Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Old 01-16-2009, 07:23 PM   #1 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Non-browser popups and BSOD

Recently I've been having some problems with my computer; these problems consist of BSODs and non-browser popups. I have already scanned my computer a couple of times, but it seems to have not resolved the problem. I hope that you can help resolve my problem, and many thanks in advance. Here is the DDS:


DDS (Ver_09-01-07.01) - NTFSx86
Run by User at 18:11:28.07 on Fri 01/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2007 [GMT -8:00]

AV: AVG 7.5.552 *On-access scanning enabled* (Updated)
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\prunnet.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Mal Updater\MalUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Documents and Settings\User\My Documents\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WindowBlinds] c:\program files\stardock\object desktop\windowblinds\WBInstall32.exe
uRun: [MalUpdater] c:\program files\mal updater\MalUpdater.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] "c:\windows\system32\JMRaidSetup.exe" boot
mRun: [RTHDCPL] //~rthdcpl.exe
mRun: [SkyTel] //~skytel.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] "c:\windows\system32\ime\pintlgnt\ImScInst.exe" /SYNC
mRun: [PHIME2002ASync] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /SYNC
mRun: [PHIME2002A] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /IMEName
mRun: [AVG7_CC] c:\progra~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [googletalk] //~c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [D-Link RangeBooster G WDA-2320] c:\program files\d-link\rangebooster g wda-2320\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ybaqili] rundll32.exe "c:\windows\Exafetil.dll",e
mRun: [Wbizuloruzifu] rundll32.exe "c:\windows\oxekonib.dll",e
dRun: [AVG7_Run] c:\progra~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\wljzx2r9.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|https://mail.google.com/mail/?nsr=1&zx=1umtbqgps9eb5&shva=1#inbox|http://www.last.fm/home|http://myanimelist.net/panel.php|http://www.tokyotosho.com/|http://mullemeck.serveftp.org/jps_beta/?page=browse
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\wljzx2r9.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: XUL Cache: {637FBD41-0D27-4F35-8454-60E252D34364} - c:\documents and settings\user\local settings\application data\{637fbd41-0d27-4f35-8454-60e252d34364}\

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-15 111184]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2007-6-4 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2007-6-4 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2007-6-4 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2007-6-4 10760]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-7-2 11840]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-28 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-4-13 394952]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-8-25 472096]
R3 AntiVirService;Avira AntiVir Personal – Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-7-2 151297]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-15 352920]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-7-2 52032]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 AntiVirScheduler;Avira AntiVir Personal – Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-7-2 68865]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-15 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-15 155160]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\progra~1\grisoft\avg7\avgamsvr.exe [2007-6-4 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\progra~1\grisoft\avg7\avgupsvc.exe [2007-6-4 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\progra~1\grisoft\avg7\avgemc.exe [2007-6-4 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2007-6-4 4960]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-25 13352]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys --> c:\windows\system32\drivers\z520bus.sys [?]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys --> c:\windows\system32\drivers\z520mdfl.sys [?]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys --> c:\windows\system32\drivers\z520mdm.sys [?]

=============== Created Last 30 ================

2009-01-16 17:47 <DIR> --d----- c:\program files\Trend Micro
2009-01-16 15:47 136,192 a------- c:\windows\oxekonib.dll
2009-01-16 15:35 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-16 15:35 41,984 a------- c:\windows\Exafetil.dll
2009-01-15 16:36 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-14 17:56 60,054 a------- c:\windows\system32\prunnet.exe
2009-01-10 21:31 22,528 a------- c:\windows\system32\~.exe
2009-01-03 19:42 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-01-03 19:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-03 19:25 12,247,247 -------- C:\avg7qt.dat
2008-12-23 21:42 <DIR> --d----- c:\program files\RocketDock
2008-12-22 15:00 <DIR> --d----- c:\docume~1\user\applic~1\Mal Updater
2008-12-21 23:21 7 a------- c:\windows\system32\ANIWZCSUSERNAME
2008-12-21 23:14 5 a------- c:\windows\system32\ANIWZCSUSERNAME{BD8ED844-A6C7-4810-87A4-19F3D23FB969}
2008-12-21 23:13 <DIR> --d----- c:\program files\ANI
2008-12-21 23:13 <DIR> --d----- c:\program files\D-Link
2008-12-21 23:06 5 a------- c:\windows\system32\ANIWZCSUSERNAME{C54E809C-9289-4525-A494-DDD535C8B841}
2008-12-19 17:52 <DIR> --d----- c:\program files\iPod
2008-12-19 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-01-14 17:56 42,309,664 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-14 00:39 498,488 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-12-31 20:01 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2008-12-31 20:00 111,928 a------- c:\windows\system32\PnkBstrB.exe
2008-11-12 16:38 22,328 a------- c:\docume~1\user\applic~1\PnkBstrK.sys
2008-11-12 16:37 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-12 16:37 682,280 a------- c:\windows\system32\pbsvc.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2007-11-06 19:52 13,518 a------- c:\program files\install.log

============= FINISH: 18:11:42.17 ===============
Attached Files
File Type: zip Attach.zip (5.3 KB, 1 views)
HappyPear is offline  

Old 01-16-2009, 08:15 PM   #2 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Hello -

Before we can try to clean the malware, we need to take care of something, which may well be part of the cause of your BSOD.

As stated in our pre-posting sticky topic...

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:
If you have more than one antivirus software installed, leave only ONE and uninstall the others
While this may seem like greater protection, it can cause problems including slowdowns, system hangs or even crashes. This can happen if both AntiVirus applications attempt to access the same file at the same time. This may cause the applications to interfere with each other, or cause the system to lock up. It can also be a drain on system resources, making a machine run slower than it should.

I see you have more than one Anti-Virus program installed, AVG, Avast and Avira. Choose one to keep and uninstall the others.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall
-----------------------------------------------------------------------

Once you've done that, run DDS once again, and post/attach its logs.
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
tetonbob is offline  
Old 01-16-2009, 09:00 PM   #3 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Sorry about that. I guess I overlooked that detail. Here's the new DDS and logs:


DDS (Ver_09-01-07.01) - NTFSx86
Run by User at 19:55:36.51 on Fri 01/16/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2427 [GMT -8:00]

AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\WINDOWS\system32\prunnet.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mal Updater\MalUpdater.exe
C:\Documents and Settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\My Documents\Misc\dds.com

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: : {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WindowBlinds] c:\program files\stardock\object desktop\windowblinds\WBInstall32.exe
uRun: [MalUpdater] c:\program files\mal updater\MalUpdater.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [JMB36X IDE Setup] c:\windows\jm\JMInsIDE.exe
mRun: [36X Raid Configurer] "c:\windows\system32\JMRaidSetup.exe" boot
mRun: [RTHDCPL] //~rthdcpl.exe
mRun: [SkyTel] //~skytel.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] "c:\windows\system32\ime\pintlgnt\ImScInst.exe" /SYNC
mRun: [PHIME2002ASync] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /SYNC
mRun: [PHIME2002A] "c:\windows\system32\ime\tintlgnt\TINTSETP.EXE" /IMEName
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [googletalk] //~c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [D-Link RangeBooster G WDA-2320] c:\program files\d-link\rangebooster g wda-2320\AirPlusCFG.exe
mRun: [ANIWZCS2Service] c:\program files\ani\aniwzcs2 service\WZCSLDR2.exe
mRun: [prunnet] "c:\windows\system32\prunnet.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [Ybaqili] rundll32.exe "c:\windows\Exafetil.dll",e
mRun: [Wbizuloruzifu] rundll32.exe "c:\windows\oxekonib.dll",e
mRun: [Framework Windows] frmwrk32.exe
StartupFolder: c:\docume~1\user\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
uPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
uPolicies-system: DisableTaskMgr = 1 (0x1)
mPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\wljzx2r9.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|https://mail.google.com/mail/?nsr=1&zx=1umtbqgps9eb5&shva=1#inbox|http://www.last.fm/home|http://myanimelist.net/panel.php|http://www.tokyotosho.com/|http://mullemeck.serveftp.org/jps_beta/?page=browse
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\wljzx2r9.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\user\local settings\application data\google\update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: XUL Cache: {637FBD41-0D27-4F35-8454-60E252D34364} - c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-1-15 111184]
R1 KLIF;KLIF;c:\windows\system32\drivers\klif.sys [2008-7-28 127768]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-4-13 394952]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-8-25 472096]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-1-15 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-1-15 352920]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
R4 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-1-15 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-1-15 155160]
R4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-5-25 13352]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\drivers\z520bus.sys --> c:\windows\system32\drivers\z520bus.sys [?]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\drivers\z520mdfl.sys --> c:\windows\system32\drivers\z520mdfl.sys [?]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\drivers\z520mdm.sys --> c:\windows\system32\drivers\z520mdm.sys [?]

=============== Created Last 30 ================

2009-01-16 19:50 4,785 a------- c:\windows\system32\warning.gif
2009-01-16 19:50 1,347 a------- c:\windows\system32\ahtn.htm
2009-01-16 19:40 1 a------- c:\windows\system32\uniq.tll
2009-01-16 19:40 1 a------- c:\windows\system32\test.ttt
2009-01-16 19:35 31,232 a------- c:\windows\system32\frmwrk32.exe
2009-01-16 19:35 31,232 a------- c:\windows\system32\998.exe
2009-01-16 18:13 250 a------- c:\windows\gmer.ini
2009-01-16 17:47 <DIR> --d----- c:\program files\Trend Micro
2009-01-16 15:47 136,192 a------- c:\windows\oxekonib.dll
2009-01-16 15:35 41,984 a------- c:\windows\system32\chert5-998.exe
2009-01-16 15:35 41,984 a------- c:\windows\Exafetil.dll
2009-01-15 16:36 1,060,864 a------- c:\windows\system32\MFC71.dll
2009-01-14 17:56 60,054 a------- c:\windows\system32\prunnet.exe
2009-01-10 21:31 22,528 a------- c:\windows\system32\~.exe
2009-01-03 19:42 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes
2009-01-03 19:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-23 21:42 <DIR> --d----- c:\program files\RocketDock
2008-12-22 15:00 <DIR> --d----- c:\docume~1\user\applic~1\Mal Updater
2008-12-21 23:21 7 a------- c:\windows\system32\ANIWZCSUSERNAME
2008-12-21 23:14 5 a------- c:\windows\system32\ANIWZCSUSERNAME{BD8ED844-A6C7-4810-87A4-19F3D23FB969}
2008-12-21 23:13 <DIR> --d----- c:\program files\ANI
2008-12-21 23:13 <DIR> --d----- c:\program files\D-Link
2008-12-21 23:06 5 a------- c:\windows\system32\ANIWZCSUSERNAME{C54E809C-9289-4525-A494-DDD535C8B841}
2008-12-19 17:52 <DIR> --d----- c:\program files\iPod
2008-12-19 17:52 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

==================== Find3M ====================

2009-01-16 18:33 138,464 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-01-16 18:33 111,928 a------- c:\windows\system32\PnkBstrB.exe
2009-01-14 17:56 42,309,664 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-01-14 00:39 498,488 a--sh--- c:\windows\system32\drivers\fidbox.idx
2008-11-12 16:38 22,328 a------- c:\docume~1\user\applic~1\PnkBstrK.sys
2008-11-12 16:37 66,872 a------- c:\windows\system32\PnkBstrA.exe
2008-11-12 16:37 682,280 a------- c:\windows\system32\pbsvc.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 05:01 283,648 a------- c:\windows\system32\gdi32.dll
2007-11-06 19:52 13,518 a------- c:\program files\install.log

============= FINISH: 19:56:07.65 ===============
Attached Files
File Type: zip Attach.zip (5.3 KB, 1 views)
HappyPear is offline  
Old 01-16-2009, 09:22 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Good, now we can begin the cleaning.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
tetonbob is offline  
Old 01-16-2009, 09:59 PM   #5 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Okay, I have scanned my computer with Combofix and have attached the "ComboFix.txt".

ComboFix 09-01-16.02 - User 2009-01-16 20:44:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2526 [GMT -8:00]
Running from: c:\documents and settings\User\My Documents\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\INSTALL.LOG
c:\windows\system32\~.exe
c:\windows\system32\998.exe
c:\windows\system32\ahtn.htm
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\senekajcjsarpv.sys
c:\windows\system32\frmwrk32.exe
c:\windows\system32\prunnet.exe
c:\windows\system32\senekadf.dat
c:\windows\system32\senekajyurotpo.dll
c:\windows\system32\senekalog.dat
c:\windows\system32\senekaqrdbapkb.dat
c:\windows\system32\test.ttt
c:\windows\system32\uniq.tll
c:\windows\system32\warning.gif

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 19:45 . 2009-01-16 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-16 18:13 . 2009-01-16 19:56 250 --a------ c:\windows\gmer.ini
2009-01-16 17:47 . 2009-01-16 17:47 <DIR> d-------- c:\program files\Trend Micro
2009-01-16 15:47 . 2009-01-16 15:47 136,192 --a------ c:\windows\oxekonib.dll
2009-01-16 15:35 . 2009-01-16 15:35 41,984 --a------ c:\windows\system32\chert5-998.exe
2009-01-16 15:35 . 2009-01-16 15:35 41,984 --a------ c:\windows\Exafetil.dll
2009-01-15 16:36 . 2009-01-15 16:36 <DIR> d-------- c:\program files\Alwil Software
2009-01-15 16:36 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-03 19:42 . 2009-01-03 19:42 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-01-03 19:42 . 2009-01-03 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 21:42 . 2008-12-23 21:48 <DIR> d-------- c:\program files\RocketDock
2008-12-22 15:00 . 2008-12-24 15:59 <DIR> d-------- c:\documents and settings\User\Application Data\Mal Updater
2008-12-21 23:21 . 2009-01-16 20:37 7 --a------ c:\windows\system32\ANIWZCSUSERNAME
2008-12-21 23:14 . 2009-01-16 20:50 7 --a------ c:\windows\system32\ANIWZCSUSERNAME{BD8ED844-A6C7-4810-87A4-19F3D23FB969}
2008-12-21 23:13 . 2008-12-21 23:13 <DIR> d-------- c:\program files\D-Link
2008-12-21 23:13 . 2008-12-21 23:13 <DIR> d-------- c:\program files\ANI
2008-12-21 23:06 . 2008-12-21 23:06 5 --a------ c:\windows\system32\ANIWZCSUSERNAME{C54E809C-9289-4525-A494-DDD535C8B841}
2008-12-19 17:52 . 2008-12-19 17:52 <DIR> d-------- c:\program files\iPod
2008-12-19 17:52 . 2008-12-19 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 17:48 . 2008-12-19 17:49 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 04:51 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-01-17 04:49 499,544 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-17 04:49 42,309,664 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-17 02:33 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 01:51 --------- d-----w c:\program files\Lavasoft
2009-01-17 01:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-17 01:40 --------- d-----w c:\program files\Trillian
2009-01-17 01:09 --------- d-----w c:\program files\Starcraft
2009-01-11 22:37 --------- d-----w c:\documents and settings\User\Application Data\gtk-2.0
2008-12-25 00:27 --------- d-----w c:\program files\Mal Updater
2008-12-24 20:05 --------- d-----w c:\program files\iTunes
2008-12-22 07:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 01:52 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 22:29 --------- d-----w c:\program files\AeriaGames
2008-12-07 02:24 --------- d-----w c:\program files\Common Files\DirectX
2008-12-04 22:36 --------- d-----w c:\program files\Java
2008-11-27 00:08 --------- d-----w c:\documents and settings\User\Application Data\foobar2000
2008-11-26 23:41 --------- d-----w c:\program files\foobar2000
2008-11-20 03:43 --------- d-----w c:\program files\Yahoo!
2008-11-20 03:41 --------- d-----w c:\program files\Creative
2008-11-20 03:38 --------- d-----w c:\program files\NCSoft
2008-11-20 03:05 --------- d-----w c:\documents and settings\User\Application Data\GetRightToGo
2008-11-17 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-17 00:27 --------- d-----w c:\program files\Last.fm
2008-11-13 00:38 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-07 270128]
"MalUpdater"="c:\program files\Mal Updater\MalUpdater.exe" [2008-09-18 1459200]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"D-Link RangeBooster G WDA-2320"="c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2006-09-01 1880064]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"Ybaqili"="c:\windows\Exafetil.dll" [2009-01-16 41984]
"Wbizuloruzifu"="c:\windows\oxekonib.dll" [2009-01-16 136192]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
"P17Helper"="P17.dll" [2006-03-17 c:\windows\system32\P17.dll]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 c:\windows\system32\bthprops.cpl]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-29 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2005-10-31 09:51 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-09-04 14:36 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 01:22 1519616 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10208:TCP"= 10208:TCP:BitComet 10208 TCP
"10208:UDP"= 10208:UDP:BitComet 10208 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-15 111184]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 472096]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-03-20 1452032]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-15 20560]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-05-25 13352]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\DRIVERS\z520bus.sys --> c:\windows\system32\DRIVERS\z520bus.sys [?]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z520mdfl.sys --> c:\windows\system32\DRIVERS\z520mdfl.sys [?]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\DRIVERS\z520mdm.sys --> c:\windows\system32\DRIVERS\z520mdm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b479e2c-41f2-11dc-8b7e-0008f41612f6}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{932d3403-e9a1-11db-9eeb-806d6172696f}]
\Shell\AutoRun\command - D:\Run.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1491950412-2009852829-4049741679-1004.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:10]

2009-01-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-WindowBlinds - c:\program files\Stardock\Object Desktop\WindowBlinds\WBInstall32.exe
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-googletalk - files\google\google talk\googletalk.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-RTHDCPL - //~rthdcpl.exe
HKLM-Run-SkyTel - //~skytel.exe
MSConfigStartUp-BitComet - c:\program files\BitComet\BitComet.exe
MSConfigStartUp-CTXFIREG - CTxfiReg.exe


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\wljzx2r9.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|https://mail.google.com/mail/?nsr=1&zx=1umtbqgps9eb5&shva=1#inbox|http://www.last.fm/home|http://myanimelist.net/panel.php|http://www.tokyotosho.com/|http://mullemeck.serveftp.org/jps_beta/?page=browse
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\wljzx2r9.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 20:51:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1491950412-2009852829-4049741679-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CDC40D1A-6D16-2389-7342-04F07C8B13FB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaodlnlhhhgpkddpll"=hex:69,61,70,63,6c,6c,6b,64,61,6a,62,65,61,6c,6b,61,6e,6c,
00,00
"haeefcmkkphialfn"=hex:69,61,70,63,6c,6c,6b,64,61,6a,62,65,61,6c,6b,61,6e,6c,
00,00

[HKEY_USERS\S-1-5-21-1491950412-2009852829-4049741679-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-16 20:56:32 - machine was rebooted [User]
ComboFix-quarantined-files.txt 2009-01-17 04:56:29

Pre-Run: 112,102,481,920 bytes free
Post-Run: 113,004,744,704 bytes free

263 --- E O F --- 2009-01-01 19:15:16
HappyPear is offline  
Old 01-16-2009, 10:03 PM   #6 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Please go to: VirusTotal
  • On the page you'll find a "Browse" button.
  • Next to the browse button you'll see a box to enter text.
  • Please copy/paste the following:

    c:\windows\oxekonib.dll


  • Then click the "Send File" button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • c:\windows\system32\chert5-998.exe
    • c:\windows\Exafetil.dll
tetonbob is offline  
Old 01-16-2009, 10:37 PM   #7 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

For "c:\windows\oxekonib.dll":
File oxekonib.dll received on 01.17.2009 06:27:50 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 2/38 (5.27%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.17 -
AhnLab-V3 2009.1.15.0 2009.01.16 -
AntiVir 7.9.0.55 2009.01.16 -
Authentium 5.1.0.4 2009.01.16 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.16 -
BitDefender 7.2 2009.01.17 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 -
Comodo 933 2009.01.16 -
DrWeb 4.44.0.09170 2009.01.17 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.16 W32/Hiloti.A.gen!Eldorado
F-Secure 8.0.14470.0 2009.01.17 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.17 -
Ikarus T3.1.1.45.0 2009.01.17 -
K7AntiVirus 7.10.593 2009.01.16 -
Kaspersky 7.0.0.125 2009.01.17 -
McAfee 5497 2009.01.16 -
McAfee+Artemis 5497 2009.01.16 -
Microsoft 1.4205 2009.01.17 -
NOD32 3772 2009.01.16 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.16 -
PCTools 4.4.2.0 2009.01.16 -
Prevx1 V2 2009.01.17 -
Rising 21.12.50.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.16 -
Sophos 4.37.0 2009.01.17 Mal/Behav-172
Sunbelt 3.2.1835.2 2009.01.16 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.16 -
ViRobot 2009.1.16.1562 2009.01.16 -
VirusBuster 4.5.11.0 2009.01.16 -
Additional information
File size: 136192 bytes
MD5...: c72307ec7444b68e95d5bd96629bb4f4
SHA1..: efad79f269f34af9351766f6a2010c5e2e0f6138
SHA256: 0b340152411310d676a006147e4e95c2326f518feed2b6ce3db9074e67810257
SHA512: d1c20a965560f6311b6483ec2784388126d3361d61585be899b412f5f949dce9
ec18d5d2d5fc9cf26713fcafbc159aa4f27672813b98b30bad5d6fa4334717ca
ssdeep: 3072:jlbb7Gko8PmycuwCLJQ+GzUexN1rYKCVsIcbFiMrE01GofNB8:jNbPJpLW+
GzUe5MKa01JlB
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10006c18
timedatestamp.....: 0x489b0406 (Thu Aug 07 14:17:42 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x21000 0x10a00 7.89 b3bb292d947142c2b1d246a4e7aac255
.data 0x22000 0x10000 0xf200 6.30 9117892cc4595a4d4963992728d7684a
.rsrc 0x32000 0x1000 0x600 2.54 e425d2561b6b8587332be937bda3f130
.reloc 0x33000 0x1000 0x200 1.71 6c8a1febc975ab9550bf41eff97db457

( 5 imports )
> KERNEL32.dll: EnterCriticalSection, FreeLibrary, GetEnvironmentStringsA, GetFileType, GetSystemDirectoryA, GetSystemTimeAsFileTime, HeapAlloc, HeapCreate, OpenProcess, SetEnvironmentVariableA, lstrcmpA, lstrcpynA, lstrlenA
> msvcrt.dll: __p__fmode, wcslen, malloc
> user32.dll: GetSystemMetrics, PtInRect, SetCapture, GetUserObjectSecurity, PostMessageA, GetWindowThreadProcessId
> OLEAUT32.dll: -, -, -, -, -, -
> SHLWAPI.dll: PathBuildRootA, PathFileExistsA, SHDeleteEmptyKeyA, SHSetValueA, StrStrA, StrToIntA, PathAppendA

( 0 exports )

For "c:\windows\system32\chert5-998.exe":
File chert5-998.exe received on 01.17.2009 06:30:58 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 7/39 (17.95%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.17 Trojan.Win32.Hiloti!IK
AhnLab-V3 2009.1.15.0 2009.01.16 -
AntiVir 7.9.0.55 2009.01.16 -
Authentium 5.1.0.4 2009.01.16 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.16 SHeur2.LPR
BitDefender 7.2 2009.01.17 -
CAT-QuickHeal 10.00 2009.01.17 (Suspicious) - DNAScan
ClamAV 0.94.1 2009.01.17 -
Comodo 933 2009.01.16 -
DrWeb 4.44.0.09170 2009.01.17 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.16 W32/Hiloti.A.gen!Eldorado
F-Secure 8.0.14470.0 2009.01.17 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.17 -
Ikarus T3.1.1.45.0 2009.01.17 Trojan.Win32.Hiloti
K7AntiVirus 7.10.593 2009.01.16 -
Kaspersky 7.0.0.125 2009.01.17 Trojan-Downloader.Win32.Agent.bdlh
McAfee 5497 2009.01.16 -
McAfee+Artemis 5497 2009.01.16 -
Microsoft 1.4205 2009.01.17 -
NOD32 3772 2009.01.16 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.16 -
PCTools 4.4.2.0 2009.01.16 -
Prevx1 V2 2009.01.17 -
Rising 21.12.50.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.16 -
Sophos 4.37.0 2009.01.17 Troj/Polaco-B
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.17 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.16 -
ViRobot 2009.1.16.1562 2009.01.16 -
VirusBuster 4.5.11.0 2009.01.16 -
Additional information
File size: 41984 bytes
MD5...: d9cf5e73dff52b1a4aee09b1f896966b
SHA1..: 03dca48d888962a4682ac58f7ff5ebebf955ce52
SHA256: f819e253bf55b06f362e2394ac49b1d95ec750f4c9197313ac39deb35a3b2443
SHA512: f5e650a856c3c30bc195bc70f4c3dead3e327714c486cd71b50cebe741fc32af
5aefd3e033bb1198952dae9e8f600e5bd57064484d1edf6becc45e4f01657ce0
ssdeep: 768:GkW7/lvROyK1D536fLkMt/4Wt8hiEzEySewzu8yk79:BWtuD53eLkMt7tkoX
8k79
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000663c
timedatestamp.....: 0x489b0402 (Thu Aug 07 14:17:38 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8000 0x7200 7.59 73b2c298fd645a523ce3c699a1ca1be1
.data 0x9000 0x2000 0x1a00 6.20 11100d743db366a283f51db8c7a453e9
.rsrc 0xb000 0x1000 0x600 2.54 ee6db8893c648e9bb1b9365d4d752ec8
.reloc 0xc000 0x1000 0x200 2.52 720e33450ea56cb15ac8c0d0b6619db0

( 5 imports )
> KERNEL32.dll: HeapAlloc, HeapCreate, IsBadReadPtr, RaiseException, ReadProcessMemory, CreateFileMappingA
> msvcrt.dll: _exit, free, malloc, realloc, wcscmp, _wcsicmp
> user32.dll: BeginPaint, GetMessageA, GetUpdateRgn, PeekMessageA, SendMessageTimeoutA, TrackPopupMenu, CheckMenuItem, DestroyWindow, SetCursor
> OLEAUT32.dll: -, -, -, -, -, -
> SHLWAPI.dll: PathCombineA, PathBuildRootA, PathAppendA, PathFileExistsA, SHDeleteValueA, SHQueryInfoKeyA, StrSpnA, StrStrA, StrToIntA, SHDeleteKeyA

( 0 exports )

For "c:\windows\Exafetil.dll":

File Exafetil.dll received on 01.17.2009 06:33:25 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED
Result: 7/39 (17.95%)

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.17 Trojan.Win32.Hiloti!IK
AhnLab-V3 2009.1.15.0 2009.01.16 -
AntiVir 7.9.0.55 2009.01.16 -
Authentium 5.1.0.4 2009.01.16 -
Avast 4.8.1281.0 2009.01.16 -
AVG 8.0.0.229 2009.01.16 SHeur2.LPR
BitDefender 7.2 2009.01.17 -
CAT-QuickHeal 10.00 2009.01.17 -
ClamAV 0.94.1 2009.01.17 -
Comodo 933 2009.01.16 -
DrWeb 4.44.0.09170 2009.01.17 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6312 2009.01.17 -
F-Prot 4.4.4.56 2009.01.16 W32/Hiloti.A.gen!Eldorado
F-Secure 8.0.14470.0 2009.01.17 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.17 -
Ikarus T3.1.1.45.0 2009.01.17 Trojan.Win32.Hiloti
K7AntiVirus 7.10.593 2009.01.16 -
Kaspersky 7.0.0.125 2009.01.17 Trojan-Downloader.Win32.Agent.bdlh
McAfee 5497 2009.01.16 -
McAfee+Artemis 5497 2009.01.16 -
Microsoft 1.4205 2009.01.17 -
NOD32 3772 2009.01.16 -
Norman 5.93.01 2009.01.16 -
nProtect 2009.1.8.0 2009.01.16 -
Panda 9.5.1.2 2009.01.16 -
PCTools 4.4.2.0 2009.01.16 -
Prevx1 V2 2009.01.17 Cloaked Malware
Rising 21.12.50.00 2009.01.17 -
SecureWeb-Gateway 6.7.6 2009.01.16 -
Sophos 4.37.0 2009.01.17 Troj/Polaco-B
Sunbelt 3.2.1835.2 2009.01.16 -
Symantec 10 2009.01.17 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.16 -
VBA32 3.12.8.10 2009.01.16 -
ViRobot 2009.1.16.1562 2009.01.16 -
VirusBuster 4.5.11.0 2009.01.16 -
Additional information
File size: 41984 bytes
MD5...: ef89d54c3f78e803f9816b7c5953244f
SHA1..: 7b8569b0d88c94295a516d0691a88dbe4b7609d8
SHA256: f03865124304c29909104f1fc42b2b1665a606684f23f12e7ec76b9287214229
SHA512: 8d9a723257d60c00ee68e9e1d11b50944264fc74e901554b3fab0f529b3b69d8
c3c3069a2eabe65b5d18a5f257e500776ba654dde0ff1e139dea626431f94cdc
ssdeep: 768:mkW7/lvROyK1D536fLkMt/4Wt8hiEzEySewzu8yk79:hWtuD53eLkMt7tkoX
8k79
PEiD..: -
TrID..: File type identification
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x1000663c
timedatestamp.....: 0x489b0402 (Thu Aug 07 14:17:38 2008)
machinetype.......: 0x14c (I386)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x8000 0x7200 7.59 73b2c298fd645a523ce3c699a1ca1be1
.data 0x9000 0x2000 0x1a00 6.20 11100d743db366a283f51db8c7a453e9
.rsrc 0xb000 0x1000 0x600 2.54 ee6db8893c648e9bb1b9365d4d752ec8
.reloc 0xc000 0x1000 0x200 2.52 720e33450ea56cb15ac8c0d0b6619db0

( 5 imports )
> KERNEL32.dll: HeapAlloc, HeapCreate, IsBadReadPtr, RaiseException, ReadProcessMemory, CreateFileMappingA
> msvcrt.dll: _exit, free, malloc, realloc, wcscmp, _wcsicmp
> user32.dll: BeginPaint, GetMessageA, GetUpdateRgn, PeekMessageA, SendMessageTimeoutA, TrackPopupMenu, CheckMenuItem, DestroyWindow, SetCursor
> OLEAUT32.dll: -, -, -, -, -, -
> SHLWAPI.dll: PathCombineA, PathBuildRootA, PathAppendA, PathFileExistsA, SHDeleteValueA, SHQueryInfoKeyA, StrSpnA, StrStrA, StrToIntA, SHDeleteKeyA

( 0 exports )
Prevx info: http://info.prevx.com/aboutprogramtext.asp?PX5=3C04000600017C6EA40100E9A85318009A8A329F
HappyPear is offline  
Old 01-16-2009, 10:50 PM   #8 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------
  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
  2. Open notepad and copy/paste the text in the quotebox below into it:

    Quote:
    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335596-non-browser-popups-bsod.html#post1916785

    FireFox::
    FF - HiddenExtension: XUL Cache: {637FBD41-0D27-4F35-8454-60E252D34364} - c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000000
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000000
    Collect::
    c:\windows\oxekonib.dll
    c:\windows\system32\chert5-998.exe
    c:\windows\Exafetil.dll

    Save this as CFScript.txt




    Referring to the picture above, drag CFScript.txt into ComboFix.exe


  3. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  4. When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

    Ensure you are connected to the internet and click OK. Follow the prompts.
  5. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
tetonbob is offline  
Old 01-16-2009, 11:50 PM   #9 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Here's the new ComboFix log:

ComboFix 09-01-16.02 - User 2009-01-16 22:37:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3070.2480 [GMT -8:00]
Running from: c:\documents and settings\User\My Documents\ComboFix.exe
Command switches used :: c:\documents and settings\User\My Documents\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090116-1] *On-access scanning disabled* (Updated)
FW: ZoneAlarm Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}
c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome.manifest
c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome\content\_cfg.js
c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome\content\c.js
c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome\content\overlay.xul
c:\documents and settings\user\local settings\application data\{637FBD41-0D27-4F35-8454-60E252D34364}\install.rdf
c:\windows\Exafetil.dll
c:\windows\oxekonib.dll
c:\windows\system32\chert5-998.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-16 19:45 . 2009-01-16 19:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg7
2009-01-16 18:13 . 2009-01-16 19:56 250 --a------ c:\windows\gmer.ini
2009-01-16 17:47 . 2009-01-16 17:47 <DIR> d-------- c:\program files\Trend Micro
2009-01-15 16:36 . 2009-01-15 16:36 <DIR> d-------- c:\program files\Alwil Software
2009-01-15 16:36 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-03 19:42 . 2009-01-03 19:42 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-01-03 19:42 . 2009-01-03 19:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-12-23 21:42 . 2008-12-23 21:48 <DIR> d-------- c:\program files\RocketDock
2008-12-22 15:00 . 2008-12-24 15:59 <DIR> d-------- c:\documents and settings\User\Application Data\Mal Updater
2008-12-21 23:21 . 2009-01-16 22:42 7 --a------ c:\windows\system32\ANIWZCSUSERNAME
2008-12-21 23:14 . 2009-01-16 22:42 5 --a------ c:\windows\system32\ANIWZCSUSERNAME{BD8ED844-A6C7-4810-87A4-19F3D23FB969}
2008-12-21 23:13 . 2008-12-21 23:13 <DIR> d-------- c:\program files\D-Link
2008-12-21 23:13 . 2008-12-21 23:13 <DIR> d-------- c:\program files\ANI
2008-12-21 23:06 . 2008-12-21 23:06 5 --a------ c:\windows\system32\ANIWZCSUSERNAME{C54E809C-9289-4525-A494-DDD535C8B841}
2008-12-19 17:52 . 2008-12-19 17:52 <DIR> d-------- c:\program files\iPod
2008-12-19 17:52 . 2008-12-19 17:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-19 17:48 . 2008-12-19 17:49 <DIR> d-------- c:\program files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 06:43 42,434,592 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-01-17 06:43 --------- d-----w c:\documents and settings\User\Application Data\uTorrent
2009-01-17 06:41 18,471,459 ----a-w c:\windows\Internet Logs\tvDebug.zip
2009-01-17 06:39 501,320 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-01-17 06:36 --------- d-----w c:\program files\Trillian
2009-01-17 06:13 --------- d-----w c:\program files\Starcraft
2009-01-17 02:33 138,464 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-01-17 01:51 --------- d-----w c:\program files\Lavasoft
2009-01-17 01:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-01-11 22:37 --------- d-----w c:\documents and settings\User\Application Data\gtk-2.0
2009-01-05 22:36 3,449,856 ----a-w c:\windows\Internet Logs\xDB1A.tmp
2008-12-25 00:27 --------- d-----w c:\program files\Mal Updater
2008-12-24 20:05 --------- d-----w c:\program files\iTunes
2008-12-22 07:15 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-20 01:52 --------- d-----w c:\program files\Common Files\Apple
2008-12-12 22:29 --------- d-----w c:\program files\AeriaGames
2008-12-07 02:24 --------- d-----w c:\program files\Common Files\DirectX
2008-12-04 22:36 --------- d-----w c:\program files\Java
2008-11-27 00:08 --------- d-----w c:\documents and settings\User\Application Data\foobar2000
2008-11-26 23:41 --------- d-----w c:\program files\foobar2000
2008-11-20 03:43 --------- d-----w c:\program files\Yahoo!
2008-11-20 03:41 --------- d-----w c:\program files\Creative
2008-11-20 03:38 --------- d-----w c:\program files\NCSoft
2008-11-20 03:05 --------- d-----w c:\documents and settings\User\Application Data\GetRightToGo
2008-11-17 00:28 --------- d-----w c:\documents and settings\All Users\Application Data\Last.fm
2008-11-17 00:27 --------- d-----w c:\program files\Last.fm
2008-11-13 00:38 22,328 ----a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
2008-11-07 05:31 3,230,720 ----a-w c:\windows\Internet Logs\xDB19.tmp
.

((((((((((((((((((((((((((((( snapshot@2009-01-16_20.55.20.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-17 06:41:31 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_258.dat
+ 2009-01-17 06:41:14 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4f8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-07 270128]
"MalUpdater"="c:\program files\Mal Updater\MalUpdater.exe" [2008-09-18 1459200]
"Google Update"="c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]
"RocketDock"="c:\program files\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="c:\windows\JM\JMInsIDE.exe" [2006-10-30 36864]
"36X Raid Configurer"="c:\windows\system32\JMRaidSetup.exe" [2006-11-16 1953792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-01 7618560]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2006-02-28 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"D-Link RangeBooster G WDA-2320"="c:\program files\D-Link\RangeBooster G WDA-2320\AirPlusCFG.exe" [2006-09-01 1880064]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-29 49152]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"NvMediaCenter"="NvMCTray.dll" [2006-06-01 c:\windows\system32\nvmctray.dll]
"P17Helper"="P17.dll" [2006-03-17 c:\windows\system32\P17.dll]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 c:\windows\system32\bthprops.cpl]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]

c:\documents and settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-07-29 805392]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-05-02 01:42 72208 c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 10:09 63712 c:\program files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2005-10-31 09:51 57344 c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-09-04 14:36 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-06-01 01:22 1519616 c:\windows\system32\nwiz.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaWmp.exe"=
"c:\\Program Files\\Activision\\Call of Duty - World at War\\CoDWaW.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10208:TCP"= 10208:TCP:BitComet 10208 TCP
"10208:UDP"= 10208:UDP:BitComet 10208 UDP

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-15 111184]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 472096]
R3 p17filt;p17filt;c:\windows\system32\drivers\p17filt.sys [2006-03-20 1452032]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-15 20560]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-05-25 13352]
S3 z520bus;Sony Ericsson 520 driver (WDM);c:\windows\system32\DRIVERS\z520bus.sys --> c:\windows\system32\DRIVERS\z520bus.sys [?]
S3 z520mdfl;Sony Ericsson 520 USB WMC Modem Filter;c:\windows\system32\DRIVERS\z520mdfl.sys --> c:\windows\system32\DRIVERS\z520mdfl.sys [?]
S3 z520mdm;Sony Ericsson 520 USB WMC Modem Drivers;c:\windows\system32\DRIVERS\z520mdm.sys --> c:\windows\system32\DRIVERS\z520mdm.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0b479e2c-41f2-11dc-8b7e-0008f41612f6}]
\Shell\AutoRun\command - H:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{932d3403-e9a1-11db-9eeb-806d6172696f}]
\Shell\AutoRun\command - D:\Run.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1491950412-2009852829-4049741679-1004.job
- c:\documents and settings\User\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 20:10]

2009-01-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Ybaqili - c:\windows\Exafetil.dll
HKLM-Run-Wbizuloruzifu - c:\windows\oxekonib.dll


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\wljzx2r9.default\
FF - prefs.js: browser.startup.homepage - hxxp://news.bbc.co.uk/|https://mail.google.com/mail/?nsr=1&zx=1umtbqgps9eb5&shva=1#inbox|http://www.last.fm/home|http://myanimelist.net/panel.php|http://www.tokyotosho.com/|http://mullemeck.serveftp.org/jps_beta/?page=browse
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\wljzx2r9.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\User\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.1.0.20926.0.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 22:41:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1491950412-2009852829-4049741679-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{CDC40D1A-6D16-2389-7342-04F07C8B13FB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"iaodlnlhhhgpkddpll"=hex:69,61,70,63,6c,6c,6b,64,61,6a,62,65,61,6c,6b,61,6e,6c,
00,00
"haeefcmkkphialfn"=hex:69,61,70,63,6c,6c,6b,64,61,6a,62,65,61,6c,6b,61,6e,6c,
00,00

[HKEY_USERS\S-1-5-21-1491950412-2009852829-4049741679-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ZoneLabs\vsmon.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\ATKKBService.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-16 22:47:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 06:47:27
ComboFix2.txt 2009-01-17 04:56:34

Pre-Run: 112,884,846,592 bytes free
Post-Run: 112,875,073,536 bytes free

248 --- E O F --- 2009-01-01 19:15:16
Old 01-16-2009, 11:58 PM   #10 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Hi HappyPear -

It does not appear as though a file was uploaded to our analysis site. Was the machine connected to the internet before you clicked OK?

Did you see this message?



Please locate C:\CF-Submit.htm, and double click on it to open it. Follow the instructions on the webpage which should open to copy/paste the file path, and upload the requested file. Include a link to this topic, please.

Then, let me know.

Any recent BSOD?
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 01-17-2009, 12:01 AM   #11 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Hmm, no, I did not see that message, yet I am positive that my computer was connected to the internet. Also, I have tried to locate C:\CF-Submit.htm, but it does not exist.
Old 01-17-2009, 12:02 AM   #12 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Ok, let's have a look at this file:

Please go to Start > Run and copy/paste the following, then press Enter:

C:\QooBox\ComboFix-quarantined-files.txt

Post the contents of the logfile which will open.
Old 01-17-2009, 01:15 AM   #13 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Here's what came up:

2007-11-06 15:49:17 A------- 13,518 C:\Qoobox\Quarantine\C\Program Files\install.log.vir
2008-07-01 13:53:27 A------- 307,237 C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir
2009-01-10 21:31:00 A------- 22,528 C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir
2009-01-14 17:56:34 A------- 60,054 C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir
2009-01-14 17:56:46 A------- 47,023 C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekajcjsarpv.sys.vir
2009-01-14 17:56:47 A------- 12,768 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekalog.dat.vir
2009-01-14 17:56:47 A------- 29,613 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekajyurotpo.dll.vir
2009-01-14 18:02:31 A------- 59 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaqrdbapkb.dat.vir
2009-01-14 18:02:32 A------- 3 C:\Qoobox\Quarantine\C\WINDOWS\system32\senekadf.dat.vir
2009-01-16 15:35:38 A------- 41,984 C:\Qoobox\Quarantine\C\WINDOWS\Exafetil.dll.vir
2009-01-16 15:35:38 A------- 41,984 C:\Qoobox\Quarantine\C\WINDOWS\system32\chert5-998.exe.vir
2009-01-16 15:47:46 A------- 136,192 C:\Qoobox\Quarantine\C\WINDOWS\oxekonib.dll.vir
2009-01-16 15:47:49 A------- 120 C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome.manifest.vir
2009-01-16 15:47:49 A------- 770 C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\{637FBD41-0D27-4F35-8454-60E252D34364}\install.rdf.vir
2009-01-16 15:47:49 A------- 2,111 C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome\content\_cfg.js.vir
2009-01-16 15:47:49 A------- 3,321 C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome\content\c.js.vir
2009-01-16 15:47:49 A------- 5,708 C:\Qoobox\Quarantine\C\Documents and Settings\User\Local Settings\Application Data\{637FBD41-0D27-4F35-8454-60E252D34364}\chrome\content\overlay.xul.vir
2009-01-16 19:35:39 A------- 31,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\998.exe.vir
2009-01-16 19:35:41 A------- 31,232 C:\Qoobox\Quarantine\C\WINDOWS\system32\frmwrk32.exe.vir
2009-01-16 19:40:03 A------- 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\test.ttt.vir
2009-01-16 19:40:03 A------- 1 C:\Qoobox\Quarantine\C\WINDOWS\system32\uniq.tll.vir
2009-01-16 19:50:59 A------- 1,347 C:\Qoobox\Quarantine\C\WINDOWS\system32\ahtn.htm.vir
2009-01-16 19:50:59 A------- 4,785 C:\Qoobox\Quarantine\C\WINDOWS\system32\warning.gif.vir
2009-01-16 20:29:28 A------- 224 C:\Qoobox\Quarantine\catchme.log
2009-01-16 20:32:35 A------- 1,518 C:\Qoobox\Quarantine\Registry_backups\Service_SENEKA.reg.dat
2009-01-16 20:47:03 A------- 15,469 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-01-16 20:55:32 A------- 131 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-prunnet.reg.dat
2009-01-16 20:55:32 A------- 164 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-MsnMsgr.reg.dat
2009-01-16 20:55:32 A------- 172 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-WindowBlinds.reg.dat
2009-01-16 20:55:33 A------- 107 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-SkyTel.reg.dat
2009-01-16 20:55:33 A------- 109 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-RTHDCPL.reg.dat
2009-01-16 20:55:33 A------- 132 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-prunnet.reg.dat
2009-01-16 20:55:33 A------- 165 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-googletalk.reg.dat
2009-01-16 20:55:43 A------- 604 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-BitComet.reg.dat
2009-01-16 20:55:44 A------- 526 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-CTXFIREG.reg.dat
2009-01-16 22:36:58 A------- 181,320 C:\Qoobox\Quarantine\[4]-Submit_2009-01-16@22.36.zip
2009-01-16 22:46:30 A------- 138 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Ybaqili.reg.dat
2009-01-16 22:46:30 A------- 144 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Wbizuloruzifu.reg.dat
Old 01-17-2009, 08:34 AM   #14 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

  • Please visit this site:


    http://www.bleepingcomputer.com/subm....php?channel=4

  • In the Link to topic where this file was requested: area, copy and paste this


    http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/335596-non-browser-popups-bsod.html#post1916930

  • In the Browse to the file you want to submit: area, copy and paste this


    C:\Qoobox\Quarantine\[4]-Submit_2009-01-16@22.36.zip

  • Then click Send File.
  • Once it shows:
    Quote:
    Your file was successfully submitted. Please let the user helping you know that you have submitted the file.
  • Close the site and continue with the steps below.

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving?
Old 01-17-2009, 04:23 PM   #15 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

That scan took a long time, but here are the results:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, January 17, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, January 17, 2009 19:19:58
Records in database: 1638100
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 155584
Threat name: 5
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 02:10:16


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekajcjsarpv.sys.vir Infected: Rootkit.Win32.Agent.gmj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\prunnet.exe.vir Infected: Trojan.Win32.Agent.binp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\senekajyurotpo.dll.vir Infected: Trojan.Win32.Agent.binr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\~.exe.vir Infected: Trojan-Dropper.Win32.Agent.aekv 1
C:\Qoobox\Quarantine\[4]-Submit_2009-01-16@22.36.zip Infected: Trojan-Downloader.Win32.Agent.bdlh 2

The selected area was scanned.
Old 01-17-2009, 05:18 PM   #16 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

The items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix when I am sure we're done, which should be shortly.

How is the machine behaving?
Old 01-17-2009, 05:28 PM   #17 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Right now, I have not experienced any BSODs recently, nor have there been any non-browser popups. It's looking great right now.
Old 01-17-2009, 05:40 PM   #18 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Good to hear.

The items Kaspersky found are in ComboFix quarantine, and will be addressed by uninstalling ComboFix as instructed below

Other than that....

Your logs appear clean. You should be good to go. We still have a few items to address.

Go to -> Run -> copy/paste in the following single line command & click OK

combofix /u



This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:
  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • SpywareBlaster to help prevent spyware from installing in the first place.
    • Install & update SpywareBlaster with the latest definitions.
      After you have updated, click the button - enable protection for all unprotected items
  • McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
  • Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  • MVPS HOST FILE
    The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
    • Download Host.zip to your desktop.
    • From your Desktop right-click (hosts.zip) and select:
      Extract All from the menu.
    • Click Next, click Next, select the option:
      "Show Extracted files", click Finish
    • This will open the newly created hosts folder on your Desktop.
    • Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
    • Once updated you should see another prompt that the task was completed.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

    Do not install more than one AntiVirus program because they will conflict with each other.

  • Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer

  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP/Vista. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.


In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles
If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.
Old 01-17-2009, 09:43 PM   #19 (permalink)
Registered User
 
Join Date: Jan 2009
Posts: 10
OS: Windows XP SP2


Re: Non-browser popups and BSOD

Okay, I have uninstalled Combofix and the computer is working perfectly. Thank you so much for your time and help.
Old 01-17-2009, 09:45 PM   #20 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,555
OS: 2000 Pro; XP Pro; XP Home


Re: Non-browser popups and BSOD

Glad to hear that, and you're quite welcome for the help.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.
 

