
Virus processes appeared after I opened a file I downloaded

This is a discussion on Virus processes appeared after I opened a file I downloaded within the Resolved HJT Threads forums, part of the Tech Support Forum category.


Old 07-07-2010, 09:14 PM   #1
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



I downloaded a file that was a supposed crack of a program, and it was not. I double clicked to open it, and the file disappeared. Since then there are four programs that I believe to be viruses that will show up every now and then under processes in Windows Task Manager, and I'll end them when they come back. The processes that have appeared since I opened the file are:
aw1.exe
apyqya.exe
fvufxggtssd.exe
verclsid.exe

I found the first one listed as malware I believe, and it took up a very large amount of RAM. The second and third were nowhere to be found with a Google search. The fourth one I am pretty sure prevented me from clicking anything on the task bar, because once I ended it I could click the task bar again. Also, my inability to click the task bar began when a pop-up window appeared in the lower right hand corner, along with an icon that I do not think I have seen on my computer before. This is a picture of the pop-up, along with the icon circled in red:

The pop-up went away after a while of clicking on other windows I believe, and the icon went away when I canceled the fourth process. All of the above processes have reappeared a few times since the original file was opened. I have started the steps in the forum about posting logs, but GMER is still running after I started it three hours ago. I was wondering if anyone had advice about this situation without the files requested in the forum instructions.
jamisonsalamand is offline  
Old 07-08-2010, 06:12 PM   #2
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



All right, GMER finished, so I can post the logs now.


DDS (Ver_10-03-17.01) - NTFSx86
Run by All at 20:44:27.88 on Wed 07/07/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1320 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Apyqya.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Documents and Settings\All\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uWindow Title = Windows Internet Explorer provided by Yahoo!
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = about:blank
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Mirar: {8d830395-6209-4b22-963f-0e86a12b68ac} - c:\windows\system32\winqj77.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Mirar: {8d830394-6209-4b22-963f-0e86a12b68ac} - c:\windows\system32\winqj77.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [iexplorer] c:\docume~1\all\locals~1\temp\ixp000.tmp\iexplorer.exe
uRun: [Performance Center] c:\program files\ascentive\performance center\APCMain.exe -m
uRun: [EWABQAF7KL] c:\docume~1\all\locals~1\temp\Aw1.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [cftmon] c:\windows\system32\gtky.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [eBook Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [McRegWiz] c:\progra~1\mcafee.com\agent\mcregwiz.exe /autorun
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: &Search - https://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135780814625
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\all\applic~1\mozilla\firefox\profiles\na5uvgt8.default\
FF - plugin: c:\documents and settings\all\application data\mozilla\firefox\profiles\na5uvgt8.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-22 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-22 122368]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2004-12-28 36981]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-22 245760]
S3 oUltraf;oUltraf;\??\c:\docume~1\all\locals~1\temp\oultraf.sys --> c:\docume~1\all\locals~1\temp\oUltraf.sys [?]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2009-2-3 18944]

=============== Created Last 30 ================

2010-07-07 23:52:57 175104 ----a-w- c:\windows\Apyqya.exe
2010-07-07 23:52:52 114688 --sha-r- c:\windows\system32\wpabalni.dll
2010-07-07 01:28:30 0 d-----w- c:\windows\system32\NtmsData
2010-06-29 16:10:24 0 d-----w- c:\docume~1\all\applic~1\Thinstall

==================== Find3M ====================

2010-05-12 22:29:48 54408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2010-04-16 11:43:25 634656 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-04-16 11:43:23 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2005-07-14 17:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 0954 163328 --sh--r- c:\windows\system32\flvDX.dll
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47:16 31232 --sh--r- c:\windows\system32\msfDX.dll
2007-12-17 12:43:00 27648 --sh--w- c:\windows\system32\Smab0.dll
2005-02-28 18:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 20:45:06.02 ===============
Attached Files
File Type: zip attach.zip (5.1 KB, 24 views)
jamisonsalamand is offline  
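Reading a DDS log by hand is the work in an HJT thread. As an added example for this thread (not code from DDS, ComboFix, or any of the posters), the script below parses the three line shapes a reviewer reads first in the log above (uRun:/mRun: autoruns, R*/S* service entries and "Created Last 30" file rows) and flags the entries that deserve a closer look: programs started from a temp directory, autorun labels one character away from a Windows process name (cftmon vs. ctfmon), and freshly created binaries that are hidden+system or sit directly in c:\windows. SAMPLE_LOG is constructed from entries in the posted log; the rule names and heuristics are my own.

```python
"""Triage heuristics for DDS "Pseudo HJT Report" style log lines (added example)."""
import re

# Process names that malicious autorun labels commonly imitate with a one-character change.
KNOWN_SYSTEM_NAMES = ("ctfmon", "svchost", "explorer", "lsass", "winlogon", "csrss", "services")

RUN_LINE = re.compile(r"^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
SERVICE_LINE = re.compile(r"^[RS]\d\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
CREATED_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\d+\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+)$")
TEMP_PATH = re.compile(r"\\temp\\", re.I)            # anything launched out of a temp directory
WINDOWS_ROOT_BINARY = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll|sys)$", re.I)

# Constructed sample: a handful of lines taken from the DDS log posted in this thread.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [iexplorer] c:\docume~1\all\locals~1\temp\ixp000.tmp\iexplorer.exe
uRun: [EWABQAF7KL] c:\docume~1\all\locals~1\temp\Aw1.exe
mRun: [cftmon] c:\windows\system32\gtky.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
S3 oUltraf;oUltraf;\??\c:\docume~1\all\locals~1\temp\oultraf.sys --> c:\docume~1\all\locals~1\temp\oUltraf.sys [?]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2009-2-3 18944]
2010-07-07 23:52:57 175104 ----a-w- c:\windows\Apyqya.exe
2010-07-07 23:52:52 114688 --sha-r- c:\windows\system32\wpabalni.dll
2010-07-07 01:28:30 0 d-----w- c:\windows\system32\NtmsData
"""


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def lookalike_of(label: str):
    """Return the Windows process name `label` imitates (distance exactly 1), else None.

    An exact match (e.g. the real ctfmon.exe autorun) is deliberately not flagged.
    """
    name = label.lower()
    if name.endswith(".exe"):
        name = name[:-4]
    for known in KNOWN_SYSTEM_NAMES:
        if osa_distance(name, known) == 1:
            return known
    return None


def triage(lines):
    """Return a list of (rule, detail) findings; lines of other shapes are ignored."""
    findings = []
    for line in lines:
        line = line.strip()
        if (m := RUN_LINE.match(line)):
            if TEMP_PATH.search(m["cmd"]):
                findings.append(("autorun-from-temp", m["name"]))
            known = lookalike_of(m["name"])
            if known:
                findings.append(("autorun-lookalike-name", f"{m['name']} ~ {known}"))
        elif (m := SERVICE_LINE.match(line)):
            if TEMP_PATH.search(m["rest"]):
                findings.append(("service-from-temp", m["svc"]))
        elif (m := CREATED_LINE.match(line)):
            attr, path = m["attr"], m["path"]
            # DDS attribute string: 's' = system, 'h' = hidden; both on a new file is unusual.
            if "s" in attr and "h" in attr:
                findings.append(("new-hidden-system-file", path))
            # Installers rarely drop binaries straight into c:\windows; recent ones merit review.
            if WINDOWS_ROOT_BINARY.match(path):
                findings.append(("new-binary-in-windows-root", path))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:28} {detail}")
```

The output is a review list, not a verdict: each finding names the log entry to check against the file on disk and a reputation lookup before anything is removed.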
Old 07-11-2010, 01:32 AM   #3
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello and welcome to Tech Support Forum.

I am currently assessing your situation and will be back with a fix for your problem as soon as possible.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this, click Thread Tools, then click Subscribe to this Thread. Under the Notification Type: title, make sure it is set to Instant notification by email, then click Add Subscription.

Please be patient with me during this time.

Meanwhile, please make a reply to this topic to acknowledge that you have read this and are still with me to tackle the problem until the end. If I do not get any response within 3 days, this topic will be closed.
Jack&Jill is offline  
Old 07-11-2010, 01:58 AM   #4
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



Thank you very much for replying and offering to help with my issue, it is really appreciated!
jamisonsalamand is offline  
Old 07-11-2010, 05:31 PM   #5
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand,

Quote:
I downloaded a file that was a supposed crack of a program, and it was not
Cracks and the sites that host them are usually used by malware authors to spread their wares. It is never a good idea to get cracks or use them, as the risk of getting infected is almost certain.

Have a look here:
https://www.techsupportforum.com/f50/...re-248501.html

Please remove any cracks if still on board your computer and stay away from them in the future.

--------------------

Please download ComboFix from one of the links below and save it to your desktop.

Link 1
Link 2

Do not mouse click on ComboFix while it is running. That may cause it to stall. ComboFix is a powerful tool and must not be used without supervision.

Install Recovery Console and run ComboFix
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Double click on ComboFix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. You will be asked to install it if it is not present in your computer. Click Yes to proceed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    Note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, click on Yes to continue scanning for malware.
  • When finished, a log will be produced as C:\ComboFix.txt. Please post this log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

A detailed step by step tutorial to run ComboFix can be found here if you need help.

--------------------

Please post back:
1. the ComboFix log
Jack&Jill is offline  
Old 07-12-2010, 03:06 PM   #6
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



Before it started, it said there was a DLL trying to attach itself to the program, and to write it down because it might be needed. The file was c:\windows\system32\ntvdDT32.dll
Here is the ComboFix log now:


ComboFix 10-07-12.02 - All 07/12/2010 17:29:06.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1576 [GMT -4:00]
Running from: c:\documents and settings\All\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\windows\system32\ntvdDT32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\~WRD2636.tmp
c:\documents and settings\All Users\Favorites\_favdata.dat
c:\documents and settings\All\Application Data\FunWebProducts
c:\documents and settings\All\Application Data\FunWebProducts\Data\All\avatar.dat
c:\documents and settings\All\Application Data\FunWebProducts\Data\All\register.dat
c:\documents and settings\All\Local Settings\Application Data\{B8EF706E-52BF-42B9-BB42-D22C07B1EF88}
c:\documents and settings\All\Local Settings\Application Data\{B8EF706E-52BF-42B9-BB42-D22C07B1EF88}\chrome.manifest
c:\documents and settings\All\Local Settings\Application Data\{B8EF706E-52BF-42B9-BB42-D22C07B1EF88}\chrome\content\_cfg.js
c:\documents and settings\All\Local Settings\Application Data\{B8EF706E-52BF-42B9-BB42-D22C07B1EF88}\chrome\content\overlay.xul
c:\documents and settings\All\Local Settings\Application Data\{B8EF706E-52BF-42B9-BB42-D22C07B1EF88}\install.rdf
c:\documents and settings\All\Local Settings\Application Data\yjqmjlscn
c:\documents and settings\All\Local Settings\Application Data\yjqmjlscn\fvufxqgtssd.exe
c:\program files\FunWebProducts
c:\program files\FunWebProducts\Shared\002FF642.dat
c:\program files\MyWebSearch
c:\program files\MyWebSearch\bar\History\search2
c:\program files\MyWebSearch\bar\Settings\s_pid.dat
c:\windows\abanuzaf.dll
c:\windows\Apyqya.exe
c:\windows\imigojer.dll
c:\windows\KBDMPR.dll
c:\windows\oxekimaki.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\fonts
c:\windows\system32\fonts\ACADEMY_.PFB
c:\windows\system32\fonts\ACADEMY_.PFM
c:\windows\system32\fonts\ACADEMY_.TTF
c:\windows\system32\logs
c:\windows\system32\winset.ini
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OULTRAF
-------\Legacy_SVCHOST32
-------\Service_oUltraf
-------\Service_svchost32


((((((((((((((((((((((((( Files Created from 2010-06-12 to 2010-07-12 )))))))))))))))))))))))))))))))
.

2010-07-08 01:03 . 2010-07-08 01:03 63 ----a-w- c:\documents and settings\All\stgh.bat
2010-07-08 00:54 . 2010-07-12 20:41 2716 ----a-w- c:\windows\Rzaxu.dat
2010-07-08 00:54 . 2010-07-08 17:47 0 ----a-w- c:\windows\Yjudagidime.bin
2010-07-08 00:52 . 2010-07-08 00:52 47616 ----a-w- c:\windows\system32\ntvdDT32.dll
2010-07-07 23:52 . 2010-07-07 23:52 114688 --sha-r- c:\windows\system32\wpabalni.dll
2010-07-07 01:28 . 2010-07-07 16:43 -------- d-----w- c:\windows\system32\NtmsData
2010-06-29 16:10 . 2010-06-29 16:10 -------- d-----w- c:\documents and settings\All\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 01:48 . 2008-10-10 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-07 23:48 . 2007-06-24 19:35 -------- d-----w- c:\program files\Music Rescue
2010-07-05 22:38 . 2007-12-05 01:53 -------- d-----w- c:\documents and settings\All\Application Data\uTorrent
2010-06-29 02:07 . 2008-09-02 01:01 -------- d-----w- c:\program files\Alliance
2010-05-26 23:41 . 2004-02-04 01:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-17 20:03 . 2010-05-17 20:03 -------- d-----w- c:\program files\DVDStyler
2010-05-16 00:35 . 2010-05-16 00:33 -------- d-----w- c:\documents and settings\All\Application Data\.minecraft
2010-05-12 22:29 . 2009-09-19 00:42 54408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 17:20 . 2005-10-21 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2002-08-29 11:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:51 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-07-17 20:04 . 2008-07-17 20:03 24 --sh--w- c:\windows\SE652D978.tmp
2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r- c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r- c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r- c:\windows\SYSTEM32\cygz.dll
2006-05-03 09:06 . 2008-05-30 22:24 163328 --sha-r- c:\windows\SYSTEM32\flvDX.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\SYSTEM32\i420vfw.dll
2007-02-21 10:47 . 2008-05-30 22:24 31232 --sha-r- c:\windows\SYSTEM32\msfDX.dll
2007-12-17 12:43 . 2008-05-30 22:24 27648 --sha-w- c:\windows\SYSTEM32\Smab0.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r- c:\windows\SYSTEM32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D830395-6209-4B22-963F-0E86A12B68AC}]
2009-01-21 02:11 401408 ----a-w- c:\windows\SYSTEM32\winqj77.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{8D830394-6209-4B22-963F-0E86A12B68AC}"= "c:\windows\system32\winqj77.dll" [2009-01-21 401408]

[HKEY_CLASSES_ROOT\clsid\{8d830394-6209-4b22-963f-0e86a12b68ac}]
[HKEY_CLASSES_ROOT\TypeLib\{3195222F-8BBE-4F32-9232-BD7D19C57692}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{8D830394-6209-4B22-963F-0E86A12B68AC}"= "c:\windows\system32\winqj77.dll" [2009-01-21 401408]

[HKEY_CLASSES_ROOT\clsid\{8d830394-6209-4b22-963f-0e86a12b68ac}]
[HKEY_CLASSES_ROOT\TypeLib\{3195222F-8BBE-4F32-9232-BD7D19C57692}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-25 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"MCUpdateExe"="c:\progra~1\McAfee.com\Agent\McUpdate.exe" [2006-01-11 212992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-27 185896]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 303104]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"eBook Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2009-11-24 906640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All^Start Menu^Programs^Startup^Alliance background mode.lnk]
path=c:\documents and settings\All\Start Menu\Programs\Startup\Alliance background mode.lnk
backup=c:\windows\pss\Alliance background mode.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\All\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2006-08-01 19:35 67112 ----a-w- c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-19 20:32 342848 -c--a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\AOL\1135224883\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2005-09-22 23:29 303104 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2003-08-22 00:40 135168 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2006-01-11 17:05 212992 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-27 19:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 37376 -c--a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135224883\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135224883\\ee\\aolsoftware.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitBlinder\\BitBlinder.exe"=
"c:\\Program Files\\BitBlinder\\Tor.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 LTower;LEGO USB Tower Driver;c:\windows\SYSTEM32\DRIVERS\LTower.sys [12/28/2004 11:22 AM 36981]
S3 PRSUSB;Sony Reader;c:\windows\SYSTEM32\DRIVERS\PRSUSB.sys [2/3/2009 1:57 PM 18944]
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = about:blank
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\na5uvgt8.default\
FF - plugin: c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\na5uvgt8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Performance Center - c:\program files\Ascentive\Performance Center\APCMain.exe
HKCU-Run-Emuhozoxuje - c:\windows\KBDMPR.dll
HKCU-Run-yftwcrrc - c:\documents and settings\All\Local Settings\Application Data\yjqmjlscn\fvufxqgtssd.exe
HKLM-Run-yftwcrrc - c:\documents and settings\All\Local Settings\Application Data\yjqmjlscn\fvufxqgtssd.exe
HKLM-Run-Wkubizuqazaqe - c:\windows\oxekimaki.dll
MSConfigStartUp-AOLSPScheduler - c:\program files\Common Files\AOL\1135224883\ee\services\sscAntiSpywarePlugin\ver1_10_3_1\AOLSP Scheduler.exe
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-CloneCDTray - c:\program files\SlySoft\CloneCD\CloneCDTray.exe
MSConfigStartUp-lxdjamon - c:\program files\Lexmark 1400 Series\lxdjamon.exe
MSConfigStartUp-lxdjmon - c:\program files\Lexmark 1400 Series\lxdjmon.exe
MSConfigStartUp-MoneyAgent - c:\program files\Microsoft Money\System\mnyexpr.exe
MSConfigStartUp-RIS2PostReboot - c:\program files\LEGO MINDSTORMS\RIS 2.0\LaunchRIS2.exe
MSConfigStartUp-sscRun - c:\program files\Common Files\AOL\1135224883\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
AddRemove-AOLAntivirus - c:\program files\mcafee.com\antivirus\uninst.exe
AddRemove-Audacity_is1 - e:\programs\Audacity\unins000.exe
AddRemove-Excel - c:\program files\Microsoft Office\Office\Setup\AcmeXl.exe
AddRemove-ImTOO Audio Maker - c:\documents and settings\All\Desktop\lindsay\Audio Maker\Uninstall.exe
AddRemove-Music Rescue_is1 - f:\music rescue\unins000.exe
AddRemove-Viewpoint Manager - c:\program files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-12 17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\WinHound.com\WinHound\WinHound\License*]
"Data"="InstallTime=1c606ac:c545b7e0\0d\0aLastRunTime=1c6074f:5f3111e0\0d\0a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3276)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\WinSCP\DragExt.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\LEXPPS.EXE
c:\progra~1\COMMON~1\AOL\ACS\acsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\progra~1\mcafee.com\agent\mctskshd.exe
c:\windows\wanmpsvc.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
c:\windows\system32\wscntfy.exe
c:\windows\BCMSMMSG.exe
c:\program files\Lexmark X74-X75\lxbbbmon.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-12 17:58:08 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-12 21:57

Pre-Run: 1,633,443,840 bytes free
Post-Run: 10,781,589,504 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - E68D98FCBA839EA432178389DF2F66DA
jamisonsalamand is offline  
Old 07-13-2010, 05:43 PM   #7
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand ,

P2P software
  • IMPORTANT: I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

    µTorrent
    BitBlinder
    DNA


  • Please read Perils of P2P File Sharing where we explain why it's not a good idea to have them.
  • Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

--------------------

Go to Control Panel > Add/Remove Programs, then uninstall this:
Mirar

--------------------

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Open Notepad. Copy and paste the following text into it:
    Code:
    https://www.techsupportforum.com/f100/virus-processes-appeared-after-i-opened-a-file-i-downloaded-495860.html
    Collect::
    c:\windows\system32\wpabalni.dll
    c:\documents and settings\All\stgh.bat
    c:\windows\Rzaxu.dat
    c:\windows\system32\ntvdDT32.dll
    c:\windows\system32\winqj77.dll
    
    File::
    c:\StubInstaller.exe
    c:\windows\SE652D978.tmp
    c:\windows\Yjudagidime.bin
    
    Folder::
    c:\documents and settings\All\Application Data\uTorrent
    c:\Program Files\uTorrent
    c:\Program Files\DNA
    c:\Program Files\BitBlinder
    
    DirLook::
    c:\windows\system32\NtmsData
    
    Registry::
    [-HKEY_CLASSES_ROOT\TypeLib\{3195222F-8BBE-4F32-9232-BD7D19C57692}]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\StubInstaller.exe"=-
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    "c:\\Program Files\\DNA\\btdna.exe"=-
    "c:\\Program Files\\BitBlinder\\BitBlinder.exe"=-
    "c:\\Program Files\\BitBlinder\\Tor.exe"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    
    RegNull::
    [HKEY_LOCAL_MACHINE\software\WinHound.com\WinHound\WinHound\License*]
    
    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uSearchAssistant = about:blank
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [iexplorer] c:\docume~1\all\locals~1\temp\ixp000.tmp\iexplorer.exe
    uRun: [EWABQAF7KL] c:\docume~1\all\locals~1\temp\Aw1.exe
    mRun: [KernelFaultCheck]
    mRun: [UserFaultCheck]
    mRun: [cftmon] c:\windows\system32\gtky.exe
    IE: &Search - https://edits.mywebsearch.com/toolbar...tml?p=ZJfox000
    STS: {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - No File
  • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • ComboFix will also ask to upload some bad files for analysis. Please follow the steps accordingly.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

--------------------

Do an online scan with ESET Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
  • Click here to go to ESET Online Scanner page.
  • Click on ESET Online Scanner. A new window will open.
    For Firefox users: you will need to download and install esetsmartinstaller_enu.exe. Click on it and save the file to a convenient location. Double click on it to install and a new window will open.
  • After reading through the Terms of Use, check YES, I accept the Terms of Use and click Start to begin scan.
  • You will be prompted to install an ActiveX Control from ESET. Please install.
  • At the Computer scan settings section, uncheck (untick) Remove found threats and then check Scan archives.
  • Now, click on Advanced settings and make sure all these are checked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click on Scan to proceed.
  • Click Finish and close the window.
  • Navigate to C:\Program Files\ESET\ESET Online Scanner using Windows Explorer and look for log.txt.
  • Post the contents of log.txt in your reply.

--------------------

Please post back:
1. the ComboFix log and if the upload is successful
2. ESET online scan result
Jack&Jill is offline  
Old 07-14-2010, 09:58 AM   #8
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



It said the combofix log had too many characters in it, so I attached the txt file. It said the upload was successful. Did combofix uninstall uTorrent and Bitblinder?

Here is the ESET log

[email protected] as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=a74b6882c9d2e74a8704a199e71228f1
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2010-07-14 08:01:12
# local_time=2010-07-14 04:01:12 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=147325
# found=84
# cleaned=0
# scan_time=13581
C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4aa77bde probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\52\66b0bd34-591ae3dc probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1ab034e7-42062214.zip probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-29ffee3e.zip probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\good things bodeans.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\stitched up herbie hancock [160k quality].mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-3545425-good things bodeans.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-5868257-cyborg slayers dethklok (new album).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\cyborg slayers dethklok (new album).mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\day of rain thriving ivory.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\dynamo of volition jason mraz - greatest hits.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\eric hutchinson sounds like sexy girl has shaking orgasm during sex.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\good things bodeans.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\only fooling myself kate dont.mp3 WMA/TrojanDownloader.GetCodec.C trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\undone kat tingey.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross - greatest hits.wma probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross.mp3 WMA/TrojanDownloader.GetCodec.C trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\June 10\Prodigy, the - breathe.mp3 WMA/TrojanDownloader.GetCodec.C trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\may 6\lover all gone clay aiken.mp3 WMA/TrojanDownloader.GetCodec.C trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_eu\6.1.23.1\setup.exe probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Documents and Settings\All\Local Settings\Application Data\yjqmjlscn\fvufxqgtssd.exe.vir Win32/Adware.SpywareProtect2009 application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\Program Files\BitBlinder\tcpz.exe.vir a variant of Win32/TCPZ.F application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Apyqya.exe.vir Win32/TrojanDownloader.FakeAlert.AVU trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\KBDMPR.dll.vir a variant of Win32/Cimag.CW trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\oxekimaki.dll.vir a variant of Win32/Cimag.CK trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gtky.exe.vir Win32/Agent.PIB trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\AMu6E.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\ARe0J.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\Bnd4r.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\BOCo2.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\Br6yj.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\CZ9Al.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\DBe9U.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\DINl6.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\eEt3p.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\eka3N.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\EnVq2.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\FCTv9.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\fJz8F.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\fU09Q.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx probably a variant of Win32/Adware.Agent application 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\huVd2.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\jj3UH.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\KAi1b.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\KeK99.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\KUp5d.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\KXi8k.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\lVn3F.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\m7YQB.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\MEw5F.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\mph5H.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\Mtpt3.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\NdXi7.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\O6YJm.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\OCb6x.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\oEx6J.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\OXf8J.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\Qp2mm.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\R9XWo.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\rHb2r.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\slZy8.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\SNQb0.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\sq1N9.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\StRy8.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\t4Fe7.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\TLWr7.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\v8MPu.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\VDz4L.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\VXsJ7.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\WEa3J.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\wkKd9.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\wRl8h.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\WtKi4.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\wUq71.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\xERu5.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\xwP6D.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\ybert.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\yJyV6.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\YLUf0.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\zc6LX.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\zIs8h.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\zWAc7.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
Attached Files
File Type: txt combofix.txt (110.4 KB, 28 views)
jamisonsalamand is offline  
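As an added example (not part of this thread, and not ESET's or ComboFix's own tooling), here is a small Python parser for the ESET Online Scanner log layout posted above. It splits the `# key=value` header from the detection lines, separates hits that are already sitting in ComboFix's Qoobox quarantine from files still live on disk, tallies detection names and directories, and checks that the number of detection lines matches the `# found=` header, which is the first sanity check before acting on such a log. The embedded sample is constructed from a few lines of the posted log; the regex assumes that no path token contains a forward slash, which is what lets it locate the `Family/Name` detection token from the right.

```python
import re
from collections import Counter

# Constructed sample in the layout of the ESET Online Scanner log posted in
# this thread: a free-text line, '# key=value' header lines, then one
# detection per line:  <path> <detection text> <32 hex digits> <flag>
SAMPLE_LOG = r"""
all ok
# version=7
# end=finished
# remove_checked=false
# scanned=147325
# found=6
# cleaned=0
C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4aa77bde probably a variant of Win32/Agent trojan 00000000000000000000000000000000 I
C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\good things bodeans.mp3 a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\Apyqya.exe.vir Win32/TrojanDownloader.FakeAlert.AVU trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\AMu6E.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
C:\WINDOWS\SYSTEM32\ARe0J.exe a variant of Win32/Injector.TW trojan 00000000000000000000000000000000 I
"""

# Paths contain spaces, so the line is matched from the right: the detection
# name is the first whitespace-free token containing a '/', followed by the
# kind (trojan, application, ...), a 32-digit hex field and a one-token flag.
# Assumption: Windows paths use backslashes, so no path token contains '/'.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<qualifier>probably a variant of |a variant of )?"
    r"(?P<name>\S+/\S+) "
    r"(?P<kind>\S+) "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_eset_log(text):
    """Return (header, detections, unparsed).

    header:     dict of '# key=value' lines (a repeated key keeps the last value)
    detections: list of dicts with path/qualifier/name/kind/hash/flag/quarantined
    unparsed:   lines that are neither header nor detection, kept for review
    """
    header, detections, unparsed = {}, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            # Files under Qoobox were already moved there by ComboFix; they are
            # not live on the system and need no further removal step.
            d["quarantined"] = d["path"].lower().startswith(QUARANTINE_PREFIX)
            detections.append(d)
        else:
            unparsed.append(line)
    return header, detections, unparsed


def summarize(header, detections):
    """Counts a responder wants before deciding on next steps."""
    live = [d for d in detections if not d["quarantined"]]
    return {
        "reported_found": int(header.get("found", "0")),
        "parsed_found": len(detections),
        "cleaned": int(header.get("cleaned", "0")),
        "remove_checked": header.get("remove_checked") == "true",
        "live": len(live),
        "quarantined": len(detections) - len(live),
        "by_name": Counter(d["name"] for d in detections),
        "by_dir": Counter(d["path"].rsplit("\\", 1)[0].lower() for d in live),
    }


def consistent(summary):
    """True when the detection lines agree with the '# found=' header."""
    return summary["reported_found"] == summary["parsed_found"]


def live_paths(detections):
    """Sorted paths of detections that are still on disk (not in Qoobox)."""
    return sorted(d["path"] for d in detections if not d["quarantined"])


if __name__ == "__main__":
    hdr, dets, rest = parse_eset_log(SAMPLE_LOG)
    s = summarize(hdr, dets)
    print("consistent:", consistent(s), "| live:", s["live"],
          "| quarantined:", s["quarantined"], "| cleaned:", s["cleaned"])
    for name, n in s["by_name"].most_common():
        print(f"{n:3d}  {name}")
    print("unparsed:", rest)
```

The split between live and quarantined hits matters when reading the real log: the `C:\Qoobox\Quarantine\...\*.vir` entries are ComboFix's earlier catches, while the `C:\WINDOWS\SYSTEM32\*.exe` hits are what still needs handling, and `remove_checked=false` with `cleaned=0` confirms the scan was run in report-only mode as the instructions asked.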
Old 07-15-2010, 08:41 AM   #9
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand ,

Quote:
Did combofix uninstall uTorrent and Bitblinder?
Yes, but I will restore them as their removal will be your decision.

Some of the media files on your computer as detected by the ESET online scan are bad, so I will be removing them in the subsequent steps.

--------------------

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Open Notepad. Copy and paste the following text into it:
    Code:
    https://www.techsupportforum.com/f100/virus-processes-appeared-after-i-opened-a-file-i-downloaded-495860.html
    Collect::
    C:\Program Files\AIM\Sysfiles\WxBug.EXE
    C:\WINDOWS\SYSTEM32\AMu6E.exe 
    C:\WINDOWS\SYSTEM32\ARe0J.exe 
    C:\WINDOWS\SYSTEM32\Bnd4r.exe 
    C:\WINDOWS\SYSTEM32\BOCo2.exe 
    C:\WINDOWS\SYSTEM32\Br6yj.exe 
    C:\WINDOWS\SYSTEM32\CZ9Al.exe 
    C:\WINDOWS\SYSTEM32\DBe9U.exe 
    C:\WINDOWS\SYSTEM32\DINl6.exe 
    C:\WINDOWS\SYSTEM32\eEt3p.exe 
    C:\WINDOWS\SYSTEM32\eka3N.exe 
    C:\WINDOWS\SYSTEM32\EnVq2.exe 
    C:\WINDOWS\SYSTEM32\FCTv9.exe 
    C:\WINDOWS\SYSTEM32\fJz8F.exe 
    C:\WINDOWS\SYSTEM32\fU09Q.exe 
    C:\WINDOWS\SYSTEM32\GTDownDE_87.ocx 
    C:\WINDOWS\SYSTEM32\huVd2.exe 
    C:\WINDOWS\SYSTEM32\jj3UH.exe 
    C:\WINDOWS\SYSTEM32\KAi1b.exe 
    C:\WINDOWS\SYSTEM32\KeK99.exe
    C:\WINDOWS\SYSTEM32\KUp5d.exe
    C:\WINDOWS\SYSTEM32\KXi8k.exe
    C:\WINDOWS\SYSTEM32\lVn3F.exe
    C:\WINDOWS\SYSTEM32\m7YQB.exe
    C:\WINDOWS\SYSTEM32\MEw5F.exe
    C:\WINDOWS\SYSTEM32\mph5H.exe
    C:\WINDOWS\SYSTEM32\Mtpt3.exe
    C:\WINDOWS\SYSTEM32\NdXi7.exe
    C:\WINDOWS\SYSTEM32\O6YJm.exe
    C:\WINDOWS\SYSTEM32\OCb6x.exe
    C:\WINDOWS\SYSTEM32\oEx6J.exe
    C:\WINDOWS\SYSTEM32\OXf8J.exe
    C:\WINDOWS\SYSTEM32\Qp2mm.exe
    C:\WINDOWS\SYSTEM32\R9XWo.exe
    C:\WINDOWS\SYSTEM32\rHb2r.exe
    C:\WINDOWS\SYSTEM32\slZy8.exe
    C:\WINDOWS\SYSTEM32\SNQb0.exe
    C:\WINDOWS\SYSTEM32\sq1N9.exe
    C:\WINDOWS\SYSTEM32\StRy8.exe
    C:\WINDOWS\SYSTEM32\t4Fe7.exe
    C:\WINDOWS\SYSTEM32\TLWr7.exe
    C:\WINDOWS\SYSTEM32\v8MPu.exe
    C:\WINDOWS\SYSTEM32\VDz4L.exe
    C:\WINDOWS\SYSTEM32\VXsJ7.exe
    C:\WINDOWS\SYSTEM32\WEa3J.exe
    C:\WINDOWS\SYSTEM32\wkKd9.exe
    C:\WINDOWS\SYSTEM32\wRl8h.exe
    C:\WINDOWS\SYSTEM32\WtKi4.exe
    C:\WINDOWS\SYSTEM32\wUq71.exe
    C:\WINDOWS\SYSTEM32\xERu5.exe
    C:\WINDOWS\SYSTEM32\xwP6D.exe
    C:\WINDOWS\SYSTEM32\ybert.exe
    C:\WINDOWS\SYSTEM32\yJyV6.exe
    C:\WINDOWS\SYSTEM32\YLUf0.exe
    C:\WINDOWS\SYSTEM32\zc6LX.exe
    C:\WINDOWS\SYSTEM32\zIs8h.exe
    C:\WINDOWS\SYSTEM32\zWAc7.exe
    
    File::
    C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4aa77bde
    C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\52\66b0bd34-591ae3dc
    C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1ab034e7-42062214.zip
    C:\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-29ffee3e.zip
    C:\Documents and Settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\good things bodeans.mp3
    C:\Documents and Settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\stitched up herbie hancock [160k quality].mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-3545425-good things bodeans.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-5868257-cyborg slayers dethklok (new album).mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\cyborg slayers dethklok (new album).mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\day of rain thriving ivory.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\dynamo of volition jason mraz - greatest hits.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\eric hutchinson sounds like sexy girl has shaking orgasm during sex.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\good things bodeans.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\only fooling myself kate dont.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\undone kat tingey.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross - greatest hits.wma
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\June 10\Prodigy, the - breathe.mp3
    C:\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\may 6\lover all gone clay aiken.mp3
    
    DDS::
    uSearchAssistant = about:blank
    
    DeQuarantine::
    C:\Qoobox\Quarantine\C\documents and settings\All\Application Data\uTorrent
    C:\Qoobox\Quarantine\C\Program Files\uTorrent
    C:\Qoobox\Quarantine\C\Program Files\DNA
    C:\Qoobox\Quarantine\C\Program Files\BitBlinder
  • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • ComboFix will also ask to upload some bad files for analysis. Please follow the steps accordingly.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

--------------------

Restore some registry keys
  • Open Notepad. Copy and paste the following text into it:
    Code:
    @echo off
    regedit "C:\QooBox\Quarantine\Registry_Backups\MSConfigStartUp-BitTorrent DNA.reg.dat"
    regedit "C:\QooBox\Quarantine\Registry_Backups\AddRemove-BitBlinder.reg.dat"
    regedit "C:\QooBox\Quarantine\Registry_Backups\AddRemove-BitTorrent DNA.reg.dat"
    regedit "C:\QooBox\Quarantine\Registry_Backups\AddRemove-uTorrent.reg.dat"
    exit
  • Save it as regrestore.bat on the desktop. Make sure the Save as type: is All Files (*.*).
  • Double click on regrestore.bat to run it. Allow if prompted by any security software.
  • When it asks you to merge the information to the registry, click Yes.

--------------------

Please download Malwarebytes' Anti-Malware (MBAM)© from Malwarebytes and save it to your desktop. Click here.

Run MBAM
  • Double click on mbam-setup.exe and follow the prompts to install the program.
  • At the end of installation, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • MBAM will now check for updates. If your firewall prompts, please allow it. If you can't update it, select the Update tab. Under Update mirror, select one of the websites and click on Check for Updates.
  • Upon completion of update and loading, select the Scanner tab. Click on Perform full scan, then click on Scan.
  • Leave the default options as they are and click on Start Scan.
  • If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
  • When done, you will be prompted. Click OK, then click on Show Results.
  • Check (tick) all items except items in the C:\System Volume Information folder and click on Remove Selected.
  • After it has removed the items, a log in Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottommost log is the latest.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware. If you receive an (Error Loading) error on reboot, please reboot a second time. It is normal for this error to occur once and it does not need to be reported unless it returns on future reboots.

--------------------

Please post back:
1. the ComboFix log
2. MBAM report
Jack&Jill is offline  
Old 07-15-2010, 06:54 PM   #10
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



Here is the combofix log

ComboFix 10-07-12.02 - All 07/15/2010 13:12:00.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1662 [GMT -4:00]
Running from: c:\documents and settings\All\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\All\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4aa77bde"
"c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\6.0\52\66b0bd34-591ae3dc"
"c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1ab034e7-42062214.zip"
"c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-29ffee3e.zip"
"c:\documents and settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\good things bodeans.mp3"
"c:\documents and settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\stitched up herbie hancock [160k quality].mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-3545425-good things bodeans.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-5868257-cyborg slayers dethklok (new album).mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\cyborg slayers dethklok (new album).mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\day of rain thriving ivory.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\dynamo of volition jason mraz - greatest hits.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\eric hutchinson sounds like sexy girl has shaking orgasm during sex.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\good things bodeans.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\June 10\Prodigy, the - breathe.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\may 6\lover all gone clay aiken.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\only fooling myself kate dont.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\undone kat tingey.mp3"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross - greatest hits.wma"
"c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross.mp3"

file zipped: c:\program files\AIM\Sysfiles\WxBug.EXE
file zipped: c:\windows\SYSTEM32\AMu6E.exe
file zipped: c:\windows\SYSTEM32\ARe0J.exe
file zipped: c:\windows\SYSTEM32\Bnd4r.exe
file zipped: c:\windows\SYSTEM32\BOCo2.exe
file zipped: c:\windows\SYSTEM32\Br6yj.exe
file zipped: c:\windows\SYSTEM32\CZ9Al.exe
file zipped: c:\windows\SYSTEM32\DBe9U.exe
file zipped: c:\windows\SYSTEM32\DINl6.exe
file zipped: c:\windows\SYSTEM32\eEt3p.exe
file zipped: c:\windows\SYSTEM32\eka3N.exe
file zipped: c:\windows\SYSTEM32\EnVq2.exe
file zipped: c:\windows\SYSTEM32\FCTv9.exe
file zipped: c:\windows\SYSTEM32\fJz8F.exe
file zipped: c:\windows\SYSTEM32\fU09Q.exe
file zipped: c:\windows\SYSTEM32\GTDownDE_87.ocx
file zipped: c:\windows\SYSTEM32\huVd2.exe
file zipped: c:\windows\SYSTEM32\jj3UH.exe
file zipped: c:\windows\SYSTEM32\KAi1b.exe
file zipped: c:\windows\SYSTEM32\KeK99.exe
file zipped: c:\windows\SYSTEM32\KUp5d.exe
file zipped: c:\windows\SYSTEM32\KXi8k.exe
file zipped: c:\windows\SYSTEM32\lVn3F.exe
file zipped: c:\windows\SYSTEM32\m7YQB.exe
file zipped: c:\windows\SYSTEM32\MEw5F.exe
file zipped: c:\windows\SYSTEM32\mph5H.exe
file zipped: c:\windows\SYSTEM32\Mtpt3.exe
file zipped: c:\windows\SYSTEM32\NdXi7.exe
file zipped: c:\windows\SYSTEM32\O6YJm.exe
file zipped: c:\windows\SYSTEM32\OCb6x.exe
file zipped: c:\windows\SYSTEM32\oEx6J.exe
file zipped: c:\windows\SYSTEM32\OXf8J.exe
file zipped: c:\windows\SYSTEM32\Qp2mm.exe
file zipped: c:\windows\SYSTEM32\R9XWo.exe
file zipped: c:\windows\SYSTEM32\rHb2r.exe
file zipped: c:\windows\SYSTEM32\slZy8.exe
file zipped: c:\windows\SYSTEM32\SNQb0.exe
file zipped: c:\windows\SYSTEM32\sq1N9.exe
file zipped: c:\windows\SYSTEM32\StRy8.exe
file zipped: c:\windows\SYSTEM32\t4Fe7.exe
file zipped: c:\windows\SYSTEM32\TLWr7.exe
file zipped: c:\windows\SYSTEM32\v8MPu.exe
file zipped: c:\windows\SYSTEM32\VDz4L.exe
file zipped: c:\windows\SYSTEM32\VXsJ7.exe
file zipped: c:\windows\SYSTEM32\WEa3J.exe
file zipped: c:\windows\SYSTEM32\wkKd9.exe
file zipped: c:\windows\SYSTEM32\wRl8h.exe
file zipped: c:\windows\SYSTEM32\WtKi4.exe
file zipped: c:\windows\SYSTEM32\wUq71.exe
file zipped: c:\windows\SYSTEM32\xERu5.exe
file zipped: c:\windows\SYSTEM32\xwP6D.exe
file zipped: c:\windows\SYSTEM32\ybert.exe
file zipped: c:\windows\SYSTEM32\yJyV6.exe
file zipped: c:\windows\SYSTEM32\YLUf0.exe
file zipped: c:\windows\SYSTEM32\zc6LX.exe
file zipped: c:\windows\SYSTEM32\zIs8h.exe
file zipped: c:\windows\SYSTEM32\zWAc7.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4aa77bde
c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\6.0\52\66b0bd34-591ae3dc
c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1ab034e7-42062214.zip
c:\documents and settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-29ffee3e.zip
c:\documents and settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\good things bodeans.mp3
c:\documents and settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\stitched up herbie hancock [160k quality].mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-3545425-good things bodeans.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-5868257-cyborg slayers dethklok (new album).mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\cyborg slayers dethklok (new album).mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\day of rain thriving ivory.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\dynamo of volition jason mraz - greatest hits.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\eric hutchinson sounds like sexy girl has shaking orgasm during sex.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\good things bodeans.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\June 10\Prodigy, the - breathe.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\may 6\lover all gone clay aiken.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\only fooling myself kate dont.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\undone kat tingey.mp3
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross - greatest hits.wma
c:\documents and settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross.mp3
c:\program files\AIM\Sysfiles\WxBug.EXE
c:\windows\SYSTEM32\AMu6E.exe
c:\windows\SYSTEM32\ARe0J.exe
c:\windows\SYSTEM32\Bnd4r.exe
c:\windows\SYSTEM32\BOCo2.exe
c:\windows\SYSTEM32\Br6yj.exe
c:\windows\SYSTEM32\CZ9Al.exe
c:\windows\SYSTEM32\DBe9U.exe
c:\windows\SYSTEM32\DINl6.exe
c:\windows\SYSTEM32\eEt3p.exe
c:\windows\SYSTEM32\eka3N.exe
c:\windows\SYSTEM32\EnVq2.exe
c:\windows\SYSTEM32\FCTv9.exe
c:\windows\SYSTEM32\fJz8F.exe
c:\windows\SYSTEM32\fU09Q.exe
c:\windows\SYSTEM32\GTDownDE_87.ocx
c:\windows\SYSTEM32\huVd2.exe
c:\windows\SYSTEM32\jj3UH.exe
c:\windows\SYSTEM32\KAi1b.exe
c:\windows\SYSTEM32\KeK99.exe
c:\windows\SYSTEM32\KUp5d.exe
c:\windows\SYSTEM32\KXi8k.exe
c:\windows\SYSTEM32\lVn3F.exe
c:\windows\SYSTEM32\m7YQB.exe
c:\windows\SYSTEM32\MEw5F.exe
c:\windows\SYSTEM32\mph5H.exe
c:\windows\SYSTEM32\Mtpt3.exe
c:\windows\SYSTEM32\NdXi7.exe
c:\windows\SYSTEM32\O6YJm.exe
c:\windows\SYSTEM32\OCb6x.exe
c:\windows\SYSTEM32\oEx6J.exe
c:\windows\SYSTEM32\OXf8J.exe
c:\windows\SYSTEM32\Qp2mm.exe
c:\windows\SYSTEM32\R9XWo.exe
c:\windows\SYSTEM32\rHb2r.exe
c:\windows\SYSTEM32\slZy8.exe
c:\windows\SYSTEM32\SNQb0.exe
c:\windows\SYSTEM32\sq1N9.exe
c:\windows\SYSTEM32\StRy8.exe
c:\windows\SYSTEM32\t4Fe7.exe
c:\windows\SYSTEM32\TLWr7.exe
c:\windows\SYSTEM32\v8MPu.exe
c:\windows\SYSTEM32\VDz4L.exe
c:\windows\SYSTEM32\VXsJ7.exe
c:\windows\SYSTEM32\WEa3J.exe
c:\windows\SYSTEM32\wkKd9.exe
c:\windows\SYSTEM32\wRl8h.exe
c:\windows\SYSTEM32\WtKi4.exe
c:\windows\SYSTEM32\wUq71.exe
c:\windows\SYSTEM32\xERu5.exe
c:\windows\SYSTEM32\xwP6D.exe
c:\windows\SYSTEM32\ybert.exe
c:\windows\SYSTEM32\yJyV6.exe
c:\windows\SYSTEM32\YLUf0.exe
c:\windows\SYSTEM32\zc6LX.exe
c:\windows\SYSTEM32\zIs8h.exe
c:\windows\SYSTEM32\zWAc7.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-15 to 2010-07-15 )))))))))))))))))))))))))))))))
.

2010-07-15 17:11 . 2010-07-15 17:11 -------- d-----w- c:\program files\uTorrent
2010-07-15 17:11 . 2010-07-15 17:11 -------- d-----w- c:\program files\DNA
2010-07-15 17:10 . 2010-07-15 17:11 -------- d-----w- c:\program files\BitBlinder
2010-07-15 17:10 . 2010-07-15 17:10 -------- d-----w- c:\documents and settings\All\Application Data\uTorrent
2010-07-14 04:08 . 2010-07-14 04:08 -------- d-----w- c:\program files\ESET
2010-07-14 03:10 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-07 01:28 . 2010-07-07 16:43 -------- d-----w- c:\windows\system32\NtmsData
2010-06-29 16:10 . 2010-06-29 16:10 -------- d-----w- c:\documents and settings\All\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-09 01:48 . 2008-10-10 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-07 23:48 . 2007-06-24 19:35 -------- d-----w- c:\program files\Music Rescue
2010-06-29 02:07 . 2008-09-02 01:01 -------- d-----w- c:\program files\Alliance
2010-06-14 14:30 . 2002-08-29 11:00 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-26 23:41 . 2004-02-04 01:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-17 20:03 . 2010-05-17 20:03 -------- d-----w- c:\program files\DVDStyler
2010-05-12 22:29 . 2009-09-19 00:42 54408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 17:20 . 2005-10-21 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2002-08-29 11:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-04-24 18:37 . 2010-04-24 18:37 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.1.0.79\SetupAdmin.exe
2010-04-23 15:59 . 2010-04-23 15:59 128682 ----a-w- c:\documents and settings\All\Application Data\Yamb\Uninstall.exe
2010-04-22 01:45 . 2010-04-22 01:45 25214 ----a-r- c:\documents and settings\All\Application Data\Microsoft\Installer\{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}\_E38944F26F8D876B004311.exe
2010-04-22 01:45 . 2010-04-22 01:45 10398 ----a-r- c:\documents and settings\All\Application Data\Microsoft\Installer\{C1FCDCA1-2759-4E5E-84EE-3A665BB2F513}\_6FA99008F6BBB97A091E2D.exe
2010-04-20 05:51 . 2002-08-29 11:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-17 21:26 . 2010-04-17 21:26 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.22.7\SetupAdmin.exe
2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r- c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r- c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r- c:\windows\SYSTEM32\cygz.dll
2006-05-03 09:06 . 2008-05-30 22:24 163328 --sha-r- c:\windows\SYSTEM32\flvDX.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\SYSTEM32\i420vfw.dll
2007-02-21 10:47 . 2008-05-30 22:24 31232 --sha-r- c:\windows\SYSTEM32\msfDX.dll
2007-12-17 12:43 . 2008-05-30 22:24 27648 --sha-w- c:\windows\SYSTEM32\Smab0.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r- c:\windows\SYSTEM32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-25 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-27 185896]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 303104]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"eBook Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2009-11-24 906640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All^Start Menu^Programs^Startup^Alliance background mode.lnk]
path=c:\documents and settings\All\Start Menu\Programs\Startup\Alliance background mode.lnk
backup=c:\windows\pss\Alliance background mode.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\All\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2006-08-01 19:35 67112 ----a-w- c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\AOL\1135224883\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2005-09-22 23:29 303104 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2003-08-22 00:40 135168 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2006-01-11 17:05 212992 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-27 19:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 37376 -c--a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135224883\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135224883\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 LTower;LEGO USB Tower Driver;c:\windows\SYSTEM32\DRIVERS\LTower.sys [12/28/2004 11:22 AM 36981]
S3 PRSUSB;Sony Reader;c:\windows\SYSTEM32\DRIVERS\PRSUSB.sys [2/3/2009 1:57 PM 18944]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\na5uvgt8.default\
FF - plugin: c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\na5uvgt8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-15 13:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-15 13:30:55
ComboFix-quarantined-files.txt 2010-07-15 17:30
ComboFix2.txt 2010-07-14 03:51
ComboFix3.txt 2010-07-12 21:58
C:\DeQuarantine.txt

Pre-Run: 12,854,886,400 bytes free
Post-Run: 12,751,577,088 bytes free

- - End Of File - - 374EFDFE969122330D4C92F0EFB398EE



Here is the MBAM log

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4316

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

7/15/2010 9:27:10 PM
mbam-log-2010-07-15 (21-27-10).txt

Scan type: Full scan (C:\|E:\|F:\|)
Objects scanned: 277984
Time elapsed: 4 hour(s), 0 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\EWABQAF7KL (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\All\Local Settings\Application Data\yjqmjlscn\fvufxqgtssd.exe.vir (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\Apyqya.exe.vir (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\KBDMPR.dll.vir (Trojan.Hiloti) -> Quarantined and deleted successfully.
Old 07-15-2010, 09:47 PM   #11
Security Team
Analyst

Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit

Hello jamisonsalamand ,

Well done. We are almost at the end. Any issue with the registry restore after the ComboFix step?

Check list of quarantined files
  • Go to Start > Run.... Copy and paste the following text into the white box:
    Code:
    C:\QooBox\ComboFix-quarantined-files.txt
  • Click OK and a log will open.
  • Please post the contents of that log.

--------------------

Your Firefox browser is outdated. Older versions have security vulnerabilities that can be exploited.

Please update your Firefox browser to the latest. You may need to use Internet Explorer temporarily for this, or download the program first before continuing the uninstall step.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

Mozilla Firefox (3.0.19)
  • Go to the Mozilla Firefox download page. Click here.
  • Click on the Free Download button and save the setup file to a convenient location.
  • Double click on the setup file and follow the steps accordingly.

--------------------

Your Java Runtime Environment is outdated. Older versions have security vulnerabilities that can be exploited.

Please update JRE to the latest.
It is important that you uninstall any previous versions by using Add/Remove Programs in your Control Panel before installing a newer version. Please uninstall:

J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 7

  • Go to the Java SE download page. Click here.
  • Look for JDK 6 Update 21 (JDK or JRE). Click the Download JRE button to the right.
  • Select Windows from the drop-down list for Platform.
  • Check I agree to the Java SE Runtime Environment 6u21 with JavaFX 1 License Agreement after reading it, and click Continue >>. The page will refresh.
  • Under the Windows Offline Installation title, click on the link which says jre-6u21-windows-i586.exe and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Then, from your desktop, double click on the download to install the newest version. Reboot your computer.

--------------------

Please post back:
1. the log of ComboFix quarantined files
2. fresh DDS logs (DDS.txt and Attach.txt)
3. Any more problems?
Old 07-16-2010, 07:18 AM   #12
Registered Member

Join Date: Jul 2010
Posts: 19
OS: XP

There haven't been any more problems; my computer has been acting fine. If these are the final steps, then I'll say thank you very much for the help. I am quite grateful for what you've done! The Attach.txt shows the older versions of Java and Firefox because I am updating those after I post this.


DDS log

DDS (Ver_10-03-17.01) - NTFSx86
Run by All at 9:35:35.03 on Fri 07/16/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1644 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\mcupdate.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [eBook Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135780814625
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\all\applic~1\mozilla\firefox\profiles\na5uvgt8.default\
FF - plugin: c:\documents and settings\all\application data\mozilla\firefox\profiles\na5uvgt8.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-22 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-22 122368]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2004-12-28 36981]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-22 245760]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2009-2-3 18944]

=============== Created Last 30 ================

2010-07-15 17:52:03 0 d-----w- c:\docume~1\all\applic~1\Malwarebytes
2010-07-15 17:51:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 17:51:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 17:51:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-15 17:51:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-15 17:11:59 0 d-----w- c:\program files\uTorrent
2010-07-15 17:11:58 0 d-----w- c:\program files\DNA
2010-07-15 17:10:53 0 d-----w- c:\program files\BitBlinder
2010-07-15 17:10:38 0 d-----w- c:\docume~1\all\applic~1\uTorrent
2010-07-15 17:10:35 1308 ----a-w- C:\CF-Submit.htm
2010-07-14 04:08:09 0 d-----w- c:\program files\ESET
2010-07-14 03:10:47 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 21:19:51 0 d-sha-r- C:\cmdcons
2010-07-12 21:14:41 98816 ----a-w- c:\windows\sed.exe
2010-07-12 21:14:41 77312 ----a-w- c:\windows\MBR.exe
2010-07-12 21:14:41 256512 ----a-w- c:\windows\PEV.exe
2010-07-12 21:14:41 161792 ----a-w- c:\windows\SWREG.exe
2010-07-09 01:16:52 0 ----a-w- c:\documents and settings\all\tasklist.rtf
2010-07-07 01:28:30 0 d-----w- c:\windows\system32\NtmsData
2010-06-29 16:10:24 0 d-----w- c:\docume~1\all\applic~1\Thinstall

==================== Find3M ====================

2010-05-12 22:29:48 54408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:51:20 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:51:20 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2005-07-14 17:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 0954 163328 --sha-r- c:\windows\system32\flvDX.dll
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 12:43:00 27648 --sha-w- c:\windows\system32\Smab0.dll
2005-02-28 18:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 9:37:23.50 ===============
Attached Files
File Type: txt Attach.txt (17.7 KB, 25 views)
File Type: txt ComboFix-quarantined-files.txt (247.9 KB, 17 views)
jamisonsalamand is offline  
Old 07-17-2010, 06:28 AM   #13
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand ,

Please upload the following zip file to this upload channel and follow the steps accordingly:

C:\Qoobox\Quarantine\[4]-Submit_2010-07-15_13.07.23.zip

You will be taken to a new post page (at a different forum). Please fill in the necessary details and provide a link to this topic.
  • In the Name box, type in your name.
  • In the Email box, type in your email address.
  • In the Subject box, copy and paste the following text into it:
    Code:
    File for analysis from TSF: C:\Qoobox\Quarantine\[4]-Submit_2010-07-15_13.07.23.zip
  • In the big text box, copy and paste the following text into it:
    Code:
    Link to log: https://www.techsupportforum.com/f100/virus-processes-appeared-after-i-opened-a-file-i-downloaded-495860.html#post2806644
  • Type in the Visual verification.
  • Click on Browse and find the following file:
    Code:
    C:\Qoobox\Quarantine\[4]-Submit_2010-07-15_13.07.23.zip
  • Press OK and Post.

When you are done, please let me know so that I can check, and I will provide you some tips and recommendations after that.
Jack&Jill is offline  
Old 07-17-2010, 08:18 PM   #14
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



The file uploaded to that site.
I have a slight issue that's appeared since I've started using the computer again, however. Since I went back to normal use yesterday, the computer will occasionally have moments where the mouse lags and everything starts going considerably slow. Task Manager will say the CPU is at 100%, and it'll keep going this slow for long enough to be annoying. It will happen at moments when the computer shouldn't be going slow in the slightest and shouldn't be at 100%, compared to how it used to perform. I don't know if it has anything to do with this work we've done, or why it might be suddenly occurring.
jamisonsalamand is offline  
Old 07-17-2010, 08:40 PM   #15
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



Now that I've used the computer more, it seems like it is almost always running as slow as I mentioned in the above post.
jamisonsalamand is offline  
Old 07-18-2010, 09:03 AM   #16
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand ,

Thank you for uploading the file.

For your slowness problem, let's check one more time. When you say going back to normal use, what are you actually doing and what programs are you running?

Your disk space is a little low. It could have a slowing effect.
Quote:
C: is FIXED (NTFS) - 74 GiB total, 11.855 GiB free.
--------------------

Please download ATF (Atribune Temp File) Cleaner© by Atribune from one of the links below and save it to your desktop.

Link 1
Link 2
Link 3

Run ATF Cleaner
  • Double-click ATF Cleaner.exe to open it.
  • Click Run if prompted.
  • At the bottom of the list, check (tick) Select All.
  • Note: If you would like to keep your cookies, please uncheck this option as it will remove all cookies, including the useful ones you may want to keep.
  • Then click the Empty Selected button.
  • Firefox:
    • Click Firefox at the top and choose: Select All. Uncheck the cookies option if you want to keep them.
    • Click the Empty Selected button.
    • Note: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.

--------------------

Do an online scan with Kaspersky Online Scanner.
Please be patient as scanning will take quite some time. If you have problems running the scan, you might want to disable any real-time protection that you have.
  • Click here to go to Kaspersky Online Scanner page.
  • Read through the requirements and privacy statement and click on the Accept button.
  • Download and installation of the scanner and virus definitions will begin. If prompted to install from Kaspersky, please proceed.
  • When the downloads have finished, click on Settings on the lower left of the window.
  • Make sure all these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan tab to start scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place as KasperskyScan.txt. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Post the contents of that report in your reply.

--------------------

Please post back:
1. the answers to my questions
2. the Kaspersky online scan result
3. fresh DDS logs (DDS.txt and Attach.txt)
Jack&Jill is offline  
Old 07-20-2010, 09:42 AM   #17
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



I deleted 30GB of stuff from the C drive, but it didn't help any with the problem. However, I do think it had something to do with uTorrent trying to recheck three very large files all at once. It hadn't happened before so I didn't guess it, but I removed the torrents and it has been fine since then. Normal use is using Firefox and uTorrent seeding with the window hidden. I'm gonna say the problem is solved now.

Here's the Kaspersky log

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, July 20, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, July 19, 2010 21:31:18
Records in database: 4228926
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 146700
Threats found: 12
Infected objects found: 76
Suspicious objects found: 0
Scan duration: 06:50:45


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-4aa77bde.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\6.0\52\66b0bd34-591ae3dc.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1ab034e7-42062214.zip.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-29ffee3e.zip.vir Infected: Exploit.Java.Gimsh.b 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\good things bodeans.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.aa 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\Desktop\Chelsea's Temporary Music folder\from playlist dot com\stitched up herbie hancock [160k quality].mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-3545425-good things bodeans.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Incomplete\Preview-T-5868257-cyborg slayers dethklok (new album).mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\cyborg slayers dethklok (new album).mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\day of rain thriving ivory.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.r 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\dynamo of volition jason mraz - greatest hits.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.n 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\eric hutchinson sounds like sexy girl has shaking orgasm during sex.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.e 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\good things bodeans.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.u 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\June 10\Prodigy, the - breathe.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\may 6\lover all gone clay aiken.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\only fooling myself kate dont.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\undone kat tingey.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross - greatest hits.wma.vir Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\Qoobox\Quarantine\C\Documents and Settings\All\My Documents\Lindsay's stuff\music\Lemonrope\you without me eddie tadross.mp3.vir Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gtky.exe.vir Infected: Trojan-Dropper.Win32.Stabs.atw 1
C:\Qoobox\Quarantine\[4]-Submit_2010-07-15_13.07.23.zip Infected: Trojan.Win32.Buzus.bmct 55
C:\WINDOWS\SYSTEM32\Setup\svchost.exe Infected: Packed.Win32.Krap.hm 1

Selected area has been scanned.


Here's the DDS log

DDS (Ver_10-03-17.01) - NTFSx86
Run by All at 12:38:51.50 on Tue 07/20/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1595 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\All\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
uURLSearchHooks: AOLTBSearch Class: {ea756889-2338-43db-8f07-d1ca6fb9c90d} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AOL Toolbar Launcher: {7c554162-8cb7-45a4-b8f4-8ea1c75885f9} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AOL Toolbar: {de9c389f-3316-41a7-809b-aa305ed9d922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: AIM Search: {40d41a8b-d79b-43d7-99a7-9ee0f344c385} - c:\program files\aim toolbar\AIMBar.dll
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Lexmark X74-X75] "c:\program files\lexmark x74-x75\lxbbbmgr.exe"
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [MCUpdateExe] c:\progra~1\mcafee.com\agent\McUpdate.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [MCAgentExe] c:\progra~1\mcafee.com\agent\McAgent.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [eBook Library Launcher] c:\program files\sony\reader\data\bin\launcher\Reader Library Launcher.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
IE: &AIM Search - c:\program files\aim toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-us\local\search.html
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {3369AF0D-62E9-4bda-8103-B4C75499B578} - {DE9C389F-3316-41A7-809B-AA305ED9D922} - c:\program files\aol\aol toolbar 2.0\aoltb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135780814625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\all\applic~1\mozilla\firefox\profiles\na5uvgt8.default\
FF - plugin: c:\documents and settings\all\application data\mozilla\firefox\profiles\na5uvgt8.default\extensions\[email protected]\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\musicnotes\npmusicn.dll
FF - plugin: c:\program files\musicnotes\NPSibelius.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\sony\reader\data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R2 McDetect.exe;McAfee WSC Integration;c:\program files\mcafee.com\agent\Mcdetect.exe [2005-12-22 126976]
R2 McTskshd.exe;McAfee Task Scheduler;c:\progra~1\mcafee.com\agent\mctskshd.exe [2005-12-22 122368]
S3 LTower;LEGO USB Tower Driver;c:\windows\system32\drivers\LTower.sys [2004-12-28 36981]
S3 mcupdmgr.exe;McAfee SecurityCenter Update Manager;c:\progra~1\mcafee.com\agent\mcupdmgr.exe [2005-12-22 245760]
S3 PRSUSB;Sony Reader;c:\windows\system32\drivers\PRSUSB.sys [2009-2-3 18944]

=============== Created Last 30 ================

2010-07-20 16:29:57 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-19 03:14:47 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard Entertainment
2010-07-18 19:44:38 0 d-----w- c:\docume~1\alluse~1\applic~1\Blizzard
2010-07-18 19:41:14 0 d-----w- c:\program files\common files\Blizzard Entertainment
2010-07-15 17:52:03 0 d-----w- c:\docume~1\all\applic~1\Malwarebytes
2010-07-15 17:51:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 17:51:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 17:51:46 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-15 17:51:46 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-15 17:11:59 0 d-----w- c:\program files\uTorrent
2010-07-15 17:11:58 0 d-----w- c:\program files\DNA
2010-07-15 17:10:53 0 d-----w- c:\program files\BitBlinder
2010-07-15 17:10:38 0 d-----w- c:\docume~1\all\applic~1\uTorrent
2010-07-15 17:10:35 1308 ----a-w- C:\CF-Submit.htm
2010-07-14 04:08:09 0 d-----w- c:\program files\ESET
2010-07-14 03:10:47 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-12 21:19:51 0 d-sha-r- C:\cmdcons
2010-07-12 21:14:41 98816 ----a-w- c:\windows\sed.exe
2010-07-12 21:14:41 77312 ----a-w- c:\windows\MBR.exe
2010-07-12 21:14:41 256512 ----a-w- c:\windows\PEV.exe
2010-07-12 21:14:41 161792 ----a-w- c:\windows\SWREG.exe
2010-07-09 01:16:52 0 ----a-w- c:\documents and settings\all\tasklist.rtf
2010-07-07 01:28:30 0 d-----w- c:\windows\system32\NtmsData
2010-06-29 16:10:24 0 d-----w- c:\docume~1\all\applic~1\Thinstall

==================== Find3M ====================

2010-05-12 22:29:48 54408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 12:39:27 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-04 12:39:27 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-05-02 05:56:34 1850880 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:56:34 1850880 ------w- c:\windows\system32\dllcache\win32k.sys
2005-07-14 17:31:20 27648 --sha-r- c:\windows\system32\AVSredirect.dll
2005-06-26 20:32:28 616448 --sha-r- c:\windows\system32\cygwin1.dll
2005-06-22 03:37:42 45568 --sha-r- c:\windows\system32\cygz.dll
2006-05-03 0954 163328 --sha-r- c:\windows\system32\flvDX.dll
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\i420vfw.dll
2007-02-21 10:47:16 31232 --sha-r- c:\windows\system32\msfDX.dll
2007-12-17 12:43:00 27648 --sha-w- c:\windows\system32\Smab0.dll
2005-02-28 18:16:22 240128 --sha-r- c:\windows\system32\x.264.exe
2004-01-25 05:00:00 70656 --sha-r- c:\windows\system32\yv12vfw.dll

============= FINISH: 12:39:57.01 ===============
Attached Files
File Type: txt Attach.txt (18.2 KB, 42 views)
jamisonsalamand is offline  
Old 07-20-2010, 07:07 PM   #18
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand ,

A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use. Do not mouse click on ComboFix while it is running. That may cause it to stall.

Run ComboFix script
  • Please temporarily disable the real-time protection of any antivirus, antispyware or antimalware programs when running ComboFix. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here and here.
  • Open Notepad. Copy and paste the following text into it:
    Code:
    https://www.techsupportforum.com/f100/virus-processes-appeared-after-i-opened-a-file-i-downloaded-495860.html#post2812746
    Collect::
    C:\WINDOWS\SYSTEM32\Setup\svchost.exe
  • Save it as CFScript.txt at the desktop. Make sure the Save as type: is All Files (*.*).


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update, please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • ComboFix will also ask to upload some bad files for analysis. Please follow the steps accordingly.
  • When finished, a log will be produced as C:\ComboFix.txt. Copy and paste the contents of the log in your next reply.
  • If you lose Internet connection after running ComboFix, right click on the network icon at the system tray and select Repair, or you can reboot the computer.
  • Re-enable your security software as soon as you have completed the ComboFix steps.

--------------------

The remainder of the online scan's findings include backups that were created during the course of this fix.

We shall be taking care of them during the final cleanup.

--------------------

Check for additional security risks
  • Please download CKScanner© by askey127 and save to your desktop. Click here.
  • Double click on CKScanner.exe and click Search For Files.
  • After a very short time, when the cursor hourglass disappears, click Save List To File. You will be prompted; click OK.
  • Post the contents of ckfiles.txt (located on your desktop) in your reply.

--------------------

Please post back:
1. ComboFix log
2. CKScanner log
Jack&Jill is offline  
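As an added illustration of the triage the analyst describes above (everything under C:\Qoobox\Quarantine is a ComboFix backup of something already removed, which leaves C:\WINDOWS\SYSTEM32\Setup\svchost.exe as the one live finding that still needs collecting), here is a small Python script that is not part of this thread or of any tool it mentions. It parses the "File name / Threat / Threats count" lines of a Kaspersky Online Scanner report, separates quarantine backups from live detections, and flags a core Windows binary name sitting outside its normal directory; the sample lines are copied from the report posted above, while the sets of system directories and binary names are assumptions of this example.

```python
"""Triage helper for a Kaspersky Online Scanner report (added example, not a tool from this thread).

It reproduces the analyst's reasoning: detections under the ComboFix quarantine
folder are backups of files already removed, so only the remaining entries are
"live" findings that still need action.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List

# ComboFix keeps quarantined copies (with a .vir suffix) under this folder.
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# Where these Windows XP binaries legitimately live (assumption for this example;
# a real check would also verify the file's signature and hash).
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "explorer.exe", "services.exe"}

# Sample lines copied from the Kaspersky report posted in this thread (abridged).
SAMPLE_REPORT = r"""
File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\gtky.exe.vir Infected: Trojan-Dropper.Win32.Stabs.atw 1
C:\Qoobox\Quarantine\[4]-Submit_2010-07-15_13.07.23.zip Infected: Trojan.Win32.Buzus.bmct 55
C:\WINDOWS\SYSTEM32\Setup\svchost.exe Infected: Packed.Win32.Krap.hm 1

Selected area has been scanned.
"""

# One detection per line: "<path> Infected: <threat name> <count>"; paths may contain
# spaces, so the path is matched lazily up to the verdict keyword.
FINDING_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


@dataclass
class Finding:
    path: str
    verdict: str
    threat: str
    count: int


def parse_report(text: str) -> List[Finding]:
    """Extract one Finding per detection line; header and status lines are skipped."""
    findings = []
    for line in text.splitlines():
        match = FINDING_RE.match(line.strip())
        if match:
            findings.append(Finding(match["path"], match["verdict"],
                                    match["threat"], int(match["count"])))
    return findings


def is_quarantine_backup(path: str) -> bool:
    """True for copies ComboFix already moved out of their original location."""
    return path.lower().startswith(QUARANTINE_PREFIX)


def is_masquerading_system_binary(path: str) -> bool:
    """A core OS file name in a directory where that binary never lives,
    e.g. ...\\system32\\Setup\\svchost.exe instead of ...\\system32\\svchost.exe."""
    name = ntpath.basename(path).lower()
    parent = ntpath.dirname(path).lower()
    return name in SYSTEM_BINARIES and parent not in SYSTEM_DIRS


def triage(findings: List[Finding]) -> Dict[str, List[Finding]]:
    """Split findings into quarantine backups, live detections and, among the live
    ones, system-binary names found outside their normal directory."""
    result: Dict[str, List[Finding]] = {"backups": [], "live": [], "masquerading": []}
    for finding in findings:
        if is_quarantine_backup(finding.path):
            result["backups"].append(finding)
            continue
        result["live"].append(finding)
        if is_masquerading_system_binary(finding.path):
            result["masquerading"].append(finding)
    return result


if __name__ == "__main__":
    report = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(report['backups'])} quarantine backup(s) need no further action")
    for finding in report["live"]:
        tag = " (system binary name outside its normal directory)" \
            if finding in report["masquerading"] else ""
        print(f"LIVE: {finding.path} -> {finding.threat}{tag}")
```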
Old 07-21-2010, 10:04 PM   #19
Registered Member
 
Join Date: Jul 2010
Posts: 19
OS: XP



ComboFix 10-07-12.02 - All 07/22/2010 0:01.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1544 [GMT -4:00]
Running from: c:\documents and settings\All\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\All\Desktop\CFScript.txt
.
- REDUCED FUNCTIONALITY MODE -

file zipped: c:\windows\SYSTEM32\Setup\svchost.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SYSTEM32\Setup\svchost.exe

.
((((((((((((((((((((((((( Files Created from 2010-06-22 to 2010-07-22 )))))))))))))))))))))))))))))))
.

2010-07-20 16:29 . 2010-07-20 16:29 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-19 03:14 . 2010-07-19 04:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard Entertainment
2010-07-18 19:44 . 2010-07-18 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Blizzard
2010-07-18 19:41 . 2010-07-18 23:09 -------- d-----w- c:\program files\Common Files\Blizzard Entertainment
2010-07-15 17:52 . 2010-07-15 17:52 -------- d-----w- c:\documents and settings\All\Application Data\Malwarebytes
2010-07-15 17:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-15 17:51 . 2010-07-15 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-15 17:51 . 2010-07-15 17:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-15 17:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-15 17:11 . 2010-07-15 17:11 -------- d-----w- c:\program files\uTorrent
2010-07-15 17:11 . 2010-07-15 17:11 -------- d-----w- c:\program files\DNA
2010-07-15 17:10 . 2010-07-15 17:11 -------- d-----w- c:\program files\BitBlinder
2010-07-15 17:10 . 2010-07-22 04:01 -------- d-----w- c:\documents and settings\All\Application Data\uTorrent
2010-07-14 04:08 . 2010-07-14 04:08 -------- d-----w- c:\program files\ESET
2010-07-14 03:10 . 2010-06-14 14:30 743936 ------w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-07 01:28 . 2010-07-07 16:43 -------- d-----w- c:\windows\system32\NtmsData
2010-06-29 16:10 . 2010-06-29 16:10 -------- d-----w- c:\documents and settings\All\Application Data\Thinstall

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-20 16:30 . 2004-02-04 01:17 -------- d-----w- c:\program files\Common Files\Java
2010-07-20 16:29 . 2004-02-04 01:17 -------- d-----w- c:\program files\Java
2010-07-09 01:48 . 2008-10-10 21:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-07-07 23:48 . 2007-06-24 19:35 -------- d-----w- c:\program files\Music Rescue
2010-06-29 02:07 . 2008-09-02 01:01 -------- d-----w- c:\program files\Alliance
2010-06-14 14:30 . 2002-08-29 11:00 743936 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\helpsvc.exe
2010-05-26 23:41 . 2004-02-04 01:28 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-12 22:29 . 2009-09-19 00:42 54408 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-04 17:20 . 2005-10-21 17:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 17:20 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-04 17:20 . 2002-08-29 11:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-05-02 05:56 . 2002-08-29 11:00 1850880 ----a-w- c:\windows\system32\win32k.sys
2005-07-14 17:31 . 2005-07-14 17:31 27648 --sha-r- c:\windows\SYSTEM32\AVSredirect.dll
2005-06-26 20:32 . 2005-06-26 20:32 616448 --sha-r- c:\windows\SYSTEM32\cygwin1.dll
2005-06-22 03:37 . 2005-06-22 03:37 45568 --sha-r- c:\windows\SYSTEM32\cygz.dll
2006-05-03 09:06 . 2008-05-30 22:24 163328 --sha-r- c:\windows\SYSTEM32\flvDX.dll
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\SYSTEM32\i420vfw.dll
2007-02-21 10:47 . 2008-05-30 22:24 31232 --sha-r- c:\windows\SYSTEM32\msfDX.dll
2007-12-17 12:43 . 2008-05-30 22:24 27648 --sha-w- c:\windows\SYSTEM32\Smab0.dll
2005-02-28 18:16 . 2005-02-28 18:16 240128 --sha-r- c:\windows\SYSTEM32\x.264.exe
2004-01-25 05:00 . 2004-01-25 05:00 70656 --sha-r- c:\windows\SYSTEM32\yv12vfw.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"DVDSentry"="c:\windows\System32\DSentry.exe" [2003-08-13 28672]
"PCMService"="c:\program files\Dell\Media Experience\PCMService.exe" [2003-08-27 204800]
"Lexmark X74-X75"="c:\program files\Lexmark X74-X75\lxbbbmgr.exe" [2002-06-25 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 28672]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-27 185896]
"MCAgentExe"="c:\progra~1\McAfee.com\Agent\McAgent.exe" [2005-09-22 303104]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"eBook Library Launcher"="c:\program files\Sony\Reader\Data\bin\launcher\Reader Library Launcher.exe" [2009-11-24 906640]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak software updater.lnk
backup=c:\windows\pss\Kodak software updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All^Start Menu^Programs^Startup^Alliance background mode.lnk]
path=c:\documents and settings\All\Start Menu\Programs\Startup\Alliance background mode.lnk
backup=c:\windows\pss\Alliance background mode.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=c:\documents and settings\All\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=c:\windows\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2006-08-01 19:35 67112 ----a-w- c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
2008-12-19 20:32 342848 ----a-w- c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 -c--a-w- c:\program files\Common Files\AOL\1135224883\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-03-26 05:10 142120 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
2005-09-22 23:29 303104 ----a-w- c:\progra~1\McAfee.com\Agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McRegWiz]
2003-08-22 00:40 135168 ----a-w- c:\progra~1\McAfee.com\Agent\mcregwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
2006-01-11 17:05 212992 ----a-w- c:\progra~1\McAfee.com\Agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 01:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2008-06-10 08:27 144784 -c--a-w- c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-01-27 19:20 185896 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-01-15 22:54 37376 -c--a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Linksys Wireless-G USB Wireless Network Monitor\\InvokeSvc2.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135224883\\ee\\AOLServiceHost.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Common Files\\AOL\\1135224883\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"e:\\World of Warcraft\\WoW-3.2.0-enGB-downloader.exe"=
"e:\\World of Warcraft\\Launcher.exe"=
"e:\\World of Warcraft\\WoW.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S3 LTower;LEGO USB Tower Driver;c:\windows\SYSTEM32\DRIVERS\LTower.sys [12/28/2004 11:22 AM 36981]
S3 PRSUSB;Sony Reader;c:\windows\SYSTEM32\DRIVERS\PRSUSB.sys [2/3/2009 1:57 PM 18944]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = about:blank
IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm
IE: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
FF - ProfilePath - c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\na5uvgt8.default\
FF - plugin: c:\documents and settings\All\Application Data\Mozilla\Firefox\Profiles\na5uvgt8.default\extensions\[email protected]\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Musicnotes\npmusicn.dll
FF - plugin: c:\program files\Musicnotes\NPSibelius.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Sony\Reader\Data\bin\npebldetectmoz.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2010-07-22 00:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-07-22 00:15:14
ComboFix-quarantined-files.txt 2010-07-22 04:14
ComboFix2.txt 2010-07-15 17:30
ComboFix3.txt 2010-07-14 03:51
ComboFix4.txt 2010-07-12 21:58

Pre-Run: 37,726,248,960 bytes free
Post-Run: 37,913,223,168 bytes free

- - End Of File - - 5D6FE77609037E82E62582930422C5A5
Upload was successful


CKScanner log

CKScanner - Additional Security Risks - These are not necessarily bad
c:\documents and settings\all\desktop\everyones folders\data\effect\ska\cracker\cracker.aml
c:\documents and settings\all\desktop\everyones folders\data\effect\ska\cracker\cracker.bm
c:\documents and settings\all\desktop\everyones folders\data\effect\ska\cracker\cracker.bmc
c:\documents and settings\all\desktop\everyones folders\data\effect\ska\cracker\cracker.smc
c:\documents and settings\all\desktop\everyones folders\data\effect\ska\cracker\cracker.tex
c:\documents and settings\all\desktop\everyones folders\data\effect\texture\crack2.tex
c:\documents and settings\all\desktop\everyones folders\data\effect\texture\n_crack.tex
c:\documents and settings\all\desktop\everyones folders\data\textures\effects\particles\firecracker.tex
c:\program files\gimp-2.0\share\gimp\2.0\patterns\cracked.pat
c:\program files\jasc software inc\paint shop photo album\frames\black crackle.pspframe
c:\program files\jasc software inc\paint shop pro 8\picture frames\black crackle.pspframe
scanner sequence 3.FF.11
----- EOF -----
jamisonsalamand is offline  
Old 07-22-2010, 08:11 AM   #20
Security Team
Analyst
 
Join Date: May 2009
Location: South East Asia
Posts: 447
OS: W7 64-bit



Hello jamisonsalamand ,

The CKScanner log is incomplete. Please post a complete one.
Jack&Jill is offline  
 
