Post #1, 12-02-2008, 04:26 PM, by SKaiser (Registered User; Join Date: Dec 2008; Posts: 8; OS: XP)

Stronger adware than I thought...

Having some knowledge of repairing software-related problems myself, I thought I was capable of removing adware when some got into my computer. It has, however, turned out to be more malicious than I first thought.

It spawned popups for fake antivirus software and other services, interfered with Ad-Aware's and AVG's ability to update and scan the computer, caused some websites not to run at all or to be redirected to yet more fake computer repair software, and generally slowed down the entire system. The run speed of processes on the computer seems to vary now, but when it was performing at a more usable speed I finally managed to get a HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:20:05, on 02/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\WINDOWS\System32\regsvr32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\prunnet.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\winlogin.exe
C:\WINDOWS\System32\rs32net.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Richard\Application Data\gadcom\gadcom.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\csrssc.exe
C:\WINDOWS\System32\rs32net.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
C:\WINDOWS\system32\Wtablet\TabUserW.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\1.bin\MBSRCAS.DLL
O2 - BHO: banners4u browser enhancer - {14A18709-2CF5-E700-1A87-A501B3981CED} - C:\WINDOWS\system32\edirhpvlbn.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {66c005b5-38a5-4a0b-af4b-19815d45a08f} - C:\WINDOWS\system32\gizolama.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\wvUnOHwT.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O2 - BHO: {bba7de9e-377a-d028-b664-a2a1082fe18c} - {c81ef280-1a2a-466b-820d-a773e9ed7abb} - C:\WINDOWS\system32\vfqxut.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - (no file)
O2 - BHO: (no name) - {EB1A4997-56B7-4A6C-A35D-3398DED0CAF4} - C:\WINDOWS\system32\fccYoMdD.dll
O2 - BHO: agadoo browser optimizer - {f0c9605b-2ddc-0bd1-0e74-b2416fe60202} - C:\WINDOWS\system32\jtqnitevgoxhz.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\1.bin\MORPHBAR.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [popup] "C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Richard\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKLM\..\Run: [lhgsmxrslbpwvytgo] C:\WINDOWS\System32\regsvr32.exe /s "C:\WINDOWS\system32\edirhpvlbn.dll"
O4 - HKLM\..\Run: [kuhujadeni] Rundll32.exe "C:\WINDOWS\system32\vokeloso.dll",s
O4 - HKLM\..\Run: [74d4d830] rundll32.exe "C:\WINDOWS\system32\rxlvvjeo.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Richard\Application Data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Richard\LOCALS~1\Temp\winlogin.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Richard\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [rs32net] C:\WINDOWS\System32\rs32net.exe
O4 - HKUS\S-1-5-19\..\Run: [kuhujadeni] Rundll32.exe "C:\WINDOWS\system32\vokeloso.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kuhujadeni] Rundll32.exe "C:\WINDOWS\system32\vokeloso.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\ncntlsdl.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\rrwnw64p.exe
O4 - Startup: hamachi.lnk = C:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\wlancfg5.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\Wtablet\TabUserW.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {19A08B4B-EA7C-4C62-B477-D36E5396A1B5} (HGPluginJP24 Class) - http://down.hangame.co.jp/jp/dist/hg...PluginJP24.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1186507059250
O16 - DPF: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03} (HGPluginJP23 Class) - http://down.hangame.co.jp/jp/dist/hg...PluginJP23.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/zum...loader_v10.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V020...5034/CTPID.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: vfqxut.dll,C:\WINDOWS\system32\ruvoziyi.dll,avgrsstx.dll
O20 - Winlogon Notify: wvUnOHwT - C:\WINDOWS\SYSTEM32\wvUnOHwT.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MRMonitor (MegaMonitorSrv) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
O23 - Service: SSMFramework (MSMFramework) - Unknown owner - C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

Any expert advice the community could spare would be much appreciated.
-- SKaiser
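To show how a helper reads a log like the one above, here is an added triage script; it is not code from the thread or from the HijackThis project. It flags the entry types a reviewer looks at first: programs started from a Temp directory, DLLs loaded through rundll32/regsvr32 at startup, AppInit_DLLs and Winlogon Notify hooks, O7 policy restrictions, and registered components whose file is missing. The sample lines are copied from the posted log; the regexes and the reason wording are this example's own assumptions, and a flag means "review this", not "malicious".

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why a reviewer would look at this entry
    line: str      # the original log line


# Sample input: a subset of the lines from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: pl - {B200799F-9538-403d-9A6E-36F5942EC540} - C:\WINDOWS\system32\fklame32.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [xsjfn83jkemfofght] C:\DOCUME~1\Richard\LOCALS~1\Temp\winlogin.exe
O4 - HKLM\..\Run: [kuhujadeni] Rundll32.exe "C:\WINDOWS\system32\vokeloso.dll",s
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Richard\LOCALS~1\Temp\csrssc.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: vfqxut.dll,C:\WINDOWS\system32\ruvoziyi.dll,avgrsstx.dll
O20 - Winlogon Notify: wvUnOHwT - C:\WINDOWS\SYSTEM32\wvUnOHwT.dll
"""

# "O4 - HKLM\..\Run: [name] command"  ->  section "O4", body "HKLM\..\Run: [name] command"
HEADER = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Inside an O4 body: "[name] command"
RUN_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<command>.*)$")
# A path component named Temp or Tmp, e.g. ...\LOCALS~1\Temp\winlogin.exe
TEMP_PATH = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
# Command starts with a DLL loader rather than a program of its own
DLL_LOADER = re.compile(r"^(?:rundll32|regsvr32)(?:\.exe)?\b", re.IGNORECASE)


def parse_appinit_dlls(body: str) -> List[str]:
    """Split an 'AppInit_DLLs: a.dll,C:\\path\\b.dll c.dll' body into its DLL entries.

    The value is comma separated but some tools print it space separated,
    so both separators are accepted; empty entries are dropped.
    """
    value = body.split(":", 1)[1]
    return [d.strip() for d in re.split(r"[,\s]+", value) if d.strip()]


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (line, reason) that a reviewer should look at."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if not m:
            continue  # process list, blank lines, banner text
        section, body = m.group("section"), m.group("body")
        reasons: List[str] = []

        # Checks that apply to any section
        if TEMP_PATH.search(body):
            reasons.append("program launched from a Temp directory")
        if "(file missing)" in body:
            reasons.append("registered component whose file is missing")

        # Section-specific checks
        if section == "O4":
            entry = RUN_ENTRY.search(body)
            if entry and DLL_LOADER.match(entry.group("command")):
                reasons.append("DLL loaded through rundll32/regsvr32 at startup")
        elif section == "O7":
            reasons.append("policy restriction on a built-in administration tool")
        elif section == "O20":
            if body.startswith("AppInit_DLLs:"):
                dlls = parse_appinit_dlls(body)
                reasons.append("AppInit_DLLs loads into every process: " + ", ".join(dlls))
            elif body.startswith("Winlogon Notify:"):
                reasons.append("Winlogon Notify package loads a DLL into winlogon.exe")

        for reason in reasons:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Legitimate entries such as rundll32 loading NvCpl.dll will also be listed; the script narrows the log to what needs a human decision rather than making that decision.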
Post #2, 12-03-2008, 08:45 AM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team; Join Date: Jan 2005; Location: Transylvania County, North Carolina, USA; Posts: 32,569; OS: 2000 Pro; XP Pro; XP Home)

Re: Stronger adware than I thought...

Hello and Welcome.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/secu...oval-help.html

After running through all the steps, you shall have a proper set of logs.

After running through all the steps, please post the requested logs.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
Post #3, 12-03-2008, 10:36 AM, by SKaiser (Registered User; Join Date: Dec 2008; Posts: 8; OS: XP)

Re: Stronger adware than I thought...

After extracting the files, disabling all antivirus software and making several attempts after restarts, GMER refused to run in both normal and safe mode, and DDS appears not to perform any scans.

While I was attempting this in normal mode, I received a trio of popups that would not normally have appeared before the infection; I have also included a screenshot of them, although I'm unsure how helpful it will be.

Attached image: error-trio.jpg (36.6 KB)
-- SKaiser
Post #4, 12-03-2008, 10:42 AM, by tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)

Re: Stronger adware than I thought...

Check your private messages, please.
Post #5, 12-03-2008, 05:25 PM, by SKaiser (Registered User; Join Date: Dec 2008; Posts: 8; OS: XP)

Re: Stronger adware than I thought...

My apologies for the delay; the adware has been such a nuisance, causing the machine and the program to freeze, that I had to unplug any form of internet connection from the machine in order to get it to finish.

DDS (Version 1.0) - NTFSx86
Run by Richard at 0:14:10.87 on 04/12/2008
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1464 [GMT 0:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
C:\Program Files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe
C:\Documents and Settings\Richard\Desktop\dds.com
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe

============== Pseudo HJT Report ===============

uStart Page = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Page_URL = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6070720
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {14A18709-2CF5-E700-1A87-A501B3981CED} - c:\windows\system32\edirhpvlbn.dll
BHO: {66c005b5-38a5-4a0b-af4b-19815d45a08f} - c:\windows\system32\gizolama.dll
BHO: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\wvUnOHwT.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
BHO: {AA795582-2114-42D3-86DF-56FF78885767} - c:\windows\system32\fccYoMdD.dll
BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {B200799F-9538-403d-9A6E-36F5942EC540} - c:\windows\system32\fklame32.dll
BHO: {D88E1558-7C2D-407A-953A-C044F5607CEA} - c:\program files\mjcore\Mjcore.dll
BHO: {f0c9605b-2ddc-0bd1-0e74-b2416fe60202} - c:\windows\system32\jtqnitevgoxhz.dll
BHO: {fc4df723-7238-49a3-b301-7384248dcfd1} - c:\windows\system32\vufkso.dll
TB: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - c:\program files\adobe\/Adobe Contribute CS3/contributeieplugin.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [<NO NAME>]
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
uRun: [gadcom] "c:\documents and settings\richard\application data\gadcom\gadcom.exe" 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
uRun: [xsjfn83jkemfofght] c:\docume~1\richard\locals~1\temp\winlogin.exe
uRun: [Jnskdfmf9eldfd] c:\docume~1\richard\locals~1\temp\csrssc.exe
uRun: [rs32net] c:\windows\system32\rs32net.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [Popup] "c:\program files\dell sas raid storage manager\megapopup\Popup.exe"
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] c:\program files\scansoft\paperport\pptd40nt.exe
mRun: [IndexSearch] c:\program files\scansoft\paperport\IndexSearch.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [AHQInit] c:\program files\creative\sblive\program\AHQInit.exe
mRun: [AudioHQ] c:\program files\creative\sblive\audiohq\AHQTB.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [FaxCenterServer] "c:\program files\lexmark fax solutions\fm3032.exe" /s
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [lxczbmgr.exe] "c:\program files\lexmark 1200 series\lxczbmgr.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [CTSysVol] c:\program files\creative\sbaudigy\surround mixer\CTSysVol.exe /r
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [xsjfn83jkemfofght] c:\docume~1\richard\locals~1\temp\winlogin.exe
mRun: [rs32net] c:\windows\system32\rs32net.exe
mRun: [lhgsmxrslbpwvytgo] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\edirhpvlbn.dll"
mRun: [kuhujadeni] Rundll32.exe "c:\windows\system32\vokeloso.dll",s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [74d4d830] rundll32.exe "c:\windows\system32\lnimkwxr.dll",b
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\deewoo.lnk - c:\windows\system32\ncntlsdl.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\dw_start.lnk - c:\windows\system32\rrwnw64p.exe
StartupFolder: c:\docume~1\richard\startm~1\programs\startup\hamachi.lnk - c:\program files\hamachi\hamachi.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~2.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueso~1.lnk - c:\program files\ivt corporation\bluesoleil\BlueSoleil.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg311v3\wlancfg5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
uPolicies-explorer: <NO NAME> =
uPolicies-explorer: NoFolderOptions = 1 (0x1)
uPolicies-system: DisableRegistryTools = 1 (0x1)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: wvUnOHwT - wvUnOHwT.dll
AppInit_DLLs: ,c:\windows\system32\ruvoziyi.dll,avgrsstx.dll vufkso.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\wvUnOHwT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccYoMdD
LSA: Notification Packages = scecli c:\windows\system32\ruvoziyi.dll

============= SERVICES / DRIVERS ===============

R0 ati2rtxx;ati2rtxx;c:\windows\system32\drivers\ati2rtxx.sys [2008-12-2 32768]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-2 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-2 26824]
R1 btcusbb;btcusbb;c:\windows\system32\drivers\btcusbb.sys [2008-12-2 86272]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\drivers\DLARTL_M.SYS [2007-7-20 28184]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-12-2 231704]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service []
R2 Network Monitor;Network Monitor;c:\program files\network monitor\netmon.exe service []
S3 kbeepm;kbeepm;\??\c:\docume~1\richard\locals~1\temp\kbeepm.sys [2004-6-7 31744]
S3 restore;restore;\??\c:\windows\system32\drivers\restore.sys []

=============== Created Last 30 ================

2008-12-03 17:39 1,410,833 ---sh--- c:\windows\system32\rxwkminl.ini
2008-12-03 17:39 72,704 a------- c:\windows\system32\lnimkwxr.dll
2008-12-03 17:37 <DIR> --d----- c:\program files\Mjcore
2008-12-03 17:36 129,024 a------- c:\windows\system32\vufkso.dll
2008-12-03 17:36 129,024 a------- c:\windows\system32\najytkxa.dll
2008-12-03 17:36 41,472 a------- c:\windows\system32\yckgqhco.dll
2008-12-02 20:41 <DIR> --d----- C:\HJT
2008-12-02 20:01 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-02 20:00 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-02 20:00 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-02 20:00 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-02 20:00 <DIR> --d----- c:\docume~1\richard\applic~1\AVGTOOLBAR
2008-12-02 20:00 <DIR> --d----- c:\program files\AVG
2008-12-02 20:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-02 18:52 859 a------- c:\windows\system32\winpfz33.sys
2008-12-02 18:52 21 a------- c:\windows\system32\zxdnt3d.cfg
2008-12-02 18:52 64,859 a------- c:\windows\system32\tdccmlvugevz.exe
2008-12-02 18:52 153,484 a------- c:\windows\system32\g30.exe
2008-12-02 17:58 <DIR> --d----- c:\program files\Lavasoft
2008-12-02 17:38 1,377,671 ---sh--- c:\windows\system32\oejvvlxr.ini
2008-12-02 17:37 62,464 a------- c:\windows\system32\~.exe
2008-12-02 17:36 32,768 a------- c:\windows\system32\drivers\ati2rtxx.sys
2008-12-02 17:36 129,024 a------- c:\windows\system32\vfqxut.dll
2008-12-02 17:36 129,024 a------- c:\windows\system32\agucpwos.dll
2008-12-02 17:36 41,472 a------- c:\windows\system32\eagdflvs.dll
2008-12-02 17:35 743,222 a--sh--- c:\windows\system32\DdMoYccf.ini2
2008-12-02 17:35 743,222 a--sh--- c:\windows\system32\DdMoYccf.ini
2008-12-02 17:35 302,592 a------- c:\windows\system32\fccYoMdD.dll
2008-12-02 17:19 1,989 a------- c:\windows\uninstall_nmon.vbs
2008-12-02 17:19 <DIR> --d----- c:\program files\Network Monitor
2008-12-02 17:19 <DIR> --dsh--- c:\windows\UmljaGFyZCBXaWx0c2hpcmU
2008-12-02 17:19 <DIR> --d----- c:\program files\webHancer
2008-12-02 17:19 47,598 a------- c:\windows\system32\ouvirtkzoay.exe
2008-12-02 17:19 <DIR> --d----- c:\temp\tn3
2008-12-02 17:19 282,629 a------- c:\windows\system32\dwwnw64r.exe
2008-12-02 17:18 167,976 a------- c:\windows\system32\drivers\core.cache.dsk
2008-12-02 17:18 86,272 a------- c:\windows\system32\drivers\btcusbb.sys
2008-12-02 17:18 174 a------- c:\windows\system32\msnav32.ax
2008-12-02 17:18 22,528 a------- c:\windows\system32\rs32net.exe
2008-12-02 17:17 104,448 a------- c:\windows\system32\winhlp.exe
2008-12-02 17:17 104,448 a------- C:\qthqdso.exe
2008-12-02 17:17 705 a------- C:\mguvbfr.exe
2008-12-02 17:17 2 a------- C:\1960106143
2008-12-02 17:17 10,000 a------- c:\windows\system32\gs73gfidgf.dll
2008-12-02 17:17 8,192 a------- C:\opdwrpjm.exe
2008-12-02 17:16 <DIR> --d----- c:\docume~1\richard\applic~1\gadcom
2008-12-02 17:16 65,024 a------- c:\windows\system32\xxywWoND.dll
2008-12-02 17:16 34,816 a------- c:\windows\system32\wvUnOHwT.dll
2008-12-02 17:16 35,307 a------- c:\windows\system32\prunnet.exe
2008-11-24 16:27 369,152 a------- c:\windows\system32\edirhpvlbn.dll
2008-11-23 15:15 <DIR> --d----- c:\program files\common files\Philips
2008-11-23 14:51 <DIR> --d----- c:\program files\Philips
2008-11-12 17:26 1,106,944 -------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:11 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-07 18:43 54,156 a---h--- c:\windows\QTFont.qfn
2008-11-07 18:43 1,409 a------- c:\windows\QTFont.for
2008-11-04 21:32 <DIR> --d----- c:\docume~1\richard\applic~1\Damdai
2008-11-04 21:05 14,048 -------- c:\windows\system32\spmsg2.dll
2008-11-04 16:22 <DIR> --d----- C:\vcs5BGEffects
2008-11-04 16:11 <DIR> --d----- c:\program files\AV Vcs 6.0 DIAMOND

==================== Find3M ====================

2008-12-02 17:01 <DIR> --d----- c:\program files\Steam
2008-10-26 12:44 <DIR> --d----- c:\program files\Half Life Player
2008-10-24 20:05 <DIR> --d----- c:\program files\Lexmark 1200 Series
2008-10-19 12:01 <DIR> --d----- c:\program files\common files\PCSuite
2008-10-19 12:01 <DIR> --d----- c:\program files\common files\Nokia
2008-10-19 12:01 <DIR> --d----- c:\program files\Nokia
2008-10-19 11:59 <DIR> --d----- c:\program files\PC Connectivity Solution
2008-10-16 14:13 1,809,944 a------- c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:13 202,776 a------- c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:12 323,608 a------- c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:12 561,688 a------- c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:09 92,696 a------- c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 51,224 a------- c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:08 34,328 a------- c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 -------- c:\windows\system32\dllcache\netapi32.dll
2008-10-09 11:05 <DIR> --d----- c:\program files\Creative
2008-10-03 17:41 6,066,176 -------- c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 a------- c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 -------- c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 -------- c:\windows\system32\dllcache\msxml6.dll
2008-09-09 13:39 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Minnetonka Audio Software
2008-09-08 10:41 333,824 -------- c:\windows\system32\dllcache\srv.sys
2008-09-05 23:30 241,704 -------- c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 917,032 -------- c:\windows\system32\dllcache\WgaTray.exe
2008-08-15 13:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BCR
2008-07-30 14:09 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PopCap
2008-05-20 11:03 <DIR> --d-h--- c:\docume~1\richard\applic~1\Hangame
2008-01-23 23:34 <DIR> --d----- c:\docume~1\richard\applic~1\e frontier
2008-01-15 14:56 <DIR> --d----- c:\docume~1\richard\applic~1\Smart Recorder
2008-01-02 16:59 <DIR> --d----- c:\docume~1\richard\applic~1\FaxCtr
2008-01-02 16:41 <DIR> --d----- c:\docume~1\alluse~1\applic~1\FaxCtr
2007-12-12 20:34 <DIR> --d----- c:\docume~1\richard\applic~1\SYSTEMAX Software Development
2007-12-12 20:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SYSTEMAX Software Development
2007-10-31 16:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ALM
2007-09-27 17:10 <DIR> --d----- c:\docume~1\richard\applic~1\Screenshot Sender
2007-09-08 15:32 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2007-09-07 17:12 <DIR> --d--r-- c:\docume~1\richard\applic~1\Brother
2007-08-07 18:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Messenger Plus!
2007-08-03 16:44 <DIR> --d----- c:\docume~1\richard\applic~1\Quark
2007-08-03 16:43 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Quark
2007-08-03 15:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Brother
2007-08-02 19:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ACD Systems
2004-08-11 16:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SBSI
1999-07-07 00:00 6 ---shr-- c:\windows\@desktop@.dat
2005-05-13 16:12 217,073 a--shr-- c:\windows\meta4.exe
2005-10-24 10:13 66,560 a--shr-- c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 a--shr-- c:\windows\x2.64.exe
2005-10-07 18:14 308,224 a--shr-- c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 a--shr-- c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 a--shr-- c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 a--shr-- c:\windows\system32\cygz.dll
2008-09-02 17:37 64,512 a--sh--- c:\windows\system32\gizolama.dll
2004-01-24 23:00 70,656 a--shr-- c:\windows\system32\i420vfw.dll
2008-09-02 17:37 64,512 a--sh--- c:\windows\system32\ruvoziyi.dll
2005-12-22 19:23 816,640 a--shr-- c:\windows\system32\smab.dll
2008-09-02 17:37 64,512 a--sh--- c:\windows\system32\vokeloso.dll
2005-02-28 12:16 240,128 a--shr-- c:\windows\system32\x.264.exe
2005-08-02 16:46 187,904 a--shr-- c:\windows\umljagfyzcbxawx0c2hpcmu\asappsrv.dll
2005-08-02 16:58 293,888 a--shr-- c:\windows\umljagfyzcbxawx0c2hpcmu\command.exe
2005-07-29 16:24 472 a--shr-- c:\windows\umljagfyzcbxawx0c2hpcmu\oA53u3IVtF1ruqUXwZ1DwAo.vbs

============= FINISH: 0:17:24.14 ===============
Attached Files
File Type: txt gmer.txt (14.0 KB, 2 views)
File Type: txt Attach.txt (16.6 KB, 3 views)
SKaiser is offline  
Old 12-03-2008, 05:58 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home


Re: Stronger adware then I thought...

Yes, I can see the problem. You've got a pile of infection on the machine and a nasty rootkit.


Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

This would work best if you allow an active internet connection to the machine. If you can, skip to Step number 1 below.

If you cannot, download both ComboFix from the link below, and the Microsoft file from this link, and carry them to the infected machine via USB stick.

For XP Pro >> http://www.microsoft.com/downloads/d...displaylang=en
Then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement (EULA) to install the Recovery Console.

Then, pick up the instructions below, beginning with this:

Quote:
The Recovery Console was successfully installed.
====================

This is if you can maintain an active internet connection.
  1. Download ComboFix from this link.
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  3. Double click on combofix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.

    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
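What the helper is reading off the DDS log above can be triaged mechanically: the loading points (mRun, Notify, AppInit_DLLs, SEH, LSA) are cross-checked against the log's own dated file listing. The script below is an added example for this thread, not code from the forum, from DDS or from ComboFix. It runs over a constructed sample whose lines copy the shape of the log posted above; the loading-point weights and the small known-good list are assumptions made for the sample, not any vendor's rules.

```python
"""Triage DDS-style autostart entries against the log's own file listing.

Added example for this thread (not code from the forum, DDS or ComboFix).
Each module named at a loading point is scored by how unusual that point is
for ordinary software and by whether the same file shows up in the log's
dated listing, with extra weight for system+hidden attributes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: lines in the shape of the DDS log above (paths as posted).
SAMPLE_LOG = r"""
mRun: [rs32net] c:\windows\system32\rs32net.exe
mRun: [lhgsmxrslbpwvytgo] c:\windows\system32\regsvr32.exe /s "c:\windows\system32\edirhpvlbn.dll"
mRun: [kuhujadeni] Rundll32.exe "c:\windows\system32\vokeloso.dll",s
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [74d4d830] rundll32.exe "c:\windows\system32\lnimkwxr.dll",b
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
Notify: wvUnOHwT - wvUnOHwT.dll
AppInit_DLLs: ,c:\windows\system32\ruvoziyi.dll,avgrsstx.dll vufkso.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\wvUnOHwT.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccYoMdD
LSA: Notification Packages = scecli c:\windows\system32\ruvoziyi.dll
2008-12-03 17:39 1,410,833 ---sh--- c:\windows\system32\rxwkminl.ini
2008-12-03 17:39 72,704 a------- c:\windows\system32\lnimkwxr.dll
2008-12-03 17:36 129,024 a------- c:\windows\system32\vufkso.dll
2008-12-02 17:35 302,592 a------- c:\windows\system32\fccYoMdD.dll
2008-12-02 17:18 22,528 a------- c:\windows\system32\rs32net.exe
2008-12-02 17:16 34,816 a------- c:\windows\system32\wvUnOHwT.dll
2008-11-24 16:27 369,152 a------- c:\windows\system32\edirhpvlbn.dll
2008-09-02 17:37 64,512 a--sh--- c:\windows\system32\ruvoziyi.dll
2008-09-02 17:37 64,512 a--sh--- c:\windows\system32\vokeloso.dll
"""

# Assumed weights: LSA packages, AppInit_DLLs and Winlogon Notify load a DLL
# into logon or into every process, so ordinary software rarely lives there.
LOAD_POINT_WEIGHT = {"LSA": 3, "AppInit_DLLs": 3, "Notify": 3, "SEH": 2,
                     "mRun": 1, "uRun": 1, "dRun": 1, "StartupFolder": 1}
# Assumed known-good set for an XP box running AVG 8, plus the two stock loaders.
KNOWN_GOOD = {"msv1_0", "scecli", "avgrsstx", "avgtray", "ctfmon", "rundll32", "regsvr32"}

FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d) ([\d,]+|<DIR>) (\S{8}) (.+)$")
AUTOSTART_RE = re.compile(r"^(mRun|uRun|dRun|StartupFolder|Notify|AppInit_DLLs|SEH|LSA): (.*)$")
MODULE_EXT_RE = re.compile(r"^([\w~$-]+)\.(dll|exe|sys|ax|cpl)$", re.I)


@dataclass
class Finding:
    point: str
    entry: str
    module: str
    score: int
    reasons: List[str]


def stem_of(path: str) -> str:
    """Lower-case basename without extension, so fccYoMdD and fccYoMdD.dll compare equal."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[0].lower()


def modules_in(point: str, value: str) -> List[str]:
    """Module stems referenced by one autostart value (loader and payload alike)."""
    if point in ("mRun", "uRun", "dRun"):
        value = re.sub(r"^\[[^\]]*\]\s*", "", value)   # drop the "[valuename]" prefix
    elif point == "LSA":
        value = value.split("=", 1)[-1]                # keep only the package list
    elif point == "StartupFolder":
        value = value.split(" - ", 1)[-1]              # keep the .lnk target
    stems = []
    for tok in re.split(r'[\s,"]+', value):
        if not tok or tok[0] in "/-{":                 # switches, separators, CLSIDs
            continue
        base = tok.replace("/", "\\").rsplit("\\", 1)[-1]
        if MODULE_EXT_RE.match(base):
            stems.append(base.rsplit(".", 1)[0].lower())
        elif point == "LSA" and re.fullmatch(r"\w{3,}", base):
            stems.append(base.lower())                 # LSA lists packages without ".dll"
    return stems


def triage(log: str) -> List[Finding]:
    """Score every non-allowlisted module at a loading point; highest score first."""
    listed: Dict[str, str] = {}                        # module stem -> attribute string
    for line in log.splitlines():
        m = FILE_RE.match(line.strip())
        if m and m.group(2) != "<DIR>":
            listed[stem_of(m.group(4))] = m.group(3)
    findings = []
    for line in log.splitlines():
        m = AUTOSTART_RE.match(line.strip())
        if not m:
            continue
        point, value = m.groups()
        for mod in modules_in(point, value):
            if mod in KNOWN_GOOD:
                continue
            score, why = LOAD_POINT_WEIGHT[point], [f"loads via {point}"]
            attrs = listed.get(mod)
            if attrs is not None:
                score += 2
                why.append("file appears in the log's recent/hidden file listing")
                if "s" in attrs and "h" in attrs:
                    score += 2
                    why.append("file carries system+hidden attributes")
            findings.append(Finding(point, value, mod, score, why))
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score:>2}  {f.point:<12} {f.module:<12} {'; '.join(f.reasons)}")
```

Running it lists ten scored entries; the same two files (ruvoziyi.dll, wvUnOHwT.dll) surface from several loading points at once, and the entries at LSA, AppInit_DLLs and Notify outscore everything in the ordinary Run keys. That corroboration across points, rather than any single line, is what makes the diagnosis above readable from the log, and it is a useful habit when reviewing such logs for someone else.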
Old 12-04-2008, 08:53 AM   #7 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: XP


Re: Stronger adware then I thought...

Well although slow to boot up the system appears to be a little more stable than it was, since it can now read USBs without needing to go into safe mode again, as well as the virus guard identifying various copies of the trojan horse 'generic12.UGM' and Downloader Generic2.MYA. The previous issues however are still in effect, such as the popups, and I have taken no action to deal with the identified trojan horses at this time:


ComboFix 08-12-03.04 - Richard 2008-12-04 15:40:49.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1514 [GMT 0:00]
Command switches used :: c:\documents and settings\Richard\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\Richard\Application Data\gadcom
c:\documents and settings\Richard\Application Data\gadcom\gadcom.exe
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\Richard\Local Settings\Temporary Internet Files\hgstarterjp_verinfo.dat
c:\documents and settings\Richard\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\Richard\Start Menu\Programs\Startup\DW_Start.lnk
c:\program files\Mjcore
c:\program files\Mjcore\Mjcore.dll
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\program files\webhancer
c:\program files\webhancer\Programs\license.txt
c:\program files\webhancer\Programs\readme.txt
c:\program files\webhancer\Programs\SET1D9.tmp
c:\temp\tn3
c:\windows\system32\~.exe
c:\windows\system32\agucpwos.dll
c:\windows\system32\DdMoYccf.ini
c:\windows\system32\DdMoYccf.ini2
c:\windows\system32\drivers\ati2rtxx.sys
c:\windows\system32\drivers\TDSSpqlt.sys
c:\windows\system32\dwwnw64r.exe
c:\windows\system32\eagdflvs.dll
c:\windows\system32\fccYoMdD.dll
c:\windows\system32\gizolama.dll
c:\windows\system32\gs73gfidgf.dll
c:\windows\system32\lnimkwxr.dll
c:\windows\system32\lsprst7.dll
c:\windows\system32\msnav32.ax
c:\windows\system32\najytkxa.dll
c:\windows\system32\oejvvlxr.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\rs32net.exe
c:\windows\system32\ruvoziyi.dll
c:\windows\system32\rxwkminl.ini
c:\windows\system32\ssprs.dll
c:\windows\system32\TDSSarxx.dll
c:\windows\system32\TDSScfmm.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSlxcp.dll
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSoiqt.dll
c:\windows\system32\TDSSsahc.dll
c:\windows\system32\TDSSvkql.dll
c:\windows\system32\TDSSxhyf.log
c:\windows\system32\vfqxut.dll
c:\windows\system32\vokeloso.dll
c:\windows\system32\vufkso.dll
c:\windows\system32\winpfz33.sys
c:\windows\system32\xxywWoND.dll
c:\windows\system32\yckgqhco.dll
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\jdntzijh.job
c:\windows\Temp\tmp3.tmp
c:\windows\uninstall_nmon.vbs
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS
-------\Legacy_ATI2RTXX
-------\Legacy_NETWORK_MONITOR
-------\Service_ati2rtxx
-------\Service_Network Monitor
-------\Service_restore


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-04 16:00 . 2008-12-04 16:00 <DIR> d-------- c:\temp\tn3
2008-12-04 15:58 . 2008-12-04 15:58 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-12-03 17:22 . 2007-12-05 21:32 237,568 --a------ c:\program files\Uninstall Morpheus Toolbar.dll
2008-12-02 20:41 . 2008-12-02 21:20 <DIR> d-------- C:\HJT
2008-12-02 20:24 . 2008-12-02 20:24 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-02 20:01 . 2008-12-02 20:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-02 20:00 . 2008-12-04 16:03 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-02 20:00 . 2008-12-02 20:00 <DIR> d-------- c:\program files\AVG
2008-12-02 20:00 . 2008-12-02 20:00 <DIR> d-------- c:\documents and settings\Richard\Application Data\AVGTOOLBAR
2008-12-02 20:00 . 2008-12-02 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-02 20:00 . 2008-12-02 20:00 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-02 20:00 . 2008-12-02 20:00 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-02 18:52 . 2008-12-02 18:52 153,484 --a------ c:\windows\system32\g30.exe
2008-12-02 18:52 . 2008-12-02 18:52 64,859 --a------ c:\windows\system32\tdccmlvugevz.exe
2008-12-02 17:58 . 2008-12-02 17:58 <DIR> d-------- c:\program files\Lavasoft
2008-12-02 17:58 . 2008-12-02 17:58 <DIR> d-------- c:\documents and settings\Richard\Application Data\Lavasoft
2008-12-02 17:19 . 2008-12-02 17:19 <DIR> d--hs---- c:\windows\UmljaGFyZCBXaWx0c2hpcmU
2008-12-02 17:19 . 2008-12-02 17:19 47,598 --a------ c:\windows\system32\ouvirtkzoay.exe
2008-12-02 17:18 . 2008-12-02 17:18 86,272 --a------ c:\windows\system32\drivers\btcusbb.sys
2008-12-02 17:17 . 2008-12-02 17:17 104,448 --a------ c:\windows\system32\winhlp.exe
2008-12-02 17:17 . 2008-12-02 17:17 104,448 --a------ C:\qthqdso.exe
2008-12-02 17:17 . 2008-12-02 17:17 8,192 --a------ C:\opdwrpjm.exe
2008-12-02 17:17 . 2008-12-02 17:17 705 --a------ C:\mguvbfr.exe
2008-12-02 17:17 . 2008-12-02 17:17 2 --a------ C:\1960106143
2008-12-02 17:16 . 2008-12-02 17:16 34,816 --a------ c:\windows\system32\wvUnOHwT.dll
2008-11-24 16:27 . 2008-11-24 16:27 369,152 --a------ c:\windows\system32\edirhpvlbn.dll
2008-11-23 15:15 . 2008-11-23 15:15 <DIR> d-------- c:\program files\Common Files\Philips
2008-11-23 14:51 . 2008-11-24 13:33 <DIR> d-------- c:\program files\Philips
2008-11-12 17:26 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:11 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-07 18:43 . 2008-12-01 22:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-07 18:43 . 2008-11-07 18:43 1,409 --a------ c:\windows\QTFont.for
2008-11-04 21:32 . 2008-11-04 21:32 <DIR> d-------- c:\documents and settings\Richard\Application Data\Damdai
2008-11-04 21:05 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-11-04 16:22 . 2008-11-06 20:55 <DIR> d-------- C:\vcs5BGEffects
2008-11-04 16:11 . 2008-11-06 20:38 <DIR> d-------- c:\program files\AV Vcs 6.0 DIAMOND

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 15:32 --------- d-----w c:\documents and settings\Richard\Application Data\Hamachi
2008-12-03 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-02 17:01 --------- d-----w c:\program files\Steam
2008-11-23 15:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 13:34 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-26 12:44 --------- d-----w c:\program files\Half Life Player
2008-10-24 20:05 --------- d-----w c:\program files\Lexmark 1200 Series
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 12:01 --------- d-----w c:\program files\Nokia
2008-10-19 12:01 --------- d-----w c:\program files\Common Files\PCSuite
2008-10-19 12:01 --------- d-----w c:\program files\Common Files\Nokia
2008-10-19 12:01 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-10-19 11:59 --------- d-----w c:\program files\PC Connectivity Solution
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 16:34 337,408 ------w c:\windows\system32\dllcache\netapi32.dll
2008-10-09 11:05 --------- d-----w c:\program files\Creative
2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
2008-09-30 16:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-15 12:12 1,846,400 ------w c:\windows\system32\dllcache\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\dllcache\msxml6.dll
2008-09-08 10:41 333,824 ------w c:\windows\system32\dllcache\srv.sys
2008-09-05 23:30 241,704 ------w c:\windows\system32\dllcache\wgaLogon.dll
2008-09-05 23:29 917,032 ------w c:\windows\system32\dllcache\WgaTray.exe
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2006-03-15 13:19 212,992 ----a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2006-01-26 16:55 280,576 ----a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-10-06 14:17 280,576 ----a-w c:\windows\inf\WG311v3\WG311v3XP.sys
1999-07-07 00:00 6 --sh--r c:\windows\@desktop@.dat
2005-05-13 16:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 10:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2005-12-22 19:23 816,640 --sha-r c:\windows\system32\smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
2005-08-02 16:46 187,904 --sha-r c:\windows\UmljaGFyZCBXaWx0c2hpcmU\asappsrv.dll
2005-08-02 16:58 293,888 --sha-r c:\windows\UmljaGFyZCBXaWx0c2hpcmU\command.exe
2005-07-29 16:24 472 --sha-r c:\windows\UmljaGFyZCBXaWx0c2hpcmU\oA53u3IVtF1ruqUXwZ1DwAo.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14A18709-2CF5-E700-1A87-A501B3981CED}]
2008-11-24 16:27 369152 --a------ c:\windows\system32\edirhpvlbn.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B46B97E-69B6-414C-9C71-20BD5B25B5A5}]
2008-12-04 16:12 302592 --a------ c:\windows\system32\vtUkhgeB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-02 17:16 34816 --a------ c:\windows\system32\wvUnOHwT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c7a4457-e81c-4c0d-b588-b2e81d86bb85}]
2008-12-04 16:18 129024 --a------ c:\windows\system32\mtalbh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-29 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2006-08-15 77920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 102400]
"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 180224]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-29 81920]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"lhgsmxrslbpwvytgo"="c:\windows\system32\edirhpvlbn.dll" [2008-11-24 369152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]
"74d4d830"="c:\windows\system32\ghuejoqa.dll" [2008-12-04 72704]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-03 c:\windows\system32\WDBtnMgr.exe]
"nwiz"="nwiz.exe" [2007-10-29 c:\windows\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.DLL]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Richard\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-05-14 624416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-03 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-03 110592]
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-05-07 1183744]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\wvUnOHwT.dll" [2008-12-02 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnOHwT]
2008-12-02 17:16 34816 c:\windows\system32\wvUnOHwT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\vtUkhgeB

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Croteam\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\bmoworld\\BomberMan.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\counter-strike source\\hl2.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Hangame\\JAPANESE\\gunster.exe"=
"c:\\Team17\\Worms2\\frontend.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\ricochet\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\source 2007 dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\garrysmod\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Richard\\Local Settings\\Apps\\2.0\\5MKQLXRC.5B8\\K2Z47TBN.1GC\\2dff..tion_fcdf29b345c9098a_0001.0000_98805a01a3d42574\\2DF FreePlay Client.exe"=
"c:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"=
"c:\\Documents and Settings\\Richard\\Local Settings\\Apps\\2.0\\5MKQLXRC.5B8\\K2Z47TBN.1GC\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\JRE\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
R1 btcusbb;btcusbb;c:\windows\system32\drivers\btcusbb.sys [2008-12-02 86272]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-07-20 28184]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service []
S3 kbeepm;kbeepm;\??\c:\docume~1\Richard\LOCALS~1\Temp\kbeepm.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4233892-ea14-11dc-85e3-001b2f2e029d}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{5D1AC792-53F5-44A5-8802-D3ACFC1B3C11} - c:\windows\system32\fccYoMdD.dll
BHO-{66c005b5-38a5-4a0b-af4b-19815d45a08f} - c:\windows\system32\gizolama.dll
BHO-{f0c9605b-2ddc-0bd1-0e74-b2416fe60202} - c:\windows\system32\jtqnitevgoxhz.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKCU-Run-rs32net - c:\windows\System32\rs32net.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKU-Default-Run-Nokia.PCSync - c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe


.
------- Supplementary Scan -------
.
uStart Page = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6070720
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

c:\windows\Downloaded Program Files\hgstartjp24.exe - c:\windows\Downloaded Program Files\hgnotifyjp24.exe
c:\windows\Downloaded Program Files\HGPluginJP24.dll
O16 -: {19A08B4B-EA7C-4C62-B477-D36E5396A1B5}
hxxp://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP24.cab
c:\windows\Downloaded Program Files\HGPluginJP24.inf

c:\windows\Downloaded Program Files\hgstartjp23.exe - c:\windows\Downloaded Program Files\hgnotifyjp23.exe
c:\windows\Downloaded Program Files\HGPluginJP23.dll
O16 -: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03}
hxxp://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab
c:\windows\Downloaded Program Files\HGPluginJP23.inf
FireFox -: Profile - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\vcspei4i.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 16:01:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\MrvGINA.dll
c:\windows\system32\wvUnOHwT.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
c:\program files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 1200 Series\LXCZbmon.exe
c:\progra~1\AVG\AVG8\aAvgApi.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-12-04 16:21:53 - machine was rebooted [Richard]
ComboFix-quarantined-files.txt 2008-12-04 16:21:50

Pre-Run: 79,769,960,448 bytes free
Post-Run: 84,061,978,624 bytes free

433 --- E O F --- 2008-11-25 00:32:59

Last edited by SKaiser; 12-04-2008 at 09:01 AM.
SKaiser is offline  
Old 12-04-2008, 09:14 AM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home


Re: Stronger adware then I thought...

As heavily infected as this machine is, it will take a few rounds to get it all.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/hijackthis-log-help/319513-stronger-adware-then-i-thought.html#post1837936

    File::
    C:\1960106143

    Folder::
    c:\temp\tn3
    c:\windows\UmljaGFyZCBXaWx0c2hpcmU

    Driver::
    btcusbb
    kbeepm

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14A18709-2CF5-E700-1A87-A501B3981CED}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B46B97E-69B6-414C-9C71-20BD5B25B5A5}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7c7a4457-e81c-4c0d-b588-b2e81d86bb85}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "lhgsmxrslbpwvytgo"=-
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvUnOHwT]

    Collect::
    c:\windows\system32\drivers\btcusbb.sys
    C:\qthqdso.exe
    C:\opdwrpjm.exe
    C:\mguvbfr.exe
    c:\windows\system32\mtalbh.dll
    c:\windows\system32\g30.exe
    c:\windows\system32\tdccmlvugevz.exe
    c:\windows\system32\ouvirtkzoay.exe
    c:\windows\system32\winhlp.exe
    c:\windows\system32\wvUnOHwT.dll
    c:\windows\system32\edirhpvlbn.dll
    c:\windows\system32\vtUkhgeB.dll




    Save this as CFScript.txt

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

    ---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
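As an added example (not from this thread, not part of ComboFix, and not the forum's own tooling), here is a small Python triage script that reads lines in the shape ComboFix prints under "Reg Loading Points" and in its driver/service list, and flags the kinds of entries the CFScript above targets: random-looking autostart value names (like "lhgsmxrslbpwvytgo" and "74d4d830" in the first log), drivers loading from a Temp folder, and entries with no file date/size recorded (the "[]" on the kbeepm line). The sample lines are copied from the logs posted in this thread; the heuristics, thresholds and function names are my own assumptions.

```python
"""Triage helper for ComboFix-style log lines (added example; heuristics are assumptions)."""
import re
from typing import Dict, List

# Constructed sample in the shape ComboFix prints under "Reg Loading Points"
# and the driver/service list. These particular entries are copied from the
# logs posted in this thread; nothing here is invented.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"lhgsmxrslbpwvytgo"="c:\windows\system32\edirhpvlbn.dll" [2008-11-24 369152]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]
"74d4d830"="c:\windows\system32\ghuejoqa.dll" [2008-12-04 72704]
"nwiz"="nwiz.exe" [2007-10-29 c:\windows\system32\nwiz.exe]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
S3 kbeepm;kbeepm;\??\c:\docume~1\Richard\LOCALS~1\Temp\kbeepm.sys []
"""

# "name"="path" [date size]   -- a registry Run value as ComboFix prints it
RUN_ENTRY = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# R1 svc;display;path [date size]   -- driver/service line; "[]" when the file is absent
SERVICE_ENTRY = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]$'
)
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (an assumption, not a ComboFix rule): value names that are long
    runs of lowercase letters with almost no vowels, or pure hex, are usually
    machine-generated by a dropper rather than chosen by a vendor."""
    if len(name) < 8:
        return False
    if re.fullmatch(r"[0-9a-f]{8,}", name):
        return True
    if not re.fullmatch(r"[a-z]{8,}", name):
        return False  # spaces, digits or capitals: shaped like a product name
    vowel_ratio = sum(c in VOWELS for c in name) / len(name)
    return vowel_ratio < 0.2


def reasons_for(name: str, path: str, meta: str) -> List[str]:
    """Collect the reasons an entry deserves a second look (thresholds are assumptions)."""
    reasons = []
    if looks_random(name):
        reasons.append("random-looking name")
    if "\\temp\\" in path.lower():
        reasons.append("loads from a Temp directory")
    if not meta.strip():
        reasons.append("no file date/size recorded (file absent or hidden)")
    return reasons


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Walk the log text and return one finding per suspicious entry, in log order."""
    findings: List[Dict[str, str]] = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]  # a registry key header such as ...\Run
            continue
        m = RUN_ENTRY.match(line)
        if m:
            reasons = reasons_for(m["name"], m["path"], m["meta"])
            if reasons:
                findings.append({"kind": "run", "where": current_key, "name": m["name"],
                                 "path": m["path"], "reasons": "; ".join(reasons)})
            continue
        m = SERVICE_ENTRY.match(line)
        if m:
            reasons = reasons_for(m["svc"], m["path"], m["meta"])
            if reasons:
                findings.append({"kind": "service", "where": m["start"], "name": m["svc"],
                                 "path": m["path"], "reasons": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['kind']:7} {f['name']:20} {f['path']}\n        -> {f['reasons']}")
```

Run against the sample it reports the two random-named Run values and the kbeepm driver in Temp, and stays quiet on QuickTime, AVG and nwiz. Treat the output as a triage list, not a verdict: an empty "[]" on its own also appears on legitimate entries in this thread (the Lexmark lxcz_device service), which is exactly why the helper here asked for the driver files to be collected and submitted rather than deleted on sight.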
Old 12-04-2008, 02:24 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: XP


Re: Stronger adware then I thought...

I think this scan may have solved the problem: every time I ran the Firefox browser since the infection it asked me if I wanted to make it the default browser (which I normally already have it set as), but it has stopped doing that now. Not to mention that in preparing this post I have received no signs of any pop-ups, and my virus guards have been able to update themselves.

ComboFix 08-12-03.04 - Richard 2008-12-04 17:35:37.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1306 [GMT 0:00]
Running from: c:\documents and settings\Richard\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Richard\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\1960106143
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1960106143
C:\mguvbfr.exe
C:\opdwrpjm.exe
C:\qthqdso.exe
c:\temp\tn3
c:\windows\system32\aqojeuhg.ini
c:\windows\system32\BeghkUtv.ini
c:\windows\system32\BeghkUtv.ini2
c:\windows\system32\drivers\btcusbb.sys
c:\windows\system32\drivers\core.cache.dsk
c:\windows\system32\edirhpvlbn.dll
c:\windows\system32\euspldow.dll
c:\windows\system32\g30.exe
c:\windows\system32\ghuejoqa.dll
c:\windows\system32\mtalbh.dll
c:\windows\system32\nanloaon.dll
c:\windows\system32\ouvirtkzoay.exe
c:\windows\system32\tdccmlvugevz.exe
c:\windows\system32\vtUkhgeB.dll
c:\windows\system32\winhlp.exe
c:\windows\system32\wvUnOHwT.dll
c:\windows\UmljaGFyZCBXaWx0c2hpcmU
c:\windows\UmljaGFyZCBXaWx0c2hpcmU\asappsrv.dll
c:\windows\UmljaGFyZCBXaWx0c2hpcmU\command.exe
c:\windows\UmljaGFyZCBXaWx0c2hpcmU\oA53u3IVtF1ruqUXwZ1DwAo.vbs

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BTCUSBB
-------\Legacy_KBEEPM
-------\Service_btcusbb
-------\Service_kbeepm


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 17:22 . 2007-12-05 21:32 237,568 --a------ c:\program files\Uninstall Morpheus Toolbar.dll
2008-12-02 20:41 . 2008-12-02 21:20 <DIR> d-------- C:\HJT
2008-12-02 20:24 . 2008-12-02 20:24 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\AVGTOOLBAR
2008-12-02 20:01 . 2008-12-02 20:01 <DIR> d--h----- C:\$AVG8.VAULT$
2008-12-02 20:00 . 2008-12-04 17:55 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-12-02 20:00 . 2008-12-02 20:00 <DIR> d-------- c:\program files\AVG
2008-12-02 20:00 . 2008-12-02 20:00 <DIR> d-------- c:\documents and settings\Richard\Application Data\AVGTOOLBAR
2008-12-02 20:00 . 2008-12-02 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-12-02 20:00 . 2008-12-02 20:00 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-12-02 20:00 . 2008-12-02 20:00 10,520 --a------ c:\windows\system32\avgrsstx.dll
2008-12-02 17:58 . 2008-12-02 17:58 <DIR> d-------- c:\program files\Lavasoft
2008-12-02 17:58 . 2008-12-02 17:58 <DIR> d-------- c:\documents and settings\Richard\Application Data\Lavasoft
2008-11-23 15:15 . 2008-11-23 15:15 <DIR> d-------- c:\program files\Common Files\Philips
2008-11-23 14:51 . 2008-11-24 13:33 <DIR> d-------- c:\program files\Philips
2008-11-12 17:26 . 2008-09-04 17:15 1,106,944 --------- c:\windows\system32\dllcache\msxml3.dll
2008-11-12 17:11 . 2008-10-24 11:21 455,296 --------- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-07 18:43 . 2008-12-01 22:48 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-07 18:43 . 2008-11-07 18:43 1,409 --a------ c:\windows\QTFont.for
2008-11-04 21:32 . 2008-11-04 21:32 <DIR> d-------- c:\documents and settings\Richard\Application Data\Damdai
2008-11-04 21:05 . 2006-06-29 13:07 14,048 --a------ c:\windows\system32\spmsg2.dll
2008-11-04 16:22 . 2008-11-06 20:55 <DIR> d-------- C:\vcs5BGEffects
2008-11-04 16:11 . 2008-11-06 20:38 <DIR> d-------- c:\program files\AV Vcs 6.0 DIAMOND

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 17:26 --------- d-----w c:\documents and settings\Richard\Application Data\Hamachi
2008-12-03 17:37 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2008-12-03 17:27 --------- d-----w c:\program files\Morpheus
2008-12-02 17:01 --------- d-----w c:\program files\Steam
2008-11-23 15:22 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-23 13:34 --------- d-----w c:\program files\Windows Live Safety Center
2008-10-26 12:44 --------- d-----w c:\program files\Half Life Player
2008-10-24 20:05 --------- d-----w c:\program files\Lexmark 1200 Series
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-19 12:01 --------- d-----w c:\program files\Nokia
2008-10-19 12:01 --------- d-----w c:\program files\Common Files\PCSuite
2008-10-19 12:01 --------- d-----w c:\program files\Common Files\Nokia
2008-10-19 12:01 --------- d-----w c:\documents and settings\All Users\Application Data\Installations
2008-10-19 11:59 --------- d-----w c:\program files\PC Connectivity Solution
2008-10-09 11:05 --------- d-----w c:\program files\Creative
2006-03-15 13:19 212,992 ----a-w c:\windows\inf\WG311v3\CopyWHQLDriver.exe
2006-01-26 16:55 280,576 ----a-w c:\windows\inf\WG311v3\WG311v3.sys
2005-10-06 14:17 280,576 ----a-w c:\windows\inf\WG311v3\WG311v3XP.sys
1999-07-07 00:00 6 --sh--r c:\windows\@desktop@.dat
2005-05-13 16:12 217,073 --sha-r c:\windows\meta4.exe
2005-10-24 10:13 66,560 --sha-r c:\windows\MOTA113.exe
2005-10-13 20:27 422,400 --sha-r c:\windows\x2.64.exe
2005-10-07 18:14 308,224 --sha-r c:\windows\system32\avisynth.dll
2005-07-14 11:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
2005-06-26 14:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
2005-06-21 21:37 45,568 --sha-r c:\windows\system32\cygz.dll
2004-01-24 23:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
2005-12-22 19:23 816,640 --sha-r c:\windows\system32\smab.dll
2005-02-28 12:16 240,128 --sha-r c:\windows\system32\x.264.exe
.

((((((((((((((((((((((((((((( snapshot@2008-12-04_16.21.27.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-04 15:43:31 93,966 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-04 17:56:38 93,966 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-04 15:43:32 510,476 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-04 17:56:38 510,476 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-11 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2008-08-11 1124352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-29 8466432]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"Popup"="c:\program files\Dell SAS RAID Storage Manager\MegaPopup\Popup.exe" [2006-08-15 77920]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 155648]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 57393]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 40960]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"AHQInit"="c:\program files\Creative\SBLive\Program\AHQInit.exe" [2001-05-10 102400]
"AudioHQ"="c:\program files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 180224]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 623992]
"Adobe_ID0EYTHM"="c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE" [2007-03-20 1884160]
"FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 295856]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-29 81920]
"lxczbmgr.exe"="c:\program files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 74672]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-28 413696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-12-02 1261336]
"WD Button Manager"="WDBtnMgr.exe" [2007-12-03 c:\windows\system32\WDBtnMgr.exe]
"nwiz"="nwiz.exe" [2007-10-29 c:\windows\system32\nwiz.exe]
"P17Helper"="P17.dll" [2005-05-03 c:\windows\system32\P17.DLL]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Richard\Start Menu\Programs\Startup\
hamachi.lnk - c:\program files\Hamachi\hamachi.exe [2008-05-14 624416]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-03 110592]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-08-03 110592]
BlueSoleil.lnk - c:\program files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2008-05-07 1183744]
NETGEAR WG311v3 Smart Wizard.lnk - c:\program files\NETGEAR\WG311v3\wlancfg5.exe [2006-01-26 1486848]
TabUserW.exe.lnk - c:\windows\system32\Wtablet\TabUserW.exe [2003-12-04 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\MegaPopup\\popup.exe"=
"c:\\Program Files\\Croteam\\Serious Sam - The Second Encounter\\Bin\\SeriousSam.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\bmoworld\\BomberMan.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\counter-strike source\\hl2.exe"=
"c:\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Hangame\\JAPANESE\\gunster.exe"=
"c:\\Team17\\Worms2\\frontend.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\LittleFighter2\\LF2_v1.9c\\lf2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\condition zero\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\ricochet\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\day of defeat\\hl.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\condition zero deleted scenes\\hl.exe"=
"c:\\Program Files\\Capcom\\Bionic Commando Rearmed\\bcr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\synergy\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\zombie panic! source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\diprip warm up\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\source 2007 dedicated server\\srcds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\half-life 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\insurgency\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\shinkosai\\garrysmod\\hl2.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Documents and Settings\\Richard\\Local Settings\\Apps\\2.0\\5MKQLXRC.5B8\\K2Z47TBN.1GC\\2dff..tion_fcdf29b345c9098a_0001.0000_98805a01a3d42574\\2DF FreePlay Client.exe"=
"c:\\Program Files\\Kazaa Lite\\KazaaLite.kpp"=
"c:\\Documents and Settings\\Richard\\Local Settings\\Apps\\2.0\\5MKQLXRC.5B8\\K2Z47TBN.1GC\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Program Files\\PC Connectivity Solution\\ServiceLayer.exe"=
"c:\\Program Files\\Dell SAS RAID Storage Manager\\JRE\\bin\\javaw.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Google\\Common\\Google Updater\\GoogleUpdaterService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-12-02 97928]
R1 DLARTL_M;DLARTL_M;c:\windows\system32\Drivers\DLARTL_M.SYS [2007-07-20 28184]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-12-02 231704]
R2 lxcz_device;lxcz_device;c:\windows\system32\lxczcoms.exe -service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4233892-ea14-11dc-85e3-001b2f2e029d}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2008-07-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]
.
- - - - ORPHANS REMOVED - - - -

BHO-{16F3AE0F-AB16-4B4C-BEC3-9C3B3642F29D} - c:\windows\system32\vtUkhgeB.dll


.
------- Supplementary Scan -------
.
uStart Page = http://www.google.co.uk/ig/dell?hl=e...uk&ibd=6070720
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/ig/dell?hl=en&client=dell-usuk-rel&channel=uk&ibd=6070720
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm

c:\windows\Downloaded Program Files\hgstartjp24.exe - c:\windows\Downloaded Program Files\hgnotifyjp24.exe
c:\windows\Downloaded Program Files\HGPluginJP24.dll
O16 -: {19A08B4B-EA7C-4C62-B477-D36E5396A1B5}
hxxp://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP24.cab
c:\windows\Downloaded Program Files\HGPluginJP24.inf

c:\windows\Downloaded Program Files\hgstartjp23.exe - c:\windows\Downloaded Program Files\hgnotifyjp23.exe
c:\windows\Downloaded Program Files\HGPluginJP23.dll
O16 -: {D0FD5E32-CABD-4A6E-BD0F-94ACE89CCE03}
hxxp://down.hangame.co.jp/jp/dist/hgstart/HGPluginJP23.cab
c:\windows\Downloaded Program Files\HGPluginJP23.inf
FireFox -: Profile - c:\documents and settings\Richard\Application Data\Mozilla\Firefox\Profiles\vcspei4i.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://start.mozilla.org/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin2.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin3.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin4.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\QuickTime\Plugins\npqtplugin5.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF -: plugin - c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npOGAPlugin.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-04 17:52:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(948)
c:\windows\system32\MrvGINA.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\brss01a.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\lxczcoms.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\wdfmgr.exe
c:\program files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
c:\windows\system32\MsPMSPSv.exe
c:\program files\Dell SAS RAID Storage Manager\Framework\VivaldiFramework.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\program files\Dell SAS RAID Storage Manager\MegaMonitor\mrmonitor.exe
c:\program files\Dell SAS RAID Storage Manager\JRE\bin\javaw.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Lexmark 1200 Series\LXCZbmon.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
.
**************************************************************************
.
Completion time: 2008-12-04 18:11:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 18:11:40
ComboFix2.txt 2008-12-04 16:21:55

Pre-Run: 84,005,400,576 bytes free
Post-Run: 83,974,840,320 bytes free

330 --- E O F --- 2008-11-25 00:32:59
SKaiser is offline  
Old 12-04-2008, 02:31 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home


Re: Stronger adware then I thought...

Things are looking much better. I don't see that a file was uploaded to our analysis site. To help us get the information we need, please first do this...

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006


Please do not ask for help via Private Message.
tetonbob is offline  
Old 12-04-2008, 02:42 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: XP


Re: Stronger adware then I thought...

My apologies, I had to be elsewhere while the computer was performing the scan; when I came back it only showed the log file I posted above, so I assumed the information you needed had already been sent.

2007-07-20 18:32:05 A------- 4,232 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2007-07-20 18:32:05 A------- 5,179 C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2007-10-31 16:44:14 A------- 8 C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Temporary Internet Files\hgstarterjp_verinfo.dat.vir
2008-09-02 17:37:15 A------- 64,512 C:\Qoobox\Quarantine\C\WINDOWS\system32\gizolama.dll.vir
2008-09-02 17:37:15 A------- 64,512 C:\Qoobox\Quarantine\C\WINDOWS\system32\ruvoziyi.dll.vir
2008-09-02 17:37:15 A------- 64,512 C:\Qoobox\Quarantine\C\WINDOWS\system32\vokeloso.dll.vir
2008-09-09 13:39:29 A------- 73 C:\Qoobox\Quarantine\C\WINDOWS\system32\ssprs.dll.vir
2008-09-09 13:39:29 A------- 205 C:\Qoobox\Quarantine\C\WINDOWS\system32\lsprst7.dll.vir
2008-11-24 16:27:14 A------- 369,152 C:\Qoobox\Quarantine\C\WINDOWS\system32\edirhpvlbn.dll.vir
2008-12-02 17:16:15 A------- 35,307 C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir
2008-12-02 17:16:17 A------- 56,320 C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Application Data\gadcom\gadcom.exe.vir
2008-12-02 17:16:28 A------- 34,816 C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUnOHwT.dll.vir
2008-12-02 17:16:37 A------- 65,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\xxywWoND.dll.vir
2008-12-02 17:16:39 A------- 4,095 C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Local Settings\Temporary Internet Files\fbk.sts.vir
2008-12-02 17:16:40 A------- 298 C:\Qoobox\Quarantine\C\WINDOWS\Tasks\jdntzijh.job.vir
2008-12-02 17:17:00 A------- 8,192 C:\Qoobox\Quarantine\C\opdwrpjm.exe.vir
2008-12-02 17:17:00 A------- 10,000 C:\Qoobox\Quarantine\C\WINDOWS\system32\gs73gfidgf.dll.vir
2008-12-02 17:17:04 A------- 2 C:\Qoobox\Quarantine\C\1960106143.vir
2008-12-02 17:17:08 A------- 705 C:\Qoobox\Quarantine\C\mguvbfr.exe.vir
2008-12-02 17:17:28 A------- 104,448 C:\Qoobox\Quarantine\C\qthqdso.exe.vir
2008-12-02 17:17:57 A------- 104,448 C:\Qoobox\Quarantine\C\WINDOWS\system32\winhlp.exe.vir
2008-12-02 17:18:02 A------- 60,416 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqlt.sys.vir
2008-12-02 17:18:13 A------- 35,840 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqt.dll.vir
2008-12-02 17:18:19 A------- 22,528 C:\Qoobox\Quarantine\C\WINDOWS\system32\rs32net.exe.vir
2008-12-02 17:18:31 A------- 527 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSmtve.dat.vir
2008-12-02 17:18:37 A------- 29,696 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSarxx.dll.vir
2008-12-02 17:18:42 A------- 31,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSvkql.dll.vir
2008-12-02 17:18:44 A------- 174 C:\Qoobox\Quarantine\C\WINDOWS\system32\msnav32.ax.vir
2008-12-02 17:18:45 A------- 1,405 C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\readme.txt.vir
2008-12-02 17:18:45 A------- 8,292 C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\license.txt.vir
2008-12-02 17:18:45 A------- 73,728 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfmm.dll.vir
2008-12-02 17:18:57 A------- 86,272 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\btcusbb.sys.vir
2008-12-02 17:18:59 A------- 2,271 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSlxcp.dll.vir
2008-12-02 17:18:59 A------- 167,976 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
2008-12-02 17:19:03 A------- 648 C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Start Menu\Programs\Startup\DW_Start.lnk.vir
2008-12-02 17:19:04 A------- 12,672 C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSkkai.log.vir
2008-12-02 17:19:07 A------- 282,629 C:\Qoobox\Quarantine\C\WINDOWS\system32\dwwnw64r.exe.vir
2008-12-02 17:19:10 A------- 47,598 C:\Qoobox\Quarantine\C\WINDOWS\system32\ouvirtkzoay.exe.vir
2008-12-02 17:19:18 A------- 472 C:\Qoobox\Quarantine\C\WINDOWS\UmljaGFyZCBXaWx0c2hpcmU\oA53u3IVtF1ruqUXwZ1DwAo.vbs.vir
2008-12-02 17:19:18 A------- 1,989 C:\Qoobox\Quarantine\C\WINDOWS\uninstall_nmon.vbs.vir
2008-12-02 17:19:18 A------- 94,208 C:\Qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir
2008-12-02 17:19:18 A------- 187,904 C:\Qoobox\Quarantine\C\WINDOWS\UmljaGFyZCBXaWx0c2hpcmU\asappsrv.dll.vir
2008-12-02 17:19:18 A------- 293,888 C:\Qoobox\Quarantine\C\WINDOWS\UmljaGFyZCBXaWx0c2hpcmU\command.exe.vir
2008-12-02 17:19:26 A------- 210,944 C:\Qoobox\Quarantine\C\Program Files\webHancer\Programs\SET1D9.tmp.vir
2008-12-02 17:19:28 A------- 48 C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\NetMon\domains.txt.vir
2008-12-02 17:19:28 A------- 9,244 C:\Qoobox\Quarantine\C\Documents and Settings\LocalService\Application Data\NetMon\log.txt.vir
2008-12-02 17:35:09 A------- 302,592 C:\Qoobox\Quarantine\C\WINDOWS\system32\fccYoMdD.dll.vir
2008-12-02 17:35:10 A------- 743,931 C:\Qoobox\Quarantine\C\WINDOWS\system32\DdMoYccf.ini2.vir
2008-12-02 17:35:10 A------- 744,033 C:\Qoobox\Quarantine\C\WINDOWS\system32\DdMoYccf.ini.vir
2008-12-02 17:36:07 A------- 41,472 C:\Qoobox\Quarantine\C\WINDOWS\system32\eagdflvs.dll.vir
2008-12-02 17:36:08 A------- 129,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\agucpwos.dll.vir
2008-12-02 17:36:09 A------- 129,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\vfqxut.dll.vir
2008-12-02 17:36:37 A------- 32,768 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ati2rtxx.sys.vir
2008-12-02 17:37:15 A------- 62,464 C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2008-12-02 17:38:13 A------- 1,377,671 C:\Qoobox\Quarantine\C\WINDOWS\system32\oejvvlxr.ini.vir
2008-12-02 18:52:12 A------- 153,484 C:\Qoobox\Quarantine\C\WINDOWS\system32\g30.exe.vir
2008-12-02 18:52:17 A------- 64,859 C:\Qoobox\Quarantine\C\WINDOWS\system32\tdccmlvugevz.exe.vir
2008-12-02 18:52:22 A------- 21 C:\Qoobox\Quarantine\C\WINDOWS\system32\zxdnt3d.cfg.vir
2008-12-02 18:52:31 A------- 684 C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Start Menu\Programs\Startup\Deewoo.lnk.vir
2008-12-02 18:52:33 A------- 859 C:\Qoobox\Quarantine\C\WINDOWS\system32\winpfz33.sys.vir
2008-12-03 17:36:36 A------- 41,472 C:\Qoobox\Quarantine\C\WINDOWS\system32\yckgqhco.dll.vir
2008-12-03 17:36:36 A------- 129,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\najytkxa.dll.vir
2008-12-03 17:36:37 A------- 129,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\vufkso.dll.vir
2008-12-03 17:37:04 A------- 116,224 C:\Qoobox\Quarantine\C\Program Files\Mjcore\Mjcore.dll.vir
2008-12-03 17:39:32 A------- 72,704 C:\Qoobox\Quarantine\C\WINDOWS\system32\lnimkwxr.dll.vir
2008-12-03 17:39:33 A------- 1,410,833 C:\Qoobox\Quarantine\C\WINDOWS\system32\rxwkminl.ini.vir
2008-12-04 14:45:23 A------- 1,229 C:\Qoobox\Quarantine\catchme.log
2008-12-04 15:24:23 A------- 0 C:\Qoobox\Quarantine\C\WINDOWS\Temp\TMP3.tmp.vir
2008-12-04 15:34:07 A------- 1,123 C:\Qoobox\Quarantine\Registry_backups\Service_TDSSSERV.SYS.reg.dat
2008-12-04 15:44:49 A------- 24,027 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ati2rtxx_.sys.zip
2008-12-04 15:44:54 A------- 167,461 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_core.cache_.dsk.zip
2008-12-04 15:47:43 A------- 10,816 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-12-04 15:49:54 A------- 1,122 C:\Qoobox\Quarantine\Registry_backups\Legacy_NETWORK_MONITOR.reg.dat
2008-12-04 15:49:54 A------- 1,276 C:\Qoobox\Quarantine\Registry_backups\Legacy_ATI2RTXX.reg.dat
2008-12-04 15:50:02 A------- 2,078 C:\Qoobox\Quarantine\Registry_backups\Service_ati2rtxx.reg.dat
2008-12-04 15:50:07 A------- 2,210 C:\Qoobox\Quarantine\Registry_backups\Service_restore.reg.dat
2008-12-04 15:50:07 A------- 2,822 C:\Qoobox\Quarantine\Registry_backups\Service_Network Monitor.reg.dat
2008-12-04 16:12:36 A------- 302,592 C:\Qoobox\Quarantine\C\WINDOWS\system32\vtUkhgeB.dll.vir
2008-12-04 16:12:45 A------- 757,826 C:\Qoobox\Quarantine\C\WINDOWS\system32\BeghkUtv.ini.vir
2008-12-04 16:12:46 A------- 757,766 C:\Qoobox\Quarantine\C\WINDOWS\system32\BeghkUtv.ini2.vir
2008-12-04 16:13:47 A------- 41,472 C:\Qoobox\Quarantine\C\WINDOWS\system32\nanloaon.dll.vir
2008-12-04 16:15:46 A------- 72,704 C:\Qoobox\Quarantine\C\WINDOWS\system32\ghuejoqa.dll.vir
2008-12-04 16:15:50 A------- 1,454,990 C:\Qoobox\Quarantine\C\WINDOWS\system32\aqojeuhg.ini.vir
2008-12-04 16:18:46 A------- 129,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\euspldow.dll.vir
2008-12-04 16:18:47 A------- 129,024 C:\Qoobox\Quarantine\C\WINDOWS\system32\mtalbh.dll.vir
2008-12-04 16:21:27 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-12-04 16:21:27 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-12-04 16:21:27 A------- 0 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-12-04 16:21:28 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{5D1AC792-53F5-44A5-8802-D3ACFC1B3C11}.reg.dat
2008-12-04 16:21:28 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{66c005b5-38a5-4a0b-af4b-19815d45a08f}.reg.dat
2008-12-04 16:21:29 A------- 435 C:\Qoobox\Quarantine\Registry_backups\BHO-{f0c9605b-2ddc-0bd1-0e74-b2416fe60202}.reg.dat
2008-12-04 16:21:30 A------- 127 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-rs32net.reg.dat
2008-12-04 16:21:30 A------- 131 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-prunnet.reg.dat
2008-12-04 16:21:30 A------- 132 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-prunnet.reg.dat
2008-12-04 16:21:31 A------- 169 C:\Qoobox\Quarantine\Registry_backups\HKU-Default-Run-Nokia.PCSync.reg.dat
2008-12-04 17:35:29 A------- 1,112,712 C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip
2008-12-04 17:45:30 A------- 1,016 C:\Qoobox\Quarantine\Registry_backups\Service_btcusbb.reg.dat
2008-12-04 17:45:30 A------- 1,196 C:\Qoobox\Quarantine\Registry_backups\Legacy_KBEEPM.reg.dat
2008-12-04 17:45:30 A------- 1,262 C:\Qoobox\Quarantine\Registry_backups\Legacy_BTCUSBB.reg.dat
2008-12-04 17:45:31 A------- 2,640 C:\Qoobox\Quarantine\Registry_backups\Service_kbeepm.reg.dat
2008-12-04 18:11:21 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{16F3AE0F-AB16-4B4C-BEC3-9C3B3642F29D}.reg.dat
SKaiser is offline  
Old 12-04-2008, 02:46 PM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home


Re: Stronger adware then I thought...

That's fine, thanks....
  • Please visit this site:
    http://www.bleepingcomputer.com/subm....php?channel=4
  • In the Link to topic where this file was requested: area, copy and paste this
    http://www.techsupportforum.com/security-center/hijackthis-log-help/319513-stronger-adware-then-i-thought.html#post1838531
  • In the Browse to the file you want to submit: area, copy and paste this
    C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip
  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and continue with the steps below.

This next bit will take some time...

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 11. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u11-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How are things now?
tetonbob is offline  
Old 12-05-2008, 02:42 PM   #13 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: XP


Re: Stronger adware then I thought...

Well, that has to have been one of the slowest scans I've ever seen, but it was worth it. The system still seems noticeably slower than before the malicious infection, especially on logins, which might also be partly why the scan took so long. Could this be fixed with a defrag and checking the drive for any additional errors, perhaps?

Thank you again for your help so far, tetonbob.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 10:22:37
Records in database: 1438409
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 366792
Threat name: 21
Infected objects: 24
Suspicious objects: 0
Duration of the scan: 08:26:28


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Documents\programs\fgf11.exe Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\Documents and Settings\All Users\Documents\programs\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Documents and Settings\Richard\My Documents\My Received Files\mirc612.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612 1
C:\Qoobox\Quarantine\C\Documents and Settings\Richard\Application Data\gadcom\gadcom.exe.vir Infected: Trojan.Win32.Agent.aqyt 1
C:\Qoobox\Quarantine\C\Program Files\Network Monitor\netmon.exe.vir Infected: not-a-virus:Monitor.Win32.NetMon.a 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ati2rtxx.sys.vir Infected: Rootkit.Win32.Protector.bd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqlt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_ati2rtxx_.sys.zip Infected: Rootkit.Win32.Protector.bd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gs73gfidgf.dll.vir Infected: Trojan.Win32.Agent.artu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.VB.hfs 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rs32net.exe.vir Infected: Trojan.Win32.Inject.kwi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSarxx.dll.vir Infected: Backdoor.Win32.TDSS.asz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSScfmm.dll.vir Infected: Trojan.Win32.Agent.arvz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSoiqt.dll.vir Infected: Backdoor.Win32.TDSS.blh 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\TDSSvkql.dll.vir Infected: Backdoor.Win32.TDSS.atb 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\xxywWoND.dll.vir Infected: Trojan.Win32.Agent.asus 1
C:\Qoobox\Quarantine\C\WINDOWS\UmljaGFyZCBXaWx0c2hpcmU\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Qoobox\Quarantine\C\WINDOWS\UmljaGFyZCBXaWx0c2hpcmU\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip Infected: Trojan.Win32.Small.yql 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip Infected: Trojan-Dropper.Win32.Agent.aaqu 2
C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip Infected: Trojan.Win32.Agent.asjk 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip Infected: Trojan-Clicker.Win32.Agent.buk 1
E:\Motive\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

The selected area was scanned.
SKaiser is offline  
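The report above gets sorted in the next reply into three kinds of hit: files already sitting in the ComboFix quarantine (to be dealt with by the uninstall), "not-a-virus" tools and adware that need a judgement call, and anything still live on the system. The script below is an added example, not part of the thread or any scanner's own code, that performs that sort over constructed lines in the same report format; the bucket names and the C:\Qoobox\Quarantine prefix rule are assumptions of the example.

```python
r"""Sort a Kaspersky Online Scanner 7 report into buckets, the way the helper in this
thread reads it: hits under C:\Qoobox\Quarantine are files ComboFix already removed,
"not-a-virus:" hits are adware or admin tools that need a judgement call, and anything
else is a live detection that still needs action."""

import re
from dataclasses import dataclass

# Constructed sample in the scanner's "File name / Threat name / Threats count"
# format; the lines are taken from the report quoted above, not from a new scan.
SAMPLE_REPORT = r"""File name / Threat name / Threats count
C:\Documents and Settings\All Users\Documents\programs\fgf11.exe Infected: not-a-virus:AdWare.Win32.Cydoor 1
C:\Documents and Settings\All Users\Documents\programs\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqlt.sys.vir Infected: Backdoor.Win32.TDSS.bkw 1
C:\Qoobox\Quarantine\[4]-Submit_2008-12-04@17.33.zip Infected: Trojan-Dropper.Win32.Agent.aaqu 2
E:\Motive\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

The selected area was scanned.
"""

# ComboFix moves everything it removes under this folder (with a .vir suffix).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Paths may contain spaces, so match the path non-greedily up to " Infected: ".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

BUCKETS = ("live", "adware", "tool", "quarantined")


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str
    count: int


def parse_report(text: str) -> list[Finding]:
    """Extract one Finding per detection line; header, blanks and footer are skipped."""
    findings = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            findings.append(Finding(match["path"], match["threat"], int(match["count"])))
    return findings


def classify(finding: Finding) -> str:
    """Assign a finding to one of BUCKETS (assumed names, not the scanner's own)."""
    if finding.path.lower().startswith(QUARANTINE_PREFIX):
        return "quarantined"          # already contained; removed by 'combofix /u'
    if finding.threat.startswith("not-a-virus:"):
        # "not-a-virus:AdWare.Win32.Cydoor" -> category "AdWare"
        category = finding.threat.split(":", 1)[1].split(".", 1)[0]
        return "adware" if category.lower() == "adware" else "tool"
    return "live"                     # active detection outside quarantine


def triage(text: str) -> dict[str, list[Finding]]:
    """Group every finding in the report by bucket, preserving report order."""
    buckets: dict[str, list[Finding]] = {name: [] for name in BUCKETS}
    for finding in parse_report(text):
        buckets[classify(finding)].append(finding)
    return buckets


def summarize(text: str) -> dict[str, int]:
    """Number of findings per bucket."""
    return {name: len(items) for name, items in triage(text).items()}


def total_threats(text: str) -> int:
    """Sum of the 'Threats count' column (an archive can carry several)."""
    return sum(finding.count for finding in parse_report(text))


if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"{name}: {len(items)}")
        for finding in items:
            print(f"  {finding.threat} x{finding.count}  {finding.path}")
```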
Old 12-05-2008, 03:52 PM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home


Re: Stronger adware then I thought...

Most of those finds are in ComboFix quarantine, and will be addressed when we're done.

Flashget is ad supported,

http://vil.nai.com/vil/content/v_131043.htm
http://www.emsisoft.com/en/malware/?...ashGet+Toolbar

Its installer file is flagged as adware Cydoor, I would delete it:

"C:\Documents and Settings\All Users\Documents\programs\fgf11.exe"

I will ignore the mIRC files, and this:

E:\Motive\pskill.exe

pskill is an admin level command line tool, which gets targeted due to potential

http://technet.microsoft.com/en-us/s.../bb896683.aspx

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add or Remove Programs) if they exist:

Deewoo Network Manager removal
Enhancement Browser Tools Agadoo


You may receive a notice that these are already uninstalled or otherwise corrupted, asking whether you would like to remove them from the list. Click on OK, or Yes.

---------------------------------------------------------------------------------------------

If your AntiVirus was active, or you have a large hdd or network storage, that would explain the length of the scan.

Some machines never fully recover from an infestation, but yes, I would try a defrag as well as a thorough cleaning of temp files/cookies, etc with this tool:

Please download ATF Cleaner by Atribune.
  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

---------------------------------------------------------------------------------------------

See if this topic helps you with a slow machine:

http://www.techsupportforum.com/secu...ning-slow.html


Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to Start -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.


Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well-written articles.
If you want to fight back against the malware writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
tetonbob is offline  
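The MVPS HOSTS mechanism described above only works because every blocked hostname resolves to the local machine (127.0.0.1, or 0.0.0.0 in some builds of the file); a HOSTS file that instead points names at a routable address has been changed by something else and is worth a look. This added example, not from the thread or the MVPS project, parses a constructed HOSTS file and separates sinkholed names from redirected or malformed entries.

```python
"""Audit a Windows HOSTS file.  Entries that map a hostname to a loopback or
unspecified address are blocks of the kind the MVPS HOSTS file installs; entries
that map a hostname to a routable address redirect traffic and should be reviewed."""

import ipaddress

# Constructed sample (not the real MVPS file): a few MVPS-style block entries,
# one redirect to a routable address and one malformed line.
SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
127.0.0.1       localhost
::1             localhost
127.0.0.1       ads.example-network.test tracker.example-network.test  # MVPS-style block
0.0.0.0         banners.example-adserver.test
198.51.100.23   update.example-antivirus.test   # routable address: redirect, not a block
not-an-ip       broken.example.test
"""


def parse_hosts(text):
    """Yield (lineno, address_text, hostnames) for every non-comment, non-blank line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        yield lineno, fields[0], fields[1:]


def audit_hosts(text):
    """Return a dict with three lists:
       sinkholed  - (lineno, hostname, address) pairs pointing at loopback/0.0.0.0
       redirected - (lineno, hostname, address) pairs pointing at a routable address
       invalid    - (lineno, address_text) for lines that are not usable entries"""
    result = {"sinkholed": [], "redirected": [], "invalid": []}
    for lineno, address_text, names in parse_hosts(text):
        try:
            address = ipaddress.ip_address(address_text)
        except ValueError:
            result["invalid"].append((lineno, address_text))
            continue
        if not names:                               # an address with nothing mapped to it
            result["invalid"].append((lineno, address_text))
            continue
        # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 is "unspecified" and also never routes.
        bucket = "sinkholed" if (address.is_loopback or address.is_unspecified) else "redirected"
        for name in names:
            result[bucket].append((lineno, name, address_text))
    return result


def blocked_names(text):
    """Hostnames (other than localhost) that the file prevents from being reached."""
    return sorted({name for _, name, _ in audit_hosts(text)["sinkholed"] if name != "localhost"})


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print(f"{len(blocked_names(SAMPLE_HOSTS))} hostnames sinkholed")
    for lineno, name, address in report["redirected"]:
        print(f"line {lineno}: {name} -> {address}  (review: routable address)")
    for lineno, address_text in report["invalid"]:
        print(f"line {lineno}: unusable entry starting with {address_text!r}")
```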
Old 12-05-2008, 04:14 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2008
Posts: 8
OS: XP


Re: Stronger adware then I thought...

The wait for that scan means I will have to try these last tune-ups for the computer tomorrow, but the instructions all seem self-explanatory to me. Thank you again for taking the time to lend me your expertise.
SKaiser is offline  
Old 12-06-2008, 07:04 AM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 32,569
OS: 2000 Pro; XP Pro; XP Home


Re: Stronger adware then I thought...

Glad to have helped.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
tetonbob is offline  
 


Copyright 2001 - 2009, Tech Support Forum