08-16-2009, 04:21 AM   #1
Ryukenden (Registered User)
Join Date: Jan 2009
Posts: 13
OS: windows xp service pack 2


[SOLVED] mlJBULcD.dll virus problem

After reinstalling Windows due to a BSOD I installed NOD antivirus, updated it, and now it gives the same error every second. The mlJBULcD.dll file, which is in the C:\WINDOWS\system32\ folder, has a virus.

I would delete it but the OS would crash. What to do?

____________________________________________________________

DDS (Ver_09-07-30.01) - NTFSx86
Run by PC at 2:59:39.00 on Sun 08/16/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.535 [GMT -7:00]

AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\PC\Local Settings\Apps\2.0\EJN53Q3Z.4AA\V0AP6JE6.L2V\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\2DF FreePlay Client.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\dfsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\PC\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: {ef8820eb-f11e-4dd6-bc6c-d99084691c18} - c:\windows\system32\mlJBULcD.dll
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
TCP: {A60FACAE-3948-4993-9A2B-39B25A9F324D} = 192.168.1.2
Notify: mlJBULcD - mlJBULcD.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {ef8820eb-f11e-4dd6-bc6c-d99084691c18} - c:\windows\system32\mlJBULcD.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\pc\applic~1\mozilla\firefox\profiles\itj3deui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-6-10 34312]
R2 ekrn;Eset Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2008-6-10 468224]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2009-8-15 603904]

=============== Created Last 30 ================

2009-08-16 02:35 <DIR> --d----- C:\New Folder
2009-08-15 23:53 16,128 ac------ c:\windows\system32\dllcache\modemcsa.sys
2009-08-15 23:53 16,128 a------- c:\windows\system32\drivers\MODEMCSA.sys
2009-08-15 23:24 1,846,632 a------- c:\windows\system32\D3DCompiler_41.dll
2009-08-15 23:24 453,456 a------- c:\windows\system32\d3dx10_41.dll
2009-08-15 23:22 3,786,760 a------- c:\windows\system32\D3DX9_37.dll
2009-08-15 23:21 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-08-15 23:03 <DIR> --d-h--- c:\windows\msdownld.tmp
2009-08-15 23:03 <DIR> --d----- c:\windows\Logs
2009-08-15 22:59 713,216 a------- c:\windows\system32\SET2D2.tmp
2009-08-15 22:57 741,744 a------- C:\WindowsXP-KB943232-v2-x86-ENU.exe
2009-08-15 22:51 <DIR> --d----- c:\windows\Internet Logs
2009-08-15 22:34 819,200 a------- c:\windows\system32\xvidcore.dll
2009-08-15 22:34 77,824 a------- c:\windows\system32\xvid.ax
2009-08-15 22:34 180,224 a------- c:\windows\system32\xvidvfw.dll
2009-08-15 22:34 <DIR> --d----- c:\program files\Xvid
2009-08-15 22:26 <DIR> --d----- c:\program files\The KMPlayer
2009-08-15 22:19 1,197,294 ac------ c:\windows\system32\dllcache\SET9DB.tmp
2009-08-15 22:19 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-08-15 22:16 <DIR> --d----- c:\windows\system32\LogFiles
2009-08-15 21:45 <DIR> --d----- c:\docume~1\pc\applic~1\Damdai
2009-08-15 21:38 <DIR> --d----- c:\program files\Unlocker
2009-08-15 21:24 603,904 a------- c:\windows\system32\TUProgSt.exe
2009-08-15 21:24 27,904 a------- c:\windows\system32\uxtuneup.dll
2009-08-15 21:24 362,240 a------- c:\windows\system32\TuneUpDefragService.exe
2009-08-15 21:24 <DIR> --d----- c:\docume~1\pc\applic~1\TuneUp Software
2009-08-15 21:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\TuneUp Software
2009-08-15 21:23 <DIR> --d----- c:\program files\TuneUp Utilities 2009
2009-08-15 21:22 <DIR> --dsh--- c:\docume~1\alluse~1\applic~1\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-15 21:08 <DIR> --d----- c:\program files\uTorrent
2009-08-15 21:08 <DIR> --d----- c:\docume~1\pc\applic~1\uTorrent
2009-08-15 21:02 <DIR> --d----- c:\windows\system32\PreInstall
2009-08-15 21:02 <DIR> --d-h--- c:\windows\$hf_mig$
2009-08-15 21:00 <DIR> --ds---- c:\documents and settings\pc\UserData
2009-08-15 20:56 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-15 20:56 14,048 a------- c:\windows\system32\spmsg2.dll
2009-08-15 20:55 <DIR> --d----- c:\program files\CCleaner
2009-08-15 20:52 23,856 a------- c:\windows\system32\spupdsvc.exe
2009-08-15 20:52 <DIR> --d----- c:\program files\MSXML 6.0
2009-08-15 20:42 <DIR> --d----- C:\dba663370b2697e0b24911bb
2009-08-15 20:33 <DIR> --d----- c:\program files\ESET
2009-08-15 20:33 37,888 a------- c:\windows\system32\ljJDtqRJ.dll
2009-08-15 20:33 37,888 a------- c:\windows\system32\mlJBULcD.dll
2009-08-15 20:29 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-08-15 20:29 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-08-15 20:29 <DIR> --d----- c:\program files\common files\NVIDIA Shared
2009-08-15 20:29 172,032 a------- c:\windows\system32\nvuaudio.exe
2009-08-15 20:29 3,787 a------- c:\windows\system32\nvaudio.nvu
2009-08-15 20:28 172,032 a------- c:\windows\system32\nvuide.exe
2009-08-15 20:28 464 a------- c:\windows\system32\nvide.nvu
2009-08-15 20:28 159,744 a------- c:\windows\system32\nvuenet.exe
2009-08-15 20:28 1,556 a------- c:\windows\system32\nvenet.nvu
2009-08-15 20:28 172,032 a------- c:\windows\system32\nvusmb.exe
2009-08-15 20:28 789 a------- c:\windows\system32\nvsmb.nvu
2009-08-15 20:28 172,032 a------- c:\windows\system32\nvumctl.exe
2009-08-15 20:28 1,217 a------- c:\windows\system32\nvmctl.nvu
2009-08-15 20:28 172,032 a------- c:\windows\system32\nvugart.exe
2009-08-15 20:28 2,124 a------- c:\windows\system32\nvgart.nvu
2009-08-15 20:28 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-08-15 20:27 49,152 a------- c:\windows\system32\ChCfg.exe
2009-08-15 20:27 4,122,368 a----r-- c:\windows\system32\drivers\alcxwdm.sys
2009-08-15 20:27 <DIR> --d----- c:\program files\Realtek AC97
2009-08-15 20:27 10,528,768 a------- c:\windows\system32\RTLCPL.exe
2009-08-15 20:27 141,016 a------- c:\windows\system32\alsndmgr.wav
2009-08-15 20:27 18,804,736 a------- c:\windows\system32\alsndmgr.cpl
2009-08-15 20:27 577,536 a------- c:\windows\soundman.exe
2009-08-15 20:27 315,392 a------- c:\windows\alcupd.exe
2009-08-15 20:27 217,088 a------- c:\windows\Alcrmv.exe
2009-08-15 20:27 147,456 a------- c:\windows\system32\RtlCPAPI.dll
2009-08-15 20:24 457,248 a------- c:\windows\system32\nvudisp.exe
2009-08-15 20:24 19,495 a------- c:\windows\system32\nvdisp.nvu
2009-08-15 20:24 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-08-15 20:23 <DIR> --d----- C:\NVIDIA
2009-08-15 20:22 <DIR> --d----- c:\documents and settings\PC
2009-08-15 20:21 <DIR> --ds---- c:\windows\system32\Microsoft
2009-08-15 20:21 8,192 a------- c:\windows\REGLOCS.OLD
2009-08-15 20:20 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-08-15 20:18 221,696 ac------ c:\windows\system32\dllcache\seo.dll
2009-08-15 20:17 47,066 ac------ c:\windows\system32\dllcache\ksc.nls
2009-08-15 20:16 101,888 ac------ c:\windows\system32\dllcache\evntagnt.dll
2009-08-15 20:15 2,577 a------- c:\windows\system32\CONFIG.NT
2009-08-15 20:15 0 a------- c:\windows\control.ini
2009-08-15 20:15 23,392 a------- c:\windows\system32\nscompat.tlb
2009-08-15 20:15 16,832 a------- c:\windows\system32\amcompat.tlb
2009-08-15 20:15 316,640 a------- c:\windows\WMSysPr9.prx
2009-08-15 20:14 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-08-15 20:13 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-08-15 20:12 <DIR> --d----- c:\program files\common files\MSSoap
2009-08-15 20:11 <DIR> --d----- c:\program files\Online Services
2009-08-15 20:11 <DIR> --d----- c:\program files\Messenger
2009-08-15 20:11 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-08-15 20:10 <DIR> --d----- c:\program files\Windows NT
2009-08-15 13:05 <DIR> --d----- c:\program files\common files\ODBC
2009-08-15 13:05 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-08-15 13:04 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-08-15 20:14 86,327 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-08-15 20:11 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-06-10 08:28 3,510,272 a------- c:\windows\system32\nvgames.dll
2009-06-10 08:28 4,022,272 a------- c:\windows\system32\nvdisps.dll
2009-06-10 08:28 13,758,464 a------- c:\windows\system32\nvcpl.dll
2009-06-10 08:28 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-06-10 08:28 143,360 a------- c:\windows\system32\nvcolor.exe
2009-06-10 08:28 86,016 a------- c:\windows\system32\nvmctray.dll
2009-06-10 08:28 229,376 a------- c:\windows\system32\nvmccs.dll
2009-06-10 06:03 9,998,336 a------- c:\windows\system32\nvoglnt.dll
2009-06-10 06:03 5,908,608 a------- c:\windows\system32\nv4_disp.dll
2009-06-10 06:03 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-06-10 06:03 1,580,550 a------- c:\windows\system32\nvdata.bin
2009-06-10 06:03 1,310,720 a------- c:\windows\system32\nvcuvenc.dll
2009-06-10 06:03 815,104 a------- c:\windows\system32\nvapi.dll
2009-06-10 06:03 671,744 a------- c:\windows\system32\nvcuvid.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcodins.dll
2009-06-10 06:03 151,552 a------- c:\windows\system32\nvcod.dll

============= FINISH: 3:00:00.74 ===============

08-16-2009, 02:51 PM   #2
tetonbob (Manager, Security Center, TSF Academy; Analyst, Security Team)
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,646
OS: 2000 Pro; XP Pro; XP Home


Re: mlJBULcD.dll virus problem

Hello again....

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

  1. Download ComboFix from this location:

    Link 1

    * IMPORTANT !!! Place it on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.


    You can get help on disabling your protection programs here
  3. Double click on the file you downloaded & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

    ---------------------------------------------------------------------------------------------
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------
08-16-2009, 04:28 PM   #3
Ryukenden (Registered User)
Join Date: Jan 2009
Posts: 13
OS: windows xp service pack 2


Re: mlJBULcD.dll virus problem

ComboFix is the best tool ever! Works fine now, thanks a lot.
___________________________________________________________
ComboFix Beta_09-08-15.07 - PC 08/17/2009 0:15.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.727 [GMT -7:00]
Running from: c:\documents and settings\PC\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ljJDtqRJ.dll
c:\windows\system32\mlJBULcD.dll

.
((((((((((((((((((((((((( Files Created from 2009-07-17 to 2009-08-17 )))))))))))))))))))))))))))))))
.

2009-08-16 17:42 . 2004-08-04 06:08 26496 -c--a-w- c:\windows\system32\dllcache\usbstor.sys
2009-08-16 14:57 . 2009-08-16 14:57 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\bluesoleil
2009-08-16 14:53 . 2009-08-16 14:53 -------- d-----w- c:\program files\IVT Corporation
2009-08-16 14:47 . 2007-05-13 19:24 86683 ----a-w- c:\windows\system32\pthreadGC2.dll
2009-08-16 14:47 . 2009-08-16 14:47 -------- d-----w- c:\program files\AoA Audio Extractor
2009-08-16 14:42 . 2009-08-16 14:42 -------- d--h--w- c:\windows\PIF
2009-08-16 14:36 . 2009-08-16 14:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-08-16 13:11 . 2009-08-16 18:15 -------- d-----w- c:\documents and settings\PC\Tracing
2009-08-16 13:06 . 2009-08-16 13:06 -------- d-----w- c:\program files\Microsoft
2009-08-16 13:06 . 2009-08-16 13:06 -------- d-----w- c:\program files\Windows Live SkyDrive
2009-08-16 13:06 . 2009-08-16 13:06 -------- d-----w- c:\program files\Windows Live
2009-08-16 13:00 . 2009-08-16 13:00 -------- d-----w- c:\program files\Common Files\Windows Live
2009-08-16 10:51 . 2009-08-16 10:51 -------- d-----w- c:\documents and settings\PC\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-08-16 10:50 . 2009-08-16 10:50 38208 ----a-w- c:\documents and settings\PC\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-16 10:50 . 2009-08-16 10:50 38208 ----a-w- c:\documents and settings\Default User\Application Data\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-08-16 10:50 . 2009-08-16 10:50 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-08-16 06:53 . 2001-08-17 20:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2009-08-16 06:53 . 2001-08-17 20:57 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2009-08-16 06:24 . 2009-03-09 22:27 453456 ----a-w- c:\windows\system32\d3dx10_41.dll
2009-08-16 06:24 . 2009-03-09 22:27 1846632 ----a-w- c:\windows\system32\D3DCompiler_41.dll
2009-08-16 06:22 . 2008-03-05 22:56 3786760 ----a-w- c:\windows\system32\D3DX9_37.dll
2009-08-16 06:21 . 2005-05-26 22:34 2297552 ----a-w- c:\windows\system32\d3dx9_26.dll
2009-08-16 06:03 . 2009-08-16 06:21 -------- d--h--w- c:\windows\msdownld.tmp
2009-08-16 06:03 . 2009-08-16 06:03 -------- d-----w- c:\windows\Logs
2009-08-16 05:51 . 2009-08-16 06:48 -------- d-----w- c:\windows\Internet Logs
2009-08-16 05:34 . 2009-06-07 23:16 819200 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-16 05:34 . 2009-06-07 23:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-16 05:34 . 2009-08-16 05:34 -------- d-----w- c:\program files\Xvid
2009-08-16 05:26 . 2009-08-17 06:21 -------- d-----w- c:\program files\The KMPlayer
2009-08-16 05:20 . 2004-08-03 22:56 25600 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2009-08-16 05:19 . 2009-08-16 05:19 -------- d-----w- c:\program files\Windows Media Connect 2
2009-08-16 05:16 . 2009-08-16 06:48 -------- d-----w- c:\windows\system32\LogFiles
2009-08-16 05:16 . 2009-08-16 05:17 -------- d-----w- c:\windows\system32\drivers\UMDF
2009-08-16 04:45 . 2009-08-16 04:43 110592 ----a-w- c:\documents and settings\PC\Application Data\Damdai\2DF\FreePlay\kailleraclient.dll
2009-08-16 04:45 . 2009-08-16 04:43 81920 ----a-w- c:\documents and settings\PC\Application Data\Damdai\2DF\FreePlay\okai_recorder.dll
2009-08-16 04:45 . 2009-08-16 04:43 75264 ----a-w- c:\documents and settings\PC\Application Data\Damdai\2DF\FreePlay\zlib1.dll
2009-08-16 04:45 . 2009-08-16 04:45 6393344 ----a-w- c:\documents and settings\PC\Application Data\Damdai\2DF\FreePlay\freeplay_emu.exe
2009-08-16 04:45 . 2009-08-16 04:45 -------- d-----w- c:\documents and settings\PC\Application Data\Damdai
2009-08-16 04:38 . 2009-08-16 04:38 -------- d-----w- c:\program files\Unlocker
2009-08-16 04:24 . 2009-08-16 04:24 603904 ----a-w- c:\windows\system32\TUProgSt.exe
2009-08-16 04:24 . 2008-11-12 23:44 27904 ----a-w- c:\windows\system32\uxtuneup.dll
2009-08-16 04:24 . 2009-08-16 04:24 362240 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2009-08-16 04:24 . 2009-08-16 04:24 -------- d-----w- c:\documents and settings\PC\Application Data\TuneUp Software
2009-08-16 04:23 . 2009-08-16 04:23 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2009-08-16 04:23 . 2009-08-16 04:24 -------- d-----w- c:\program files\TuneUp Utilities 2009
2009-08-16 04:22 . 2009-08-16 04:22 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
2009-08-16 04:08 . 2009-08-16 04:08 -------- d-----w- c:\program files\uTorrent
2009-08-16 04:08 . 2009-08-16 15:02 -------- d-----w- c:\documents and settings\PC\Application Data\uTorrent
2009-08-16 04:06 . 2009-08-16 13:11 12912 ----a-w- c:\documents and settings\PC\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-16 04:06 . 2009-08-17 06:54 -------- d-----w- c:\documents and settings\PC\Local Settings\Application Data\Deployment
2009-08-16 04:02 . 2009-08-16 05:59 -------- d--h--w- c:\windows\$hf_mig$
2009-08-16 04:00 . 2009-08-16 04:00 -------- d-s---w- c:\documents and settings\PC\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 06:48 . 2009-08-16 05:51 1736 ----a-w- c:\windows\Internet Logs\ErrorLog.tmp
2009-08-16 03:59 . 2009-08-16 03:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2009-08-16 03:57 . 2009-08-16 03:57 64200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-08-16 03:56 . 2009-08-16 03:56 -------- d-----w- c:\program files\MSBuild
2009-08-16 03:56 . 2009-08-16 03:49 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-16 03:56 . 2009-08-16 03:56 -------- d-----w- c:\program files\Reference Assemblies
2009-08-16 03:55 . 2009-08-16 03:55 -------- d-----w- c:\program files\CCleaner
2009-08-16 03:52 . 2009-08-16 03:52 -------- d-----w- c:\program files\MSXML 6.0
2009-08-16 03:34 . 2009-08-16 03:34 0 ----a-w- c:\windows\nsreg.dat
2009-08-16 03:33 . 2009-08-16 03:33 -------- d-----w- c:\program files\ESET
2009-08-16 03:33 . 2009-08-16 03:33 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET
2009-08-16 03:29 . 2009-08-16 03:29 -------- d-----w- c:\program files\NVIDIA Corporation
2009-08-16 03:29 . 2009-08-16 03:29 -------- d-----w- c:\program files\Common Files\NVIDIA Shared
2009-08-16 03:29 . 2009-08-16 03:27 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-16 03:29 . 2009-08-16 03:24 -------- d-----w- c:\program files\Common Files\InstallShield
2009-08-16 03:27 . 2009-08-16 03:27 -------- d-----w- c:\program files\Realtek AC97
2009-08-16 03:16 . 2009-08-16 03:16 -------- d-----w- c:\program files\microsoft frontpage
2009-08-16 03:14 . 2009-08-16 03:14 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-08-16 03:11 . 2009-08-16 03:11 21640 ----a-w- c:\windows\system32\emptyregdb.dat
2009-08-05 19:29 . 2009-08-16 03:45 43008 ----a-w- c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\itj3deui.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2009-08-05 19:29 . 2009-08-16 03:45 340480 ----a-w- c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\itj3deui.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2009-08-05 19:28 . 2009-08-16 03:45 346112 ----a-w- c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\itj3deui.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2009-06-21 15:46 . 2009-08-16 03:24 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
2009-06-10 15:28 . 2009-06-10 15:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
2009-06-10 15:28 . 2009-06-10 15:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
2009-06-10 15:28 . 2009-06-10 15:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
2009-06-10 15:28 . 2009-06-10 15:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
2009-06-10 15:28 . 2009-06-10 15:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
2009-06-10 15:28 . 2009-06-10 15:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
2009-06-10 15:28 . 2009-06-10 15:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
2009-06-10 13:03 . 2009-08-16 03:24 457248 ----a-w- c:\windows\system32\nvudisp.exe
2009-06-10 13:03 . 2009-06-10 13:03 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
2009-06-10 13:03 . 2009-06-10 13:03 815104 ----a-w- c:\windows\system32\nvapi.dll
2009-06-10 13:03 . 2009-06-10 13:03 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-06-10 13:03 . 2009-06-10 13:03 671744 ----a-w- c:\windows\system32\nvcuvid.dll
2009-06-10 13:03 . 2009-06-10 13:03 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
2009-06-10 13:03 . 2009-06-10 13:03 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-06-10 13:03 . 2009-06-10 13:03 1580550 ----a-w- c:\windows\system32\nvdata.bin
2009-06-10 13:03 . 2009-06-10 13:03 151552 ----a-w- c:\windows\system32\nvcodins.dll
2009-06-10 13:03 . 2009-06-10 13:03 151552 ----a-w- c:\windows\system32\nvcod.dll
2009-06-10 13:03 . 2009-06-10 13:03 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-11 1447168]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\PC\\Local Settings\\Apps\\2.0\\EJN53Q3Z.4AA\\V0AP6JE6.L2V\\2dff..tion_fcdf29b345c9098a_0001.0000_89b83da73a004bb4\\2DF FreePlay Client.exe"=
"c:\\Documents and Settings\\PC\\Application Data\\Damdai\\2DF\\FreePlay\\freeplay_emu.exe"=
"d:\\Program Files\\GGPO\\ggpo.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleilCS.exe"=

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [6/10/2008 6:56 PM 34312]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [6/10/2008 6:53 PM 468224]
R2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [8/15/2009 9:24 PM 603904]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 23:28]
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
TCP: {A60FACAE-3948-4993-9A2B-39B25A9F324D} = 192.168.1.2
FF - ProfilePath - c:\documents and settings\PC\Application Data\Mozilla\Firefox\Profiles\itj3deui.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 6
FF - user.js: network.http.max-persistent-connections-per-server - 3
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: content.notify.interval - 750000
FF - user.js: content.max.tokenizing.time - 2250000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-17 00:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3780)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\BsLangInDepRes.dll
c:\windows\system32\Bs2Res.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\IVT Corporation\BlueSoleil\BlueSoleilCS.exe
c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
c:\program files\IVT Corporation\BlueSoleil\BsHelpCS.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-17 0:24 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-17 07:24

Pre-Run: 26,203,254,784 bytes free
Post-Run: 26,230,611,968 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

237 --- E O F --- 2009-08-16 04:03
Old 08-16-2009, 05:35 PM   #4 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,646
OS: 2000 Pro; XP Pro; XP Home


Re: mlJBULcD.dll virus problem

Hello -

I'm glad to hear things are better. ComboFix is quite effective at what it does, thanks to its author. It should not be run without being supervised by someone trained in its use, or take the place of more conventional applications.

It would be prudent to run a couple more scans.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop. Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.


Please perform this online scan to help look for remnants.

This scan requires Sun Java
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE)."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.
  • After the install is complete.....



Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on Settings. Uncheck Mail databases.
  • Next, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------
__________________
Practice Safe Surfing
Because what you don't know, CAN hurt you.
Proud Member of ASAP since 2005
Proud Member of UNITE since 2006

Microsoft MVP - Consumer Security 2009
Old 08-24-2009, 09:17 AM   #5 (permalink)
Manager, Security Center, TSF Academy; Analyst, Security Team
 
tetonbob's Avatar
 
Join Date: Jan 2005
Location: Transylvania County, North Carolina, USA
Posts: 35,646
OS: 2000 Pro; XP Pro; XP Home


Re: mlJBULcD.dll virus problem

Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help
 

