pif
    c:\Program Files\Common Files\xarec.vbs
    c:\documents and settings\Kevin\Application Data\osivyq.dll
    c:\windows\wyjil.scr
    c:\windows\uhapazecu.scr

    Folder::
    c:\windows\oqmm
    c:\Program Files\Common Files\oqmm
    c:\windows\S2V2aW4gQmF1bQ
    c:\documents and settings\Kevin\Application Data\Twain

    DirLook::
    c:\Program Files\Common

    Registry::
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""


    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------

  5. Please perform this online scan to help look for remnants

    Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs
    • Turn off the real time scanner of any existing antivirus program while performing the online scan.

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on Settings. Uncheck Mail databases.
    • Next, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

    ---------------------------------------------------------------------------------------------
  6. Ensure your AntiVirus and AntiSpyware applications are re-enabled. Post logs from ComboFix and Kaspersky online scan.


How is the machine behaving now, please?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 11-16-2008, 12:53 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 4
OS: xp pro sp2


Re: Old Java, got Virtumonde?

Machine running much better, thank you. No unsolicited pop-ups since running combofix. Here's the logs, as requested:

ComboFix 08-11-14.01 - Kevin 2008-11-16 13:37:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.467 [GMT -5:00]
Running from: c:\documents and settings\Kevin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kevin\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\documents and settings\All Users\Application Data\omizamit.com
c:\documents and settings\Kevin\Application Data\osivyq.dll
c:\documents and settings\Kevin\Application Data\pumyzarete.dat
c:\documents and settings\Kevin\Application Data\pypibu.scr
c:\documents and settings\Kevin\Application Data\zydejoma.pif
c:\program files\Common Files\baloqufyw.bin
c:\program files\Common Files\lopylama.pif
c:\program files\Common Files\xarec.vbs
c:\windows\ecoxa.com
c:\windows\edoxyd._dl
c:\windows\raqamite.reg
c:\windows\system32\feda.db
c:\windows\uhapazecu.scr
c:\windows\wyjil.scr
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\omizamit.com
c:\documents and settings\Kevin\Application Data\osivyq.dll
c:\documents and settings\Kevin\Application Data\pumyzarete.dat
c:\documents and settings\Kevin\Application Data\pypibu.scr
c:\documents and settings\Kevin\Application Data\Twain
c:\documents and settings\Kevin\Application Data\Twain\Twain.exe
c:\documents and settings\Kevin\Application Data\zydejoma.pif
c:\program files\Common Files\baloqufyw.bin
c:\program files\Common Files\lopylama.pif
c:\program files\Common Files\oqmm
c:\program files\Common Files\oqmm\oqmma.lck
c:\program files\Common Files\oqmm\oqmmd\class-barrel
c:\program files\Common Files\oqmm\oqmmd\vocabulary
c:\program files\Common Files\oqmm\oqmmh
c:\program files\Common Files\oqmm\oqmml.lck
c:\program files\Common Files\oqmm\oqmmm.lck
c:\program files\Common Files\xarec.vbs
c:\windows\ecoxa.com
c:\windows\edoxyd._dl
c:\windows\oqmm
c:\windows\oqmm\oqmm.dat
c:\windows\oqmm\wu
c:\windows\raqamite.reg
c:\windows\S2V2aW4gQmF1bQ
c:\windows\system32\feda.db
c:\windows\uhapazecu.scr
c:\windows\wyjil.scr

.
((((((((((((((((((((((((( Files Created from 2008-10-16 to 2008-11-16 )))))))))))))))))))))))))))))))
.

2008-11-13 18:12 . 2008-11-13 18:13 250 --a------ c:\windows\gmer.ini
2008-11-12 21:28 . 2008-06-10 02:32 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-12 21:02 . 2008-11-12 21:04 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-11-12 20:22 . 2008-11-12 20:22 <DIR> d-------- c:\program files\Trend Micro
2008-11-08 19:55 . 2008-11-14 18:06 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-08 19:55 . 2008-11-08 19:55 1,409 --a------ c:\windows\QTFont.for
2008-10-17 20:01 . 2008-10-17 20:01 <DIR> d-------- c:\documents and settings\Kevin\Application Data\Malwarebytes
2008-10-17 20:01 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-17 20:01 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-10-17 20:00 . 2008-11-12 18:06 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-10-17 20:00 . 2008-10-17 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-17 19:21 . 2008-10-17 19:21 <DIR> d-------- c:\program files\Enigma Software Group
2008-10-17 08:29 . 2008-11-16 08:59 <DIR> d-------- c:\program files\Common

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-16 14:06 --------- d-----w c:\program files\MP3 Rocket
2008-11-13 23:08 --------- d-----w c:\program files\Norton AntiVirus
2008-11-13 16:50 --------- d-----w c:\documents and settings\All Users\Application Data\DVD Shrink
2008-11-13 03:28 --------- d-----w c:\program files\Java
2008-11-13 02:03 --------- d-----w c:\program files\Lavasoft
2008-11-13 02:03 --------- d-----w c:\documents and settings\Kevin\Application Data\Lavasoft
2008-11-13 02:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-10-02 11:24 --------- d-----w c:\program files\Google
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-08-20 05:38 659,456 ----a-w c:\windows\system32\wininet.dll
2001-11-23 04:08 712,704 ----a-w c:\windows\inf\OTHER\AUDIO3D.DLL
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\program files\Common ----

2008-11-11 20:37 60928 --a------ c:\program files\Common\_helper.sig


((((((((((((((((((((((((((((( snapshot@2008-11-16_ 9.10.04.56 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]
"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-11-30 1945600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"Gainward"="c:\windows\TBPanel.exe" [2004-12-29 2043904]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-08-02 7110656]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WinFast Schedule"="c:\program files\WinFast\WFTVFM\WFWIZ.exe" [2004-10-06 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-02-28 68768]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-09-03 95960]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-08-02 86016]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2005-05-19 57344]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-03-04 155648]
"SansaDispatch"="c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe" [2007-10-22 75584]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"C-Media Mixer"="Mixer.exe" [2002-06-12 c:\windows\mixer.exe]
"nwiz"="nwiz.exe" [2005-08-02 c:\windows\system32\nwiz.exe]

c:\documents and settings\Kevin\Start Menu\Programs\Startup\
MP3 Rocket (silent).lnk - c:\program files\MP3 Rocket\MP3Rocket_on_startup.exe [2006-12-13 66168]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
EPSON SMART PANEL for Scanner.lnk - c:\program files\EPSON\EPSON SMART PANEL for Scanner\ESPMAIN.EXE [2005-01-08 180224]
Microsoft Find Fast.lnk - c:\program files\Microsoft Office\Office\FINDFAST.EXE [1997-07-10 111376]
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1997-07-10 51984]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"VIDC.MJPG"= jl_mjpg2.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Papyrus\\NASCAR Racing 2003 Season\\NR2003.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"=
"c:\\Program Files\\Ahead\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Microsoft Office\\Office\\WINWORD.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service
"1911:UDP"= 1911:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"1910:UDP"= 1910:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"1915:UDP"= 1915:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"2899:UDP"= 2899:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"2898:UDP"= 2898:UDP:Windows Media Format SDK (IEXPLORE.EXE)
"2903:UDP"= 2903:UDP:Windows Media Format SDK (IEXPLORE.EXE)

R1 amdtools;AMD Special Tools Driver;c:\windows\system32\DRIVERS\amdtools.sys [2006-01-14 21632]
R2 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-10-04 75925]
R2 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-10-04 36423]
R2 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kxbar.sys [2004-10-04 10005]
R3 WFIOCTL;WFIOCTL;\??\c:\program files\WinFast\WFTVFM\WFIOCTL.SYS [2004-12-30 9510]
S3 JL2005;JL2005A Camera;c:\windows\system32\Drivers\toywdm.sys [2005-10-08 71512]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39b2b980-7727-11da-971e-000d875484b4}]
\Shell\AutoRun\command - J:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-11-15 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\Navw32.exe [2003-12-04 18:22]

2008-11-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-16 13:39:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-16 13:41:37
ComboFix-quarantined-files.txt 2008-11-16 18:40:40
ComboFix2.txt 2008-11-16 14:11:30

Pre-Run: 47,469,867,008 bytes free
Post-Run: 47,513,976,832 bytes free

176 --- E O F --- 2008-10-25 02:40:09


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, November 16, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, November 16, 2008 13:43:47
Records in database: 1387799
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
G:\
H:\

Scan statistics:
Files scanned: 64157
Threat name: 6
Infected objects: 8
Suspicious objects: 0
Duration of the scan: 01:46:49


File name / Threat name / Threats count
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-3138a844 Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Kevin\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3b070a2d-6700d78c.zip Infected: Exploit.Java.Gimsh.b 1
C:\My Shared Folder\Harry Potter and The Deathly Hallows [Full Book].zip Infected: P2P-Worm.Win32.VB.dw 1
C:\Program Files\Eyetide Media\Eyetide Viewer\mgsSetp.EyeTide.exe Infected: not-a-virus:WebToolbar.Win32.MyWebSearch.dr 1
C:\Program Files\Norton AntiVirus\Quarantine\345F471A Infected: Trojan-Downloader.JS.IstBar.j 1
C:\Program Files\Norton AntiVirus\Quarantine\46574E46 Infected: Trojan-Downloader.JS.IstBar.e 1
C:\Program Files\Norton AntiVirus\Quarantine\5B070414 Infected: Trojan-Downloader.JS.IstBar.e 1
C:\Qoobox\Quarantine\C\Documents and Settings\Kevin\Application Data\Twain\Twain.exe.vir Infected: Trojan.Win32.Agent.amwr 1

The selected area was scanned.
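A small triage script for the two "Reg Loading Points" blocks posted in this thread, added here as an example and not code from ComboFix, the thread or its helper: it parses the REGEDIT4-style section, flags the AppInit_DLLs, Security Center override and mountpoints2 AutoRun entries, and diffs the before/after snapshots the way the "Looks better" check is done by eye. The sample text is constructed from values shown in the logs; the line formats it matches are an assumption about ComboFix's output.

```python
"""Triage helper for the 'Reg Loading Points' block of a ComboFix log.

Added example for this thread, not ComboFix code or the helper's procedure.
It parses the REGEDIT4-style block ComboFix prints, flags entry types seen in
this thread's logs and diffs a before/after pair of snapshots.  Sample text is
constructed from values shown in the thread.
"""
import re
from collections import namedtuple

KEY_RE = re.compile(r"^\[(.+)\]$")             # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "Name"=value (value may be empty)
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
Finding = namedtuple("Finding", "severity key name value reason")


def parse_reg_points(text):
    """Return {key_path_lowercased: {value_name: raw_value}} for the REGEDIT4 block."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in (".", "REGEDIT4") or line.startswith("*Note*"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if m:
            keys[current][m.group(1)] = m.group(2).strip()
        elif current and line.startswith("\\") and " - " in line:
            # mountpoints2 entries: '\Shell\AutoRun\command - J:\setupSNK.exe'
            name, _, target = line.partition(" - ")
            keys[current][name] = target.strip()
    return keys


def triage(keys):
    """Flag loading points an analyst should look at before cleaning."""
    findings = []
    for key, values in keys.items():
        for name, value in values.items():
            if key.endswith(r"\currentversion\windows") and name == "AppInit_DLLs":
                if value.strip('"'):  # '""' is present-but-empty, which is benign
                    findings.append(Finding("high", key, name, value,
                        "AppInit_DLLs loads these into every process that maps "
                        "user32.dll; verify each file or clear the value"))
            elif key == SECURITY_CENTER and value == "dword:00000001":
                findings.append(Finding("medium", key, name, value,
                    "Security Center alerting is overridden; confirm the user set "
                    "it, since malware sets this to silence AV/update warnings"))
            elif "mountpoints2" in key and name.lower().endswith(r"autorun\command"):
                findings.append(Finding("medium", key, name, value,
                    "AutoRun command recorded for a mounted drive; check the target"))
    return findings


def diff_snapshots(before, after):
    """Return (removed, added) lists of (key, name, value) between two snapshots."""
    def flat(keys):
        return {(k, n): v for k, vals in keys.items() for n, v in vals.items()}
    b, a = flat(before), flat(after)
    removed = sorted((k, n, v) for (k, n), v in b.items() if (k, n) not in a)
    added = sorted((k, n, v) for (k, n), v in a.items() if (k, n) not in b)
    return removed, added


# Constructed sample: the relevant keys from the thread's first log (before the
# CFScript ran); AFTER drops the two entries the CFScript's Registry:: section removed.
BEFORE = r"""REGEDIT4
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=karna.dat jflnql.dll ujpeye.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39b2b980-7727-11da-971e-000d875484b4}]
\Shell\AutoRun\command - J:\setupSNK.exe
"""
AFTER = BEFORE.replace('"ForceClassicControlPanel"= 1 (0x1)\n', "").replace(
    '"AppInit_DLLs"=karna.dat jflnql.dll ujpeye.dll\n', "")

if __name__ == "__main__":
    before, after = parse_reg_points(BEFORE), parse_reg_points(AFTER)
    for f in triage(before):
        print(f"[{f.severity}] {f.name} = {f.value}\n    {f.reason}")
    for _, name, value in diff_snapshots(before, after)[0]:
        print("removed since last run:", name, "=", value)
```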
Old 11-16-2008, 01:26 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home


Re: Old Java, got Virtumonde?

Hi -

Please delete this folder:

c:\program files\Common

Note the exact name of the folder. This is NOT C:\Program Files\Common Files, which is a legit folder.

---------------------------------------

From where was this next file downloaded? A reliable commercial source?

C:\My Shared Folder\Harry Potter and The Deathly Hallows [Full Book].zip

If it came from a torrent download, which is likely from its location on the machine, I would delete it. Torrent downloads are often suspect.

---------------------------------------------------------------------------------------------

This file gets flagged because there's a toolbar opt-in on the installation of Eyetide Viewer

C:\Program Files\Eyetide Media\Eyetide Viewer\mgsSetp.EyeTide.exe

I don't see Eyetide Viewer or MySearch in the Add/Remove programs list of the Attach.txt

If Eyetide Viewer has been uninstalled, you can delete this folder, as it seems to leave some junk behind upon uninstall in my testing.

C:\Program Files\Eyetide Media

Otherwise, I think you can let it alone.

---------------------------------------------------------------------------------------------

Please use Symantec's guide to remove the Norton Quarantine files.

---------------------------------------------------------------------------------------------

Go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

C:\Qoobox is ComboFix quarantine, which will be removed by uninstalling ComboFix as instructed below.

Other than that...

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • FIREWALL
    Using a third-party firewall will allow you to give/deny access for applications that want to go online. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.

    Do not install more than one firewall program because they will conflict with each other.

Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. While Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Old 11-17-2008, 03:24 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2008
Posts: 4
OS: xp pro sp2


Re: Old Java, got Virtumonde?

Folders & files deleted as directed. No more pop-ups. Please mark as resolved & thanks very much for the help!
Old 11-17-2008, 04:14 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
Location: Transylvania County, North Carolina, USA
Posts: 32,563
OS: 2000 Pro; XP Pro; XP Home


Re: Old Java, got Virtumonde?

You're quite welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Copyright 2001 - 2009, Tech Support Forum