HELP!... PC INFECTED with "Win32/Adware.Virtumonde"!

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

HELP!... PC INFECTED with "Win32/Adware.Virtumonde"!

Options

viral_attack View Member Profile	Oct 30 2008, 09:53 PM Post #1
New Member Posts: 6 OS: xp	there's a dialog box from NOD32 stating that my pc was being infected with a "Win32/Adware.Virtumonde" virus or something... and it's keeping my pc hanging... it said that it's located in: C:\WINDOWS\system32\ddcBTLed.dll although it says that it can be deleted it still pops every now and then.. when i ran the hijackthis it displayed: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:18:52 AM, on 10/31/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Eset\nod32.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Safari\Safari.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [f8b86af5] rundll32.exe "C:\WINDOWS\system32\greuligv.dll",b O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfishgames.com/en_cooking-d...Web.1.0.0.9.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213958372802 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://games.bigfishgames.com/en_chocolati...eb.1.0.0.10.cab O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab O20 - AppInit_DLLs: gyxqtc.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- End of file - 7208 bytes many thanks in advance for those who will be helping!!... This post has been edited by viral_attack*: Oct 30 2008, 09:56 PM

Rorschach112 View Member Profile	Oct 31 2008, 06:16 AM Post #2
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Disable resident protections (Antivirus...); you'll re-enable them after the scan Download Lop S&D < here Double-click Lop S&D.exe Choose the language, then choose Option 1 (Search) Wait till the end of the scan Post the log which is created: (%SystemDrive%\lopR.txt)

viral_attack View Member Profile	Nov 1 2008, 12:13 AM Post #3
New Member Posts: 6 OS: xp	done scanning with lops&d.. here's wat it says: (btw, thanks for fast reply!.. ) --------------------\\ Lop S&D 4.2.4-9b XP/Vista Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3 X86-based PC ( Uniprocessor Free : Intel® Pentium® 4 CPU 1.80GHz ) BIOS : Phoenix - AwardBIOS v6.00PG USER : Vergara ( Administrator ) BOOT : Normal boot Antivirus : ESET NOD32 antivirus system 2.70 2.70 (Activated) A:\ (USB) C:\ (Local Disk) - NTFS - Total:29 Go (Free:10 Go) D:\ (Local Disk) - FAT32 - Total:8 Go (Free:5 Go) E:\ (CD or DVD) F:\ (CD or DVD) "C:\Lop SD" ( MAJ : 01-11-2008\|04:15 ) Option : [1] ( Sat 11/01/2008\|13:39 ) --------------------\\ Listing folders in APPLIC~1 [03/06/2008\|02:42] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities [03/06/2008\|02:53] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft [09/19/2008\|07:17] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6} [08/31/2008\|12:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe [03/23/2008\|09:26] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple [03/23/2008\|09:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer [03/08/2008\|11:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Downloaded Installations [03/07/2008\|07:08] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Genimo [03/06/2008\|03:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft [03/08/2008\|11:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PC Suite [10/11/2008\|01:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> PlayFirst [03/07/2008\|04:44] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Sandlot Games [10/15/2008\|03:36] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP [03/06/2008\|03:20] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage [03/06/2008\|03:33] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! [08/19/2008\|07:07] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Yahoo! Companion [03/06/2008\|02:34] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft [03/06/2008\|03:24] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft [08/25/2008\|01:12] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Adobe [08/25/2008\|01:12] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Macromedia [03/10/2008\|05:45] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft [08/17/2008\|06:53] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Xfire [08/25/2008\|10:10] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Adobe [08/31/2008\|08:08] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> AdobeUM [08/27/2008\|05:42] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Apple Computer [08/20/2008\|01:09] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> com.Multiply.AutoUploader.C7DF09F73C2059D294831784007C5F0856677385.1 [03/12/2008\|03:32] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Datalayer [08/14/2008\|06:18] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> GarageGames [03/07/2008\|07:01] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Genimo [05/18/2008\|06:29] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Help [03/06/2008\|03:15] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Identities [04/05/2008\|07:25] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> InstallShield [10/31/2008\|01:07] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> LimeWire [08/25/2008\|10:10] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Macromedia [09/13/2008\|02:14] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Microsoft [09/10/2008\|04:34] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Nokia [03/20/2008\|11:30] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Nokia Multimedia Player [03/06/2008\|03:35] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Opera [03/08/2008\|11:37] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> PC Suite [10/11/2008\|01:31] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> PlayFirst [06/11/2008\|07:41] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> ShoppingReport [05/18/2008\|05:59] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Sony Corporation [03/09/2008\|11:24] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Sony Ericsson [04/12/2008\|11:35] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Sun [05/16/2008\|02:55] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Syntrillium [03/10/2008\|12:21] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Teleca [04/24/2008\|12:52] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> WinRAR [08/18/2008\|01:17] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Xfire [08/19/2008\|07:07] C:\DOCUME~1\Vergara\APPLIC~1\<DIR> Yahoo! --------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks [08/30/2008 05:45 AM][--a------] C:\WINDOWS\tasks\At1.job [10/24/2008 05:16 PM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job [11/01/2008 10:38 AM][--ah-----] C:\WINDOWS\tasks\SA.DAT [08/23/2001 08:00 PM][-r-h-----] C:\WINDOWS\tasks\desktop.ini --------------------\\ Listing Folders in C:\Program Files [10/15/2008\|04:08] C:\Program Files\<DIR> Adobe [08/26/2008\|08:13] C:\Program Files\<DIR> Apple Software Update [09/19/2008\|05:20] C:\Program Files\<DIR> Bonjour [03/06/2008\|04:41] C:\Program Files\<DIR> Butterfly Escape [05/26/2008\|02:52] C:\Program Files\<DIR> C-Media 3D Audio [10/30/2008\|07:10] C:\Program Files\<DIR> Common Files [03/06/2008\|02:30] C:\Program Files\<DIR> ComPlus Applications [03/08/2008\|11:36] C:\Program Files\<DIR> DIFX [08/30/2008\|12:10] C:\Program Files\<DIR> e-Games [05/18/2008\|08:57] C:\Program Files\<DIR> ESET [03/06/2008\|04:43] C:\Program Files\<DIR> GameHouse [08/17/2008\|04:13] C:\Program Files\<DIR> Games-Masters.com [10/31/2008\|06:21] C:\Program Files\<DIR> Garena [06/21/2008\|12:14] C:\Program Files\<DIR> InstallShield Installation Information [10/17/2008\|02:03] C:\Program Files\<DIR> Internet Explorer [09/19/2008\|07:16] C:\Program Files\<DIR> iPod [09/19/2008\|07:17] C:\Program Files\<DIR> iTunes [08/23/2008\|08:47] C:\Program Files\<DIR> Java [09/25/2008\|06:48] C:\Program Files\<DIR> Level Up [03/06/2008\|09:16] C:\Program Files\<DIR> LimeWire [09/29/2008\|02:30] C:\Program Files\<DIR> Messenger [03/06/2008\|03:28] C:\Program Files\<DIR> Microsoft ActiveSync [03/06/2008\|02:35] C:\Program Files\<DIR> microsoft frontpage [03/06/2008\|03:27] C:\Program Files\<DIR> Microsoft Office [03/06/2008\|03:28] C:\Program Files\<DIR> Microsoft.NET [09/29/2008\|02:22] C:\Program Files\<DIR> Movie Maker [03/06/2008\|02:29] C:\Program Files\<DIR> MSN [03/06/2008\|02:29] C:\Program Files\<DIR> MSN Gaming Zone [03/10/2008\|05:45] C:\Program Files\<DIR> MSXML 4.0 [08/20/2008\|01:09] C:\Program Files\<DIR> Multiply [05/24/2008\|09:56] C:\Program Files\<DIR> MWC [09/29/2008\|02:17] C:\Program Files\<DIR> NetMeeting [03/08/2008\|11:35] C:\Program Files\<DIR> Nokia [08/25/2008\|01:12] C:\Program Files\<DIR> Norton PC Checkup [08/16/2008\|01:07] C:\Program Files\<DIR> OGPlanet [03/06/2008\|02:32] C:\Program Files\<DIR> Online Services [03/06/2008\|04:02] C:\Program Files\<DIR> Opera [09/29/2008\|02:17] C:\Program Files\<DIR> Outlook Express [03/07/2008\|12:00] C:\Program Files\<DIR> Platypus II [09/19/2008\|07:10] C:\Program Files\<DIR> QuickTime [03/06/2008\|04:39] C:\Program Files\<DIR> ReflexiveArcade [08/26/2008\|07:45] C:\Program Files\<DIR> Safari [03/08/2008\|12:36] C:\Program Files\<DIR> ShoppingReport [06/13/2008\|11:05] C:\Program Files\<DIR> Sony [06/13/2008\|11:08] C:\Program Files\<DIR> Sony Handheld [03/07/2008\|04:45] C:\Program Files\<DIR> Super Granny 3 [10/31/2008\|11:17] C:\Program Files\<DIR> Trend Micro [03/06/2008\|02:42] C:\Program Files\<DIR> Uninstall Information [04/26/2008\|12:15] C:\Program Files\<DIR> Veoh Networks [10/31/2008\|06:34] C:\Program Files\<DIR> Warcraft III [03/10/2008\|12:52] C:\Program Files\<DIR> Windows Media Connect 2 [09/29/2008\|02:17] C:\Program Files\<DIR> Windows Media Player [09/29/2008\|02:17] C:\Program Files\<DIR> Windows NT [03/06/2008\|02:32] C:\Program Files\<DIR> WindowsUpdate [03/06/2008\|05:07] C:\Program Files\<DIR> WinRAR [03/06/2008\|02:35] C:\Program Files\<DIR> xerox [08/18/2008\|12:51] C:\Program Files\<DIR> Xfire [03/18/2008\|03:27] C:\Program Files\<DIR> Xilisoft [06/27/2008\|02:54] C:\Program Files\<DIR> XviD [10/30/2008\|07:09] C:\Program Files\<DIR> Yahoo! [04/12/2008\|09:17] C:\Program Files\<DIR> YouTube Downloader [03/08/2008\|10:28] C:\Program Files\<DIR> Zuma Deluxe --------------------\\ Listing Folders in C:\Program Files\Common Files [10/15/2008\|04:15] C:\Program Files\Common Files\<DIR> Adobe [08/20/2008\|01:09] C:\Program Files\Common Files\<DIR> Adobe AIR [03/23/2008\|09:26] C:\Program Files\Common Files\<DIR> Apple [03/06/2008\|03:27] C:\Program Files\Common Files\<DIR> DESIGNER [10/15/2008\|03:56] C:\Program Files\Common Files\<DIR> DVDVideoSoft [04/24/2008\|11:49] C:\Program Files\Common Files\<DIR> INCA Shared [06/21/2008\|12:15] C:\Program Files\Common Files\<DIR> InstallShield [03/06/2008\|04:54] C:\Program Files\Common Files\<DIR> Java [08/26/2008\|03:15] C:\Program Files\Common Files\<DIR> Microsoft Shared [03/06/2008\|02:31] C:\Program Files\Common Files\<DIR> MSSoap [03/08/2008\|11:36] C:\Program Files\Common Files\<DIR> Nokia [03/06/2008\|10:23] C:\Program Files\Common Files\<DIR> ODBC [03/08/2008\|11:36] C:\Program Files\Common Files\<DIR> PCSuite [03/07/2008\|04:44] C:\Program Files\Common Files\<DIR> Sandlot Shared [10/30/2008\|07:10] C:\Program Files\Common Files\<DIR> Scanner [03/06/2008\|02:31] C:\Program Files\Common Files\<DIR> Services [03/06/2008\|10:23] C:\Program Files\Common Files\<DIR> SpeechEngines [08/25/2008\|01:24] C:\Program Files\Common Files\<DIR> Symantec Shared [09/29/2008\|02:17] C:\Program Files\Common Files\<DIR> System [06/27/2008\|02:40] C:\Program Files\Common Files\<DIR> wsm --------------------\\ Process ( 32 Processes ) ... OK ! --------------------\\ Searching with S_Lop No Lop folder found ! --------------------\\ Searching for Lop Files - Folders C:\DOCUME~1\Vergara\Cookies\vergara@advertising[1].txt C:\DOCUME~1\Vergara\Cookies\vergara@adopt.euroclick[2].txt C:\DOCUME~1\Vergara\Cookies\vergara@vegas[2].txt --------------------\\ Searching within the Registry ..... OK ! --------------------\\ Checking the Hosts file Hosts file CLEAN --------------------\\ Searching for hidden files with Catchme catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-01 13:54:25 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden files: 0 --------------------\\ Searching for other infections C:\WINDOWS\Tasks\At1.job C:\WINDOWS\system32\aJQAIkkj.ini C:\WINDOWS\system32\aJQAIkkj.ini2 C:\WINDOWS\system32\pWEKlUtv.ini C:\WINDOWS\system32\pWEKlUtv.ini2 C:\WINDOWS\system32\jkkIAQJa.dll ==> VUNDO <== [F:762][D:26]-> C:\DOCUME~1\Vergara\LOCALS~1\Temp [F:1935][D:0]-> C:\DOCUME~1\Vergara\Cookies [F:16597][D:61]-> C:\DOCUME~1\Vergara\LOCALS~1\TEMPOR~1\content.IE5 1 - "C:\Lop SD\LopR_1.txt" - Sat 11/01/2008\|14:04 - Option : [1] --------------------\\ Scan completed at 14:04:57 wat shall i do next?... thanks again!..

Rorschach112 View Member Profile	Nov 1 2008, 07:13 AM Post #4
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Please download the OTMoveIt3 by OldTimer or from here. Save it to your desktop. Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE :Processes explorer.exe :Services :Reg :Files :Commands [purity] [emptytemp] [start explorer] [Reboot] Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt3 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Download random's system information tool (RSIT) by random/random from here and save it to your desktop. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

viral_attack View Member Profile	Nov 1 2008, 08:28 AM Post #5
New Member Posts: 6 OS: xp	wow!.. really thanks for fast replies... hope it will be resolve soon.. here's what OTMoveIt3 diplayed: ========== PROCESSES ========== Process explorer.exe killed successfully. ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== ========== FILES ========== ========== COMMANDS ========== File delete failed. C:\DOCUME~1\Vergara\LOCALS~1\Temp\Perflib_Perfdata_27c.dat scheduled to be deleted on reboot. File delete failed. C:\DOCUME~1\Vergara\LOCALS~1\Temp\~DF47B1.tmp scheduled to be deleted on reboot. User's Temp folder emptied. User's Temporary Internet Files folder emptied. User's Internet Explorer cache folder emptied. Local Service Temp folder emptied. File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. Local Service Temporary Internet Files folder emptied. Windows Temp folder emptied. Java cache emptied. Temp folders emptied. Explorer started successfully OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11012008_221124 ... and here's what RSIT displayed: Logfile of random's system information tool 1.04 (written by random/random) Run by Vergara at 2008-11-01 22:24:48 Microsoft Windows XP Professional Service Pack 3 System drive C: has 12 GB (41%) free of 30 GB Total RAM: 1023 MB (61% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 10:24:55 PM, on 11/1/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Eset\nod32krn.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Safari\Safari.exe C:\Documents and Settings\Vergara\Desktop\RSIT.exe C:\Program Files\trend micro\Vergara.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: (no name) - {5E1CE584-5E3F-47C8-9C64-15B29EA64849} - C:\WINDOWS\system32\jkkIAQJa.dll O2 - BHO: (no name) - {6690A949-0104-4CE1-9034-14089A75AE07} - C:\WINDOWS\system32\ddcBTLed.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: {9e63bb0a-ac02-40b8-c0f4-b3dce7a85e7d} - {d7e58a7e-cd3b-4f0c-8b04-20caa0bb36e9} - C:\WINDOWS\system32\qiikft.dll O2 - BHO: (no name) - {D82B79FD-230F-45D4-A405-95B683C3FCBF} - C:\WINDOWS\system32\vtUlKEWp.dll (file missing) O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfishgames.com/en_cooking-d...Web.1.0.0.9.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213958372802 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://games.bigfishgames.com/en_chocolati...eb.1.0.0.10.cab O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab O20 - AppInit_DLLs: qiikft.dll O20 - Winlogon Notify: ddcBTLed - C:\WINDOWS\SYSTEM32\ddcBTLed.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- End of file - 7915 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\At1.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}] &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-10-20 817936] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5E1CE584-5E3F-47C8-9C64-15B29EA64849}] C:\WINDOWS\system32\jkkIAQJa.dll [2008-10-30 313344] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6690A949-0104-4CE1-9034-14089A75AE07}] C:\WINDOWS\system32\ddcBTLed.dll [2008-10-27 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d7e58a7e-cd3b-4f0c-8b04-20caa0bb36e9}] C:\WINDOWS\system32\qiikft.dll [2008-11-01 123904] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D82B79FD-230F-45D4-A405-95B683C3FCBF}] C:\WINDOWS\system32\vtUlKEWp.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {D0943516-5076-4020-A3B5-AEFAF26AB263} - Veoh Browser Plug-in - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll [2008-04-18 352256] {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-10-20 817936] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"=RunDll32 cmicnfg.cpl [] "nod32kui"=C:\Program Files\Eset\nod32kui.exe [2008-03-06 949376] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] "PCSuiteTrayApplication"=C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE [2006-06-15 229376] "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696] "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"=C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE [2006-07-31 4617720] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] "Veoh"=C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-08-28 3660848] ""= [] "updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="qiikft.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcBTLed] C:\WINDOWS\system32\ddcBTLed.dll [2008-10-27 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{6690A949-0104-4CE1-9034-14089A75AE07}"=C:\WINDOWS\system32\ddcBTLed.dll [2008-10-27 32768] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "authentication packages"=msv1_0 C:\WINDOWS\system32\jkkIAQJa [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe::Enabled:Yahoo! FT Server" "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe::Enabled:LimeWire" "C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe::Enabled:Garena" "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe::Enabled:Veoh Client" "C:\Documents and Settings\Vergara\My Documents\patrick\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\New Folder\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\New Folder\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\cabalBot\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\cabalBot\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\1.05b\CabalBotPH1.05b\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\1.05b\CabalBotPH1.05b\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\New Folder (3)\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\New Folder (3)\cabalbot.exe::Enabled:HookSrv" "C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe::Enabled:Xfire" "C:\Program Files\Warcraft III\Warcraft III.exe"="C:\Program Files\Warcraft III\Warcraft III.exe::Enabled:Warcraft III" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe::Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe::Enabled:iTunes" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\Documents and Settings\Vergara\My Documents\patrick\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\WoW-BurningCrusade-enUS-Installer-downloader.exe::Disabled:Blizzard Downloader" "C:\Program Files\Games-Masters.com\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe"="C:\Program Files\Games-Masters.com\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe::Disabled:EST! download engine" "C:\Program Files\e-Games\CABAL Online (PH)\launcher\update\ESTdnheadless.exe"="C:\Program Files\e-Games\CABAL Online (PH)\launcher\update\ESTdnheadless.exe::Disabled:EST! download engine" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a4b514-2307-11dd-955c-0008a1994467}] shell\AutoRun\command - w00g.exe shell\explore\command - w00g.exe shell\open\command - w00g.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e1cdcd0-8862-11dd-9671-0008a1994467}] shell\AutoRun\command - bar311.exe %1 shell\Explore\command - bar311.exe %1 shell\Open\command - bar311.exe %1 ======List of files/folders created in the last 1 months====== 2008-11-01 22:23:28 ----DC---- C:\rsit 2008-11-01 22:01:05 ----DC---- C:\_OTMoveIt 2008-11-01 13:33:13 ----DC---- C:\Lop SD 2008-11-01 10:47:35 ----A---- C:\WINDOWS\system32\qiikft.dll 2008-11-01 10:47:30 ----A---- C:\WINDOWS\system32\skhjikje.dll 2008-11-01 10:44:34 ----ASH---- C:\WINDOWS\system32\rlkhcmje.ini 2008-11-01 10:44:31 ----A---- C:\WINDOWS\system32\ejmchklr.dll 2008-10-31 23:42:51 ----ASH---- C:\WINDOWS\system32\nmnsvdcs.ini 2008-10-31 23:42:50 ----N---- C:\WINDOWS\system32\scdvsnmn.dll 2008-10-31 23:39:17 ----A---- C:\WINDOWS\system32\rewspf.dll 2008-10-31 23:39:16 ----A---- C:\WINDOWS\system32\gllkyvho.dll 2008-10-31 11:17:45 ----D---- C:\Program Files\Trend Micro 2008-10-30 19:10:22 ----D---- C:\Program Files\Common Files\Scanner 2008-10-30 18:13:08 ----ASH---- C:\WINDOWS\system32\vgiluerg.ini 2008-10-30 18:13:00 ----N---- C:\WINDOWS\system32\greuligv.dll 2008-10-30 18:12:54 ----A---- C:\WINDOWS\system32\gyxqtc.dll 2008-10-30 18:12:50 ----A---- C:\WINDOWS\system32\lbthgsxb.dll 2008-10-30 18:09:43 ----ASH---- C:\WINDOWS\system32\aJQAIkkj.ini2 2008-10-30 18:09:40 ----ASH---- C:\WINDOWS\system32\aJQAIkkj.ini 2008-10-30 18:08:55 ----A---- C:\WINDOWS\system32\jkkIAQJa.dll 2008-10-29 23:26:27 ----A---- C:\WINDOWS\system32\yayaWPFw.dll 2008-10-29 22:26:24 ----A---- C:\WINDOWS\system32\fccdcBUN.dll 2008-10-29 21:26:23 ----A---- C:\WINDOWS\system32\cbXOIyAS.dll 2008-10-29 20:26:21 ----A---- C:\WINDOWS\system32\ssqOGwVP.dll 2008-10-29 19:26:20 ----A---- C:\WINDOWS\system32\fccdecAt.dll 2008-10-29 18:26:37 ----A---- C:\WINDOWS\system32\rqRIyVmM.dll 2008-10-29 17:26:17 ----A---- C:\WINDOWS\system32\geBqQIXq.dll 2008-10-29 03:53:51 ----A---- C:\WINDOWS\system32\pmnllllI.dll 2008-10-29 02:53:54 ----A---- C:\WINDOWS\system32\urqNFwvT.dll 2008-10-29 01:53:45 ----A---- C:\WINDOWS\system32\awturQiJ.dll 2008-10-29 00:53:48 ----A---- C:\WINDOWS\system32\fcccawTm.dll 2008-10-28 23:53:45 ----A---- C:\WINDOWS\system32\pmnoMebX.dll 2008-10-28 22:53:45 ----A---- C:\WINDOWS\system32\tuvTkkiG.dll 2008-10-28 17:54:42 ----A---- C:\WINDOWS\system32\xnvapy.dll 2008-10-28 17:54:27 ----A---- C:\WINDOWS\system32\najpimhk.dll 2008-10-28 17:53:51 ----ASH---- C:\WINDOWS\system32\wcwflban.ini 2008-10-28 17:53:36 ----A---- C:\WINDOWS\system32\nablfwcw.dll 2008-10-27 16:31:31 ----ASH---- C:\WINDOWS\system32\taetqxnu.ini 2008-10-27 16:31:27 ----N---- C:\WINDOWS\system32\unxqteat.dll 2008-10-27 16:29:23 ----A---- C:\WINDOWS\system32\nnpobgrk.dll 2008-10-27 15:26:55 ----ASH---- C:\WINDOWS\system32\ujgpjotr.ini 2008-10-27 15:26:36 ----A---- C:\WINDOWS\system32\nxruiq.dll 2008-10-27 15:26:25 ----A---- C:\WINDOWS\system32\sgmvivjb.dll 2008-10-27 15:25:52 ----A---- C:\WINDOWS\system32\f39bae8b-.txt 2008-10-27 15:25:27 ----ASH---- C:\WINDOWS\system32\pWEKlUtv.ini2 2008-10-27 15:25:25 ----ASH---- C:\WINDOWS\system32\pWEKlUtv.ini 2008-10-27 15:20:37 ----AC---- C:\ctfmon.exe 2008-10-27 15:19:07 ----A---- C:\WINDOWS\system32\ddcBTLed.dll 2008-10-27 15:19:05 ----C---- C:\services.exe 2008-10-25 01:33:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$ 2008-10-17 02:04:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$ 2008-10-17 02:04:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$ 2008-10-17 02:04:15 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$ 2008-10-17 02:02:07 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$ 2008-10-17 02:01:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$ 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\W95fiber.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Msvcrtd.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Msvcrt10.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Msvcirtd.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfcuia32.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfco30.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfcans32.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfc30.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\Pcdlib32.dll 2008-10-11 13:31:50 ----D---- C:\Documents and Settings\Vergara\Application Data\PlayFirst 2008-10-11 13:31:50 ----D---- C:\Documents and Settings\All Users\Application Data\PlayFirst ======List of files/folders modified in the last 1 months====== 2008-11-01 22:24:35 ----D---- C:\WINDOWS\Temp 2008-11-01 22:16:26 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-11-01 18:55:06 ----D---- C:\WINDOWS\system32\CatRoot2 2008-11-01 13:33:21 ----D---- C:\WINDOWS\Prefetch 2008-11-01 10:47:35 ----D---- C:\WINDOWS\system32 2008-10-31 13:07:27 ----D---- C:\Documents and Settings\Vergara\Application Data\LimeWire 2008-10-31 11:17:45 ----RD---- C:\Program Files 2008-10-31 09:55:41 ----DC---- C:\4b1735fb208af7f1483cf64d 2008-10-31 06:34:24 ----D---- C:\Program Files\Warcraft III 2008-10-31 06:21:31 ----D---- C:\Program Files\Garena 2008-10-30 19:10:22 ----D---- C:\Program Files\Common Files 2008-10-30 19:09:17 ----D---- C:\Program Files\Yahoo! 2008-10-30 19:05:17 ----SD---- C:\WINDOWS\Downloaded Program Files 2008-10-29 00:31:45 ----HD---- C:\WINDOWS\inf 2008-10-25 09:42:26 ----D---- C:\WINDOWS 2008-10-25 01:33:58 ----RSHDC---- C:\WINDOWS\system32\dllcache 2008-10-25 01:33:15 ----HD---- C:\WINDOWS\$hf_mig$ 2008-10-21 18:42:03 ----D---- C:\WINDOWS\system32\CatRoot 2008-10-17 02:04:39 ----A---- C:\WINDOWS\imsins.BAK 2008-10-17 02:04:36 ----D---- C:\WINDOWS\system32\drivers 2008-10-17 02:03:59 ----D---- C:\Program Files\Internet Explorer 2008-10-17 02:03:33 ----SHDC---- C:\Config.Msi 2008-10-17 02:03:27 ----SHD---- C:\WINDOWS\Installer 2008-10-17 02:03:16 ----A---- C:\WINDOWS\win.ini 2008-10-16 00:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll 2008-10-15 16:15:25 ----D---- C:\Program Files\Common Files\Adobe 2008-10-15 16:10:39 ----RSD---- C:\WINDOWS\Fonts 2008-10-15 16:08:36 ----D---- C:\WINDOWS\SHELLNEW 2008-10-15 16:08:03 ----D---- C:\Program Files\Adobe 2008-10-15 15:56:45 ----D---- C:\Program Files\Common Files\DVDVideoSoft 2008-10-15 15:52:42 ----D---- C:\WINDOWS\WinSxS 2008-10-15 15:36:39 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-08 03:19:40 ----A---- C:\WINDOWS\system32\MRT.exe 2008-10-04 01:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352] R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2008-03-06 15424] R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032] R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2008-03-06 512096] R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-14 88192] R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868] R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2003-05-01 743367] R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver; C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS [2001-08-17 29696] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464] R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536] R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032] R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408] R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608] R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056] S3 KS-959;Kingsun KS-959 USB Infrared Adapter; C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-08 19034] S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-05-29 8704] S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-05-29 13312] S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-05-29 127488] S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-05-29 13312] S3 npkcrypt;npkcrypt; \??\C:\Documents and Settings\Vergara\My Documents\patrick\RO\npkcrypt.sys [] S3 NTProcDrv;Process creation detector for NT.; \??\C:\Documents and Settings\Vergara\My Documents\patrick\cabalBot\NtProcDrv.sys [] S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [] S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104] S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S3 XDva190;XDva190; \??\C:\WINDOWS\system32\XDva190.sys [] S3 XDva195;XDva195; \??\C:\WINDOWS\system32\XDva195.sys [] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888] R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2008-03-06 552064] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872] R3 ServiceLayer;ServiceLayer; C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe [2006-06-05 174080] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336] S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] -----------------EOF----------------- thanks again so much in advance!!..

Rorschach112 View Member Profile	Nov 1 2008, 08:58 AM Post #6
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Please download the OTMoveIt3 by OldTimer or from here. Save it to your desktop. Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator). Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): CODE :Processes explorer.exe :Services :Reg [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a4b514-2307-11dd-955c-0008a1994467}] [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e1cdcd0-8862-11dd-9671-0008a1994467}] :files C:\WINDOWS\system32\skhjikje.dll C:\WINDOWS\system32\rlkhcmje.ini C:\WINDOWS\system32\qiikft.dll C:\WINDOWS\system32\vgiluerg.ini C:\WINDOWS\system32\ejmchklr.dll C:\WINDOWS\system32\nmnsvdcs.ini C:\WINDOWS\system32\scdvsnmn.dll C:\WINDOWS\system32\rewspf.dll C:\WINDOWS\system32\gllkyvho.dll C:\WINDOWS\system32\greuligv.dll C:\WINDOWS\system32\gyxqtc.dll C:\WINDOWS\system32\lbthgsxb.dll C:\WINDOWS\system32\aJQAIkkj.ini2 C:\WINDOWS\system32\aJQAIkkj.ini C:\WINDOWS\system32\jkkIAQJa.dll C:\WINDOWS\system32\yayaWPFw.dll C:\WINDOWS\system32\fccdcBUN.dll C:\WINDOWS\system32\cbXOIyAS.dll C:\WINDOWS\system32\ssqOGwVP.dll C:\WINDOWS\system32\fccdecAt.dll C:\WINDOWS\system32\rqRIyVmM.dll C:\WINDOWS\system32\geBqQIXq.dll C:\WINDOWS\system32\pmnllllI.dll C:\WINDOWS\system32\urqNFwvT.dll C:\WINDOWS\system32\awturQiJ.dll C:\WINDOWS\system32\fcccawTm.dll C:\WINDOWS\system32\pmnoMebX.dll C:\WINDOWS\system32\tuvTkkiG.dll C:\WINDOWS\system32\xnvapy.dll C:\WINDOWS\system32\najpimhk.dll C:\WINDOWS\system32\wcwflban.ini C:\WINDOWS\system32\nablfwcw.dll C:\WINDOWS\system32\taetqxnu.ini C:\WINDOWS\system32\unxqteat.dll C:\WINDOWS\system32\nnpobgrk.dll C:\WINDOWS\system32\ujgpjotr.ini C:\WINDOWS\system32\nxruiq.dll C:\WINDOWS\system32\sgmvivjb.dll C:\WINDOWS\system32\f39bae8b-.txt C:\WINDOWS\system32\pWEKlUtv.ini2 C:\WINDOWS\system32\pWEKlUtv.ini C:\ctfmon.exe C:\WINDOWS\system32\ddcBTLed.dll C:\services.exe :Commands [purity] [emptytemp] [start explorer] [Reboot] Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste. Click the red Moveit! button. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply. Close OTMoveIt3 Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter .log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles* folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post. Also post a new Rsit log

viral_attack View Member Profile	Nov 1 2008, 11:58 PM Post #7
New Member Posts: 6 OS: xp	hello again... here's wat happened... from OTmoveit3: ========== PROCESSES ========== Process explorer.exe killed successfully. ========== SERVICES/DRIVERS ========== ========== REGISTRY ========== Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a4b514-2307-11dd-955c-0008a1994467}\\ not found. Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e1cdcd0-8862-11dd-9671-0008a1994467}\\ not found. ========== FILES ========== File/Folder C:\WINDOWS\system32\skhjikje.dll not found. File/Folder C:\WINDOWS\system32\rlkhcmje.ini not found. File/Folder C:\WINDOWS\system32\qiikft.dll not found. File/Folder C:\WINDOWS\system32\vgiluerg.ini not found. File/Folder C:\WINDOWS\system32\ejmchklr.dll not found. File/Folder C:\WINDOWS\system32\nmnsvdcs.ini not found. File/Folder C:\WINDOWS\system32\scdvsnmn.dll not found. File/Folder C:\WINDOWS\system32\rewspf.dll not found. File/Folder C:\WINDOWS\system32\gllkyvho.dll not found. File/Folder C:\WINDOWS\system32\greuligv.dll not found. File/Folder C:\WINDOWS\system32\gyxqtc.dll not found. File/Folder C:\WINDOWS\system32\lbthgsxb.dll not found. File/Folder C:\WINDOWS\system32\aJQAIkkj.ini2 not found. File/Folder C:\WINDOWS\system32\aJQAIkkj.ini not found. File/Folder C:\WINDOWS\system32\jkkIAQJa.dll not found. File/Folder C:\WINDOWS\system32\yayaWPFw.dll not found. File/Folder C:\WINDOWS\system32\fccdcBUN.dll not found. File/Folder C:\WINDOWS\system32\cbXOIyAS.dll not found. File/Folder C:\WINDOWS\system32\ssqOGwVP.dll not found. File/Folder C:\WINDOWS\system32\fccdecAt.dll not found. File/Folder C:\WINDOWS\system32\rqRIyVmM.dll not found. File/Folder C:\WINDOWS\system32\geBqQIXq.dll not found. File/Folder C:\WINDOWS\system32\pmnllllI.dll not found. File/Folder C:\WINDOWS\system32\urqNFwvT.dll not found. File/Folder C:\WINDOWS\system32\awturQiJ.dll not found. File/Folder C:\WINDOWS\system32\fcccawTm.dll not found. File/Folder C:\WINDOWS\system32\pmnoMebX.dll not found. File/Folder C:\WINDOWS\system32\tuvTkkiG.dll not found. File/Folder C:\WINDOWS\system32\xnvapy.dll not found. File/Folder C:\WINDOWS\system32\najpimhk.dll not found. File/Folder C:\WINDOWS\system32\wcwflban.ini not found. File/Folder C:\WINDOWS\system32\nablfwcw.dll not found. File/Folder C:\WINDOWS\system32\taetqxnu.ini not found. File/Folder C:\WINDOWS\system32\unxqteat.dll not found. File/Folder C:\WINDOWS\system32\nnpobgrk.dll not found. File/Folder C:\WINDOWS\system32\ujgpjotr.ini not found. File/Folder C:\WINDOWS\system32\nxruiq.dll not found. File/Folder C:\WINDOWS\system32\sgmvivjb.dll not found. File/Folder C:\WINDOWS\system32\f39bae8b-.txt not found. File/Folder C:\WINDOWS\system32\pWEKlUtv.ini2 not found. File/Folder C:\WINDOWS\system32\pWEKlUtv.ini not found. File/Folder C:\ctfmon.exe not found. LoadLibrary failed for C:\WINDOWS\system32\ddcBTLed.dll C:\WINDOWS\system32\ddcBTLed.dll NOT unregistered. File move failed. C:\WINDOWS\system32\ddcBTLed.dll scheduled to be moved on reboot. File/Folder C:\services.exe not found. ========== COMMANDS ========== File delete failed. C:\DOCUME~1\Vergara\LOCALS~1\Temp\Perflib_Perfdata_76c.dat scheduled to be deleted on reboot. File delete failed. C:\DOCUME~1\Vergara\LOCALS~1\Temp\~DF8570.tmp scheduled to be deleted on reboot. User's Temp folder emptied. User's Temporary Internet Files folder emptied. User's Internet Explorer cache folder emptied. Local Service Temp folder emptied. File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot. Local Service Temporary Internet Files folder emptied. Windows Temp folder emptied. Java cache emptied. Temp folders emptied. Explorer started successfully OTMoveIt3 by OldTimer - Version 1.0.7.0 log created on 11022008_134525 and from RSIT: Logfile of random's system information tool 1.04 (written by random/random) Run by Vergara at 2008-11-02 13:53:12 Microsoft Windows XP Professional Service Pack 3 System drive C: has 12 GB (41%) free of 30 GB Total RAM: 1023 MB (63% free) Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 1:53:31 PM, on 11/2/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16735) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\RunDll32.exe C:\Program Files\Eset\nod32kui.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Eset\nod32krn.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Safari\Safari.exe C:\WINDOWS\system32\notepad.exe C:\Documents and Settings\Vergara\Desktop\RSIT.exe C:\Program Files\trend micro\Vergara.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .local R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: {45967547-c6e2-ae6a-7464-f0fa8613d6f3} - {3f6d3168-af0f-4647-a6ea-2e6c74576954} - C:\WINDOWS\system32\vdrjfm.dll O2 - BHO: (no name) - {6690A949-0104-4CE1-9034-14089A75AE07} - C:\WINDOWS\system32\ddcBTLed.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: (no name) - {D5395560-7773-441D-B827-986F284C6D96} - C:\WINDOWS\system32\jkkIAQJa.dll (file missing) O2 - BHO: (no name) - {D82B79FD-230F-45D4-A405-95B683C3FCBF} - C:\WINDOWS\system32\vtUlKEWp.dll (file missing) O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_1_0 O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShoppingReport\Bin\2.5.0\ShoppingReport.dll (file missing) O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} (CPlayFirstCookingDasControl Object) - http://games.bigfishgames.com/en_cooking-d...Web.1.0.0.9.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.ph/com/EGamesPlugin.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1213958372802 O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab O16 - DPF: {D40F5876-A494-4124-8161-82625BB28C06} (CPlayFirstChocolatieControl Object) - http://games.bigfishgames.com/en_chocolati...eb.1.0.0.10.cab O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab O20 - AppInit_DLLs: vdrjfm.dll O20 - Winlogon Notify: ddcBTLed - C:\WINDOWS\SYSTEM32\ddcBTLed.dll O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe -- End of file - 7947 bytes ======Scheduled tasks folder====== C:\WINDOWS\tasks\AppleSoftwareUpdate.job C:\WINDOWS\tasks\At1.job ======Registry dump====== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}] &Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-10-20 817936] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f6d3168-af0f-4647-a6ea-2e6c74576954}] C:\WINDOWS\system32\vdrjfm.dll [2008-11-02 123904] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6690A949-0104-4CE1-9034-14089A75AE07}] C:\WINDOWS\system32\ddcBTLed.dll [2008-10-27 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}] SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D5395560-7773-441D-B827-986F284C6D96}] C:\WINDOWS\system32\jkkIAQJa.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D82B79FD-230F-45D4-A405-95B683C3FCBF}] C:\WINDOWS\system32\vtUlKEWp.dll [] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar] {D0943516-5076-4020-A3B5-AEFAF26AB263} - Veoh Browser Plug-in - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll [2008-04-18 352256] {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-10-20 817936] [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "Cmaudio"=RunDll32 cmicnfg.cpl [] "nod32kui"=C:\Program Files\Eset\nod32kui.exe [2008-03-06 949376] "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784] "PCSuiteTrayApplication"=C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE [2006-06-15 229376] "QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696] "AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936] "iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-09-10 289576] [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2006-07-31 4617720] "ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360] "Veoh"=C:\Program Files\Veoh Networks\Veoh\VeohClient.exe [2008-08-28 3660848] ""= [] "updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe [2006-03-30 313472] C:\Documents and Settings\All Users\Start Menu\Programs\Startup Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] "AppInit_DLLS"="vdrjfm.dll" [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddcBTLed] C:\WINDOWS\system32\ddcBTLed.dll [2008-10-27 32768] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon] C:\WINDOWS\system32\WgaLogon.dll [2008-09-05 241704] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad] WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{6690A949-0104-4CE1-9034-14089A75AE07}"=C:\WINDOWS\system32\ddcBTLed.dll [2008-10-27 32768] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] "authentication packages"=msv1_0 C:\WINDOWS\system32\jkkIAQJa [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] "dontdisplaylastusername"=0 "legalnoticecaption"= "legalnoticetext"= "shutdownwithoutlogon"=1 "undockwithoutlogon"=1 [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer] "NoDriveTypeAutoRun"=145 [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe::Enabled:Yahoo! Messenger" "C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe::Enabled:Yahoo! FT Server" "C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe::Enabled:LimeWire" "C:\Program Files\Garena\Garena.exe"="C:\Program Files\Garena\Garena.exe::Enabled:Garena" "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe::Enabled:Veoh Client" "C:\Documents and Settings\Vergara\My Documents\patrick\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\New Folder\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\New Folder\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\cabalBot\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\cabalBot\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\1.05b\CabalBotPH1.05b\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\1.05b\CabalBotPH1.05b\cabalbot.exe::Enabled:HookSrv" "C:\Documents and Settings\Vergara\My Documents\patrick\New Folder (3)\cabalbot.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\New Folder (3)\cabalbot.exe::Enabled:HookSrv" "C:\Program Files\Xfire\xfire.exe"="C:\Program Files\Xfire\xfire.exe::Enabled:Xfire" "C:\Program Files\Warcraft III\Warcraft III.exe"="C:\Program Files\Warcraft III\Warcraft III.exe::Enabled:Warcraft III" "C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe::Enabled:Bonjour" "C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe::Enabled:iTunes" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" "C:\Documents and Settings\Vergara\My Documents\patrick\WoW-BurningCrusade-enUS-Installer-downloader.exe"="C:\Documents and Settings\Vergara\My Documents\patrick\WoW-BurningCrusade-enUS-Installer-downloader.exe::Disabled:Blizzard Downloader" "C:\Program Files\Games-Masters.com\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe"="C:\Program Files\Games-Masters.com\CABAL Online (Europe)\launcher\update\ESTdnheadless.exe::Disabled:EST! download engine" "C:\Program Files\e-Games\CABAL Online (PH)\launcher\update\ESTdnheadless.exe"="C:\Program Files\e-Games\CABAL Online (PH)\launcher\update\ESTdnheadless.exe::Disabled:EST! download engine" [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list] "%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe::Enabled:@xpsp3res.dll,-20000" ======List of files/folders created in the last 1 months====== 2008-11-02 13:53:37 ----ASH---- C:\WINDOWS\system32\gPrtBcfe.ini2 2008-11-02 13:53:36 ----ASH---- C:\WINDOWS\system32\gPrtBcfe.ini 2008-11-02 13:53:15 ----A---- C:\WINDOWS\system32\efcBtrPg.dll 2008-11-02 10:50:08 ----A---- C:\WINDOWS\system32\vdrjfm.dll 2008-11-02 10:50:05 ----A---- C:\WINDOWS\system32\nlqfyyvx.dll 2008-11-02 10:47:12 ----ASH---- C:\WINDOWS\system32\drblcwfj.ini 2008-11-02 10:47:06 ----A---- C:\WINDOWS\system32\jfwclbrd.dll 2008-11-01 22:23:28 ----DC---- C:\rsit 2008-11-01 22:01:05 ----DC---- C:\_OTMoveIt 2008-11-01 13:33:13 ----DC---- C:\Lop SD 2008-10-31 11:17:45 ----D---- C:\Program Files\Trend Micro 2008-10-30 19:10:22 ----D---- C:\Program Files\Common Files\Scanner 2008-10-27 15:19:07 ----A---- C:\WINDOWS\system32\ddcBTLed.dll 2008-10-25 01:33:55 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$ 2008-10-17 02:04:34 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$ 2008-10-17 02:04:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956391$ 2008-10-17 02:04:15 ----HDC---- C:\WINDOWS\$NtUninstallKB957095$ 2008-10-17 02:02:07 ----HDC---- C:\WINDOWS\$NtUninstallKB954211$ 2008-10-17 02:01:49 ----HDC---- C:\WINDOWS\$NtUninstallKB956841$ 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\W95fiber.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Msvcrtd.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Msvcrt10.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Msvcirtd.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfcuia32.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfco30.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfcans32.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\system32\Mfc30.dll 2008-10-15 16:08:36 ----A---- C:\WINDOWS\Pcdlib32.dll 2008-10-11 13:31:50 ----D---- C:\Documents and Settings\Vergara\Application Data\PlayFirst 2008-10-11 13:31:50 ----D---- C:\Documents and Settings\All Users\Application Data\PlayFirst ======List of files/folders modified in the last 1 months====== 2008-11-02 13:53:37 ----D---- C:\WINDOWS\system32 2008-11-02 13:51:32 ----D---- C:\WINDOWS\Temp 2008-11-02 13:46:53 ----A---- C:\WINDOWS\SchedLgU.Txt 2008-11-01 18:55:06 ----D---- C:\WINDOWS\system32\CatRoot2 2008-11-01 13:33:21 ----D---- C:\WINDOWS\Prefetch 2008-10-31 13:07:27 ----D---- C:\Documents and Settings\Vergara\Application Data\LimeWire 2008-10-31 11:17:45 ----RD---- C:\Program Files 2008-10-31 09:55:41 ----DC---- C:\4b1735fb208af7f1483cf64d 2008-10-31 06:34:24 ----D---- C:\Program Files\Warcraft III 2008-10-31 06:21:31 ----D---- C:\Program Files\Garena 2008-10-30 19:10:22 ----D---- C:\Program Files\Common Files 2008-10-30 19:09:17 ----D---- C:\Program Files\Yahoo! 2008-10-30 19:05:17 ----SD---- C:\WINDOWS\Downloaded Program Files 2008-10-29 00:31:45 ----HD---- C:\WINDOWS\inf 2008-10-25 09:42:26 ----D---- C:\WINDOWS 2008-10-25 01:33:58 ----RSHDC---- C:\WINDOWS\system32\dllcache 2008-10-25 01:33:15 ----HD---- C:\WINDOWS\$hf_mig$ 2008-10-21 18:42:03 ----D---- C:\WINDOWS\system32\CatRoot 2008-10-17 02:04:39 ----A---- C:\WINDOWS\imsins.BAK 2008-10-17 02:04:36 ----D---- C:\WINDOWS\system32\drivers 2008-10-17 02:03:59 ----D---- C:\Program Files\Internet Explorer 2008-10-17 02:03:33 ----SHDC---- C:\Config.Msi 2008-10-17 02:03:27 ----SHD---- C:\WINDOWS\Installer 2008-10-17 02:03:16 ----A---- C:\WINDOWS\win.ini 2008-10-16 00:34:24 ----A---- C:\WINDOWS\system32\netapi32.dll 2008-10-15 16:15:25 ----D---- C:\Program Files\Common Files\Adobe 2008-10-15 16:10:39 ----RSD---- C:\WINDOWS\Fonts 2008-10-15 16:08:36 ----D---- C:\WINDOWS\SHELLNEW 2008-10-15 16:08:03 ----D---- C:\Program Files\Adobe 2008-10-15 15:56:45 ----D---- C:\Program Files\Common Files\DVDVideoSoft 2008-10-15 15:52:42 ----D---- C:\WINDOWS\WinSxS 2008-10-15 15:36:39 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP 2008-10-08 03:19:40 ----A---- C:\WINDOWS\system32\MRT.exe 2008-10-04 01:41:15 ----A---- C:\WINDOWS\system32\ieframe.dll ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352] R1 nod32drv;nod32drv; C:\WINDOWS\system32\drivers\nod32drv.sys [2008-03-06 15424] R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032] R2 AMON;AMON; C:\WINDOWS\system32\drivers\amon.sys [2008-03-06 512096] R2 irda;IrDA Protocol; C:\WINDOWS\system32\DRIVERS\irda.sys [2008-04-14 88192] R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868] R3 cmuda;C-Media WDM Audio Interface; C:\WINDOWS\system32\drivers\cmuda.sys [2003-05-01 743367] R3 DM9102;DAVICOM 9102(A) PCI Fast Ethernet Based NT Driver; C:\WINDOWS\system32\DRIVERS\DM9PCI5.SYS [2001-08-17 29696] R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464] R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536] R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032] R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2004-08-04 1897408] R3 Rasirda;WAN Miniport (IrDA); C:\WINDOWS\system32\DRIVERS\rasirda.sys [2001-08-17 19584] R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208] R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520] R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608] R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056] S3 KS-959;Kingsun KS-959 USB Infrared Adapter; C:\WINDOWS\system32\DRIVERS\KS-959.sys [2005-10-08 19034] S3 Nokia USB Generic;Nokia USB Generic; C:\WINDOWS\system32\drivers\nmwcdc.sys [2006-05-29 8704] S3 Nokia USB Modem;Nokia USB Modem; C:\WINDOWS\system32\drivers\nmwcdcm.sys [2006-05-29 13312] S3 Nokia USB Phone Parent;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\nmwcd.sys [2006-05-29 127488] S3 Nokia USB Port;Nokia USB Port; C:\WINDOWS\system32\drivers\nmwcdcj.sys [2006-05-29 13312] S3 npkcrypt;npkcrypt; \??\C:\Documents and Settings\Vergara\My Documents\patrick\RO\npkcrypt.sys [] S3 NTProcDrv;Process creation detector for NT.; \??\C:\Documents and Settings\Vergara\My Documents\patrick\cabalBot\NtProcDrv.sys [] S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [] S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104] S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368] S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568] S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944] S3 XDva190;XDva190; \??\C:\WINDOWS\system32\XDva190.sys [] S3 XDva195;XDva195; \??\C:\WINDOWS\system32\XDva195.sys [] S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys [] ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)====== R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-09-10 116040] R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888] R2 Irmon;Infrared Monitor; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2008-03-06 552064] R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-09-10 536872] R3 ServiceLayer;ServiceLayer; C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe [2006-06-05 174080] S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136] S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336] S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408] S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336] -----------------EOF----------------- thanks for the replies.. obviously i don't know much about Pc..

Rorschach112 View Member Profile	Nov 2 2008, 04:18 PM Post #8
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Save ComboFix.exe to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt** in your next reply.

viral_attack View Member Profile	Nov 3 2008, 04:28 AM Post #9
New Member Posts: 6 OS: xp	done running combofix... here's wat it says: * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\WINDOWS\system32\ngcmlsna.ini . ---- Previous Run ------- . C:\Documents and Settings\Vergara\Application Data\ShoppingReport C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\Config.xml C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\db\Aliases.dbs C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\db\Sites.dbs C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\dwld\WhiteList.xip C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\report\aggr_storage.xml C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\report\send_storage.xml C:\Documents and Settings\Vergara\Application Data\ShoppingReport\cs\res2\WhiteList.dbs C:\Program Files\ShoppingReport C:\Program Files\ShoppingReport\Uninst.exe C:\RECYCLER\ADAPT_Installer.exe C:\WINDOWS\system32\drblcwfj.ini C:\WINDOWS\system32\efcBtrPg.dll C:\WINDOWS\system32\gPrtBcfe.ini C:\WINDOWS\system32\gPrtBcfe.ini2 C:\WINDOWS\system32\jfwclbrd.dll C:\WINDOWS\system32\jqwlepiq.ini C:\WINDOWS\system32\ngcmlsna.ini C:\WINDOWS\system32\nlqfyyvx.dll C:\WINDOWS\system32\rblehsln.ini C:\WINDOWS\system32\vdrjfm.dll . ((((((((((((((((((((((((( Files Created from 2008-10-03 to 2008-11-03 ))))))))))))))))))))))))))))))) . 2008-11-03 17:07 . 2008-11-03 17:07 101,888 --a------ C:\WINDOWS\system32\ksiukt.dll 2008-11-03 17:07 . 2008-11-03 17:07 69,120 --a------ C:\WINDOWS\system32\anslmcgn.dll 2008-11-03 17:06 . 2008-11-03 17:07 101,888 --a------ C:\WINDOWS\system32\fkbwkjmr.dll 2008-11-03 13:59 . 2008-11-03 13:59 101,888 --a------ C:\WINDOWS\system32\nqbrgdkx.dll 2008-11-03 13:59 . 2008-11-03 13:59 101,888 --a------ C:\WINDOWS\system32\jtvlnc.dll 2008-11-03 13:56 . 2008-11-03 13:56 69,120 --a------ C:\WINDOWS\system32\qipelwqj.dll 2008-11-02 13:56 . 2008-11-02 13:56 102,400 --a------ C:\WINDOWS\system32\pppujyro.dll 2008-11-02 13:56 . 2008-11-02 13:56 102,400 --a------ C:\WINDOWS\system32\jrvcxc.dll 2008-11-01 22:23 . 2008-11-01 22:24 <DIR> d----c--- C:\rsit 2008-11-01 22:01 . 2008-11-01 22:01 <DIR> d----c--- C:\_OTMoveIt 2008-11-01 13:33 . 2008-11-01 14:04 <DIR> d----c--- C:\Lop SD 2008-10-31 11:17 . 2008-11-02 13:53 <DIR> d-------- C:\Program Files\Trend Micro 2008-10-30 19:10 . 2008-10-30 19:10 <DIR> d-------- C:\Program Files\Common Files\Scanner 2008-10-27 15:19 . 2008-10-27 15:19 32,768 --a------ C:\WINDOWS\system32\ddcBTLed.dll 2008-10-24 19:49 . 2008-10-16 00:34 337,408 -----c--- C:\WINDOWS\system32\dllcache\netapi32.dll 2008-10-16 23:37 . 2008-08-14 18:11 2,189,184 -----c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe 2008-10-16 23:37 . 2008-08-14 18:09 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe 2008-10-16 23:37 . 2008-08-14 17:33 2,066,048 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe 2008-10-16 23:37 . 2008-08-14 17:33 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe 2008-10-16 21:38 . 2008-09-15 20:12 1,846,400 -----c--- C:\WINDOWS\system32\dllcache\win32k.sys 2008-10-16 20:18 . 2008-09-08 18:41 333,824 -----c--- C:\WINDOWS\system32\dllcache\srv.sys 2008-10-15 16:11 . 2008-10-15 16:11 1,901 --a------ C:\WINDOWS\panose.bin 2008-10-15 16:08 . 2001-04-11 13:03 401,484 --a------ C:\WINDOWS\system32\Msvcrtd.dll 2008-10-15 16:08 . 2001-04-11 13:02 322,832 --a------ C:\WINDOWS\system32\Mfc30.dll 2008-10-15 16:08 . 2001-04-11 13:02 212,480 --a------ C:\WINDOWS\Pcdlib32.dll 2008-10-15 16:08 . 2001-04-11 13:03 210,944 --a------ C:\WINDOWS\system32\Msvcrt10.dll 2008-10-15 16:08 . 2001-04-11 13:03 133,904 --a------ C:\WINDOWS\system32\Mfcans32.dll 2008-10-15 16:08 . 2001-04-11 13:03 133,392 --a------ C:\WINDOWS\system32\Mfco30.dll 2008-10-15 16:08 . 2001-04-11 13:03 94,285 --a------ C:\WINDOWS\system32\Msvcirtd.dll 2008-10-15 16:08 . 2001-04-11 13:03 6,144 --a------ C:\WINDOWS\system32\W95fiber.dll 2008-10-15 16:08 . 2001-04-11 13:03 5,632 --a------ C:\WINDOWS\system32\Mfcuia32.dll 2008-10-11 13:31 . 2008-10-11 13:31 <DIR> d-------- C:\Documents and Settings\Vergara\Application Data\PlayFirst 2008-10-11 13:31 . 2008-10-11 13:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-03 06:47 --------- d-----w C:\Documents and Settings\Vergara\Application Data\LimeWire 2008-10-30 22:34 --------- d-----w C:\Program Files\Warcraft III 2008-10-30 22:21 --------- d-----w C:\Program Files\Garena 2008-10-30 11:09 --------- d-----w C:\Program Files\Yahoo! 2008-10-15 08:15 --------- d-----w C:\Program Files\Common Files\Adobe 2008-10-15 07:56 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft 2008-10-15 07:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP 2008-09-25 10:48 --------- d-----w C:\Program Files\Level Up 2008-09-19 11:17 --------- d-----w C:\Program Files\iTunes 2008-09-19 11:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-19 11:16 --------- d-----w C:\Program Files\iPod 2008-09-19 11:10 --------- d-----w C:\Program Files\QuickTime 2008-09-19 09:20 --------- d-----w C:\Program Files\Bonjour 2008-09-15 12:12 1,846,400 ----a-w C:\WINDOWS\system32\win32k.sys 2008-09-10 08:34 --------- d-----w C:\Documents and Settings\Vergara\Application Data\Nokia 2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys 2008-08-29 02:18 87,336 ----a-w C:\WINDOWS\system32\dns-sd.exe 2008-08-29 01:53 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll 2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-08-14 10:11 2,189,184 ----a-w C:\WINDOWS\system32\ntoskrnl.exe 2008-08-14 09:33 2,066,048 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe 2008-08-12 22:08 42,320 ----a-w C:\WINDOWS\system32\xfcodec.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6690A949-0104-4CE1-9034-14089A75AE07}] 2008-10-27 15:19 32768 --a------ C:\WINDOWS\system32\ddcBTLed.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{af5cb8d4-8ca9-4f34-8472-ce3bd44702a4}] 2008-11-03 17:07 101888 --a------ C:\WINDOWS\system32\ksiukt.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4183B4B-6833-42CC-88F5-770CF7E3F758}] C:\WINDOWS\system32\efcBtrPg.dll [BU] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5395560-7773-441D-B827-986F284C6D96}] C:\WINDOWS\system32\jkkIAQJa.dll [BU] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D82B79FD-230F-45D4-A405-95B683C3FCBF}] C:\WINDOWS\system32\vtUlKEWp.dll [BU] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-07-31 4617720] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360] "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848] "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-03-06 949376] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-09-06 413696] "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-09-10 289576] "f8b86af5"="C:\WINDOWS\system32\anslmcgn.dll" [2008-11-03 69120] "Cmaudio"="cmicnfg.cpl" [BU] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-15 113664] Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{6690A949-0104-4CE1-9034-14089A75AE07}"= "C:\WINDOWS\system32\ddcBTLed.dll" [2008-10-27 32768] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcBTLed] 2008-10-27 15:19 32768 C:\WINDOWS\system32\ddcBTLed.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=ksiukt.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.xvid"= xvid.dll "VIDC.XFR1"= xfcodec.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "C:\\Program Files\\LimeWire\\LimeWire.exe"= "C:\\Program Files\\Garena\\Garena.exe"= "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "C:\\Program Files\\Xfire\\xfire.exe"= "C:\\Program Files\\Warcraft III\\Warcraft III.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Documents and Settings\\Vergara\\My Documents\\patrick\\WoW-BurningCrusade-enUS-Installer-downloader.exe"= "C:\\Program Files\\Games-Masters.com\\CABAL Online (Europe)\\launcher\\update\\ESTdnheadless.exe"= . Contents of the 'Scheduled Tasks' folder 2008-10-24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2008-08-29 C:\WINDOWS\Tasks\At1.job - c:\program files\norton pc checkup\pc_checkup.exe [2008-06-30 05:50] . . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = about:blank R1 -: HKCU-Internet Settings,ProxyOverride = .local R1 -: HKCU-SearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ycomp/defaults/su/http://www.yahoo.com O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 -: {C5428486-50A0-4a02-9D20-520B59A9F9B3} - {A16AD1E9-F69A-45af-9462-B1C286708842} - O16 -: {195B4BBF-E1E4-4020-9773-0A8C6F65EA35} - hxxp://games.bigfishgames.com/en_cooking-dash/online/CookingDashWeb.1.0.0.9.cab C:\WINDOWS\Downloaded Program Files\CookingDashWeb.1.0.0.9.inf C:\WINDOWS\Downloaded Program Files\CookingDashWeb.1.0.0.9.dll O16 -: {D40F5876-A494-4124-8161-82625BB28C06} - hxxp://games.bigfishgames.com/en_chocolatier-2-secret-ingredients/online/Chocolatier2Web.1.0.0.10.cab C:\WINDOWS\Downloaded Program Files\Chocolatier2Web.1.0.0.10.inf C:\WINDOWS\Downloaded Program Files\Chocolatier2Web.1.0.0.10.dll O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380} - hxxp://www.instantaction.com/download/iaplayer.cab C:\WINDOWS\Downloaded Program Files\cab.inf C:\WINDOWS\Downloaded Program Files\iaplayer.dll . ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-03 18:05:16 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\system32\winlogon.exe -> C:\WINDOWS\system32\ddcBTLed.dll . Completion time: 2008-11-03 18:13:52 ComboFix-quarantined-files.txt 2008-11-03 10:13:18 Pre-Run: 13,624,528,896 bytes free Post-Run: 13,616,300,032 bytes free 193 --- E O F --- 2008-10-24 17:34:07

Rorschach112 View Member Profile	Nov 3 2008, 07:17 AM Post #10
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Open notepad and copy/paste the text in the quotebox below into it: CODE http://www.geekstogo.com/forum/HELP-PC-INFECTED-Win32-Adware-Virtumondeand33-t216088.html Collect:: C:\WINDOWS\system32\ksiukt.dll C:\WINDOWS\system32\anslmcgn.dll C:\WINDOWS\system32\fkbwkjmr.dll C:\WINDOWS\system32\nqbrgdkx.dll C:\WINDOWS\system32\jtvlnc.dll C:\WINDOWS\system32\qipelwqj.dll C:\WINDOWS\system32\pppujyro.dll C:\WINDOWS\system32\jrvcxc.dll C:\WINDOWS\system32\ddcBTLed.dll C:\WINDOWS\panose.bin Registry:: [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{6690A949-0104-4CE1-9034-14089A75AE07}"=- Suspect:: Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you. Post that log in your next reply. Note When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

viral_attack View Member Profile	Nov 4 2008, 06:36 AM Post #11
New Member Posts: 6 OS: xp	hello again!... done with running combofix... * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\windows\panose.bin c:\windows\system32\aJjPonmp.ini c:\windows\system32\aJjPonmp.ini2 c:\windows\system32\ddcBTLed.dll c:\windows\system32\ecnxdmgh.ini c:\windows\system32\fkbwkjmr.dll c:\windows\system32\gqevxxen.ini c:\windows\system32\jrvcxc.dll c:\windows\system32\jtvlnc.dll c:\windows\system32\ksiukt.dll c:\windows\system32\ngcmlsna.ini c:\windows\system32\nqbrgdkx.dll c:\windows\system32\pmnoPjJa.dll c:\windows\system32\pppujyro.dll c:\windows\system32\qipelwqj.dll . ((((((((((((((((((((((((( Files Created from 2008-10-04 to 2008-11-04 ))))))))))))))))))))))))))))))) . 2008-11-04 18:31 . 2008-11-04 18:31 101,888 --a------ c:\windows\system32\lgwqmyho.dll 2008-11-04 18:31 . 2008-11-04 18:31 101,888 --a------ c:\windows\system32\bwxpkv.dll 2008-11-04 18:31 . 2008-11-04 18:31 68,096 --a------ c:\windows\system32\hgmdxnce.dll 2008-11-03 18:29 . 2008-11-03 18:29 69,120 --a------ c:\windows\system32\nexxveqg.dll 2008-11-03 18:27 . 2008-11-03 18:27 101,888 --a------ c:\windows\system32\pzfqpy.dll 2008-11-03 18:27 . 2008-11-03 18:27 101,888 --a------ c:\windows\system32\frurpbcq.dll 2008-11-01 22:23 . 2008-11-01 22:24 <DIR> d----c--- C:\rsit 2008-11-01 22:01 . 2008-11-01 22:01 <DIR> d----c--- C:\_OTMoveIt 2008-11-01 13:33 . 2008-11-01 14:04 <DIR> d----c--- C:\Lop SD 2008-10-31 11:17 . 2008-11-02 13:53 <DIR> d-------- c:\program files\Trend Micro 2008-10-30 19:10 . 2008-10-30 19:10 <DIR> d-------- c:\program files\Common Files\Scanner 2008-10-24 19:49 . 2008-10-16 00:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll 2008-10-16 23:37 . 2008-08-14 18:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe 2008-10-16 23:37 . 2008-08-14 18:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe 2008-10-16 23:37 . 2008-08-14 17:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe 2008-10-16 23:37 . 2008-08-14 17:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe 2008-10-16 21:38 . 2008-09-15 20:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys 2008-10-16 20:18 . 2008-09-08 18:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys 2008-10-15 16:08 . 2001-04-11 13:03 401,484 --a------ c:\windows\system32\Msvcrtd.dll 2008-10-15 16:08 . 2001-04-11 13:02 322,832 --a------ c:\windows\system32\Mfc30.dll 2008-10-15 16:08 . 2001-04-11 13:02 212,480 --a------ c:\windows\Pcdlib32.dll 2008-10-15 16:08 . 2001-04-11 13:03 210,944 --a------ c:\windows\system32\Msvcrt10.dll 2008-10-15 16:08 . 2001-04-11 13:03 133,904 --a------ c:\windows\system32\Mfcans32.dll 2008-10-15 16:08 . 2001-04-11 13:03 133,392 --a------ c:\windows\system32\Mfco30.dll 2008-10-15 16:08 . 2001-04-11 13:03 94,285 --a------ c:\windows\system32\Msvcirtd.dll 2008-10-15 16:08 . 2001-04-11 13:03 6,144 --a------ c:\windows\system32\W95fiber.dll 2008-10-15 16:08 . 2001-04-11 13:03 5,632 --a------ c:\windows\system32\Mfcuia32.dll 2008-10-11 13:31 . 2008-10-11 13:31 <DIR> d-------- c:\documents and settings\Vergara\Application Data\PlayFirst 2008-10-11 13:31 . 2008-10-11 13:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\PlayFirst . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-11-03 15:34 --------- d-----w c:\documents and settings\Vergara\Application Data\LimeWire 2008-10-30 22:34 --------- d-----w c:\program files\Warcraft III 2008-10-30 22:21 --------- d-----w c:\program files\Garena 2008-10-30 11:09 --------- d-----w c:\program files\Yahoo! 2008-10-15 08:15 --------- d-----w c:\program files\Common Files\Adobe 2008-10-15 07:56 --------- d-----w c:\program files\Common Files\DVDVideoSoft 2008-10-15 07:36 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP 2008-09-25 10:48 --------- d-----w c:\program files\Level Up 2008-09-19 11:17 --------- d-----w c:\program files\iTunes 2008-09-19 11:17 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6} 2008-09-19 11:16 --------- d-----w c:\program files\iPod 2008-09-19 11:10 --------- d-----w c:\program files\QuickTime 2008-09-19 09:20 --------- d-----w c:\program files\Bonjour 2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys 2008-09-10 08:34 --------- d-----w c:\documents and settings\Vergara\Application Data\Nokia 2008-09-08 10:41 333,824 ----a-w c:\windows\system32\drivers\srv.sys 2008-08-29 02:18 87,336 ----a-w c:\windows\system32\dns-sd.exe 2008-08-29 01:53 61,440 ----a-w c:\windows\system32\dnssd.dll 2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll 2008-08-14 10:11 2,189,184 ----a-w c:\windows\system32\ntoskrnl.exe 2008-08-14 09:33 2,066,048 ----a-w c:\windows\system32\ntkrnlpa.exe 2008-08-12 22:08 42,320 ----a-w c:\windows\system32\xfcodec.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3e0c17fa-9e98-4c29-b416-a490324f47fc}] 2008-11-04 18:31 101888 --a------ c:\windows\system32\bwxpkv.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4183B4B-6833-42CC-88F5-770CF7E3F758}] c:\windows\system32\efcBtrPg.dll [BU] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D5395560-7773-441D-B827-986F284C6D96}] c:\windows\system32\jkkIAQJa.dll [BU] [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D82B79FD-230F-45D4-A405-95B683C3FCBF}] c:\windows\system32\vtUlKEWp.dll [BU] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2006-07-31 4617720] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360] "Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2008-08-28 3660848] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "nod32kui"="c:\program files\Eset\nod32kui.exe" [2008-03-06 949376] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "PCSuiteTrayApplication"="c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE" [2006-06-15 229376] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576] "f8b86af5"="c:\windows\system32\hgmdxnce.dll" [2008-11-04 68096] "Cmaudio"="cmicnfg.cpl" [BU] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-10-15 113664] Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=bwxpkv.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.xvid"= xvid.dll "VIDC.XFR1"= xfcodec.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Garena\\Garena.exe"= "c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"= "c:\\Program Files\\Xfire\\xfire.exe"= "c:\\Program Files\\Warcraft III\\Warcraft III.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Documents and Settings\\Vergara\\My Documents\\patrick\\WoW-BurningCrusade-enUS-Installer-downloader.exe"= "c:\\Program Files\\Games-Masters.com\\CABAL Online (Europe)\\launcher\\update\\ESTdnheadless.exe"= S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\DRIVERS\KS-959.sys [2005-10-08 19034] S3 NTProcDrv;Process creation detector for NT.;c:\documents and settings\Vergara\My Documents\patrick\cabalBot\NtProcDrv.sys [ ] S3 XDva190;XDva190;c:\windows\system32\XDva190.sys [ ] S3 XDva195;XDva195;c:\windows\system32\XDva195.sys [ ] . Contents of the 'Scheduled Tasks' folder 2008-10-24 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2008-08-29 c:\windows\Tasks\At1.job - c:\program files\norton pc checkup\pc_checkup.exe [2008-06-30 05:50] . - - - - ORPHANS REMOVED - - - - BHO-{6690A949-0104-4CE1-9034-14089A75AE07} - c:\windows\system32\ddcBTLed.dll BHO-{DD1A6BB9-0059-409D-AED6-D39C0BECC74F} - c:\windows\system32\pmnoPjJa.dll Notify-ddcBTLed - ddcBTLed.dll ************************************************************************ catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-11-04 20:21:56 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... c:\windows\system32\ecnxdmgh.ini 1871805 bytes scan completed successfully hidden files: 1 ********************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: c:\windows\explorer.exe -> c:\windows\system32\hgmdxnce.dll . ------------------------ Other Running Processes ------------------------ . c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe c:\program files\Bonjour\mDNSResponder.exe c:\program files\ESET\nod32krn.exe c:\windows\system32\rundll32.exe c:\windows\system32\rundll32.exe c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe c:\program files\Common Files\PCSuite\Services\ServiceLayer.exe c:\program files\iPod\bin\iPodService.exe . ************************************************************************ . Completion time: 2008-11-04 20:32:53 - machine was rebooted [Vergara] ComboFix-quarantined-files.txt 2008-11-04 12:32:46 ComboFix2.txt 2008-11-03 10:13:59 Pre-Run: 13,521,309,696 bytes free Post-Run: 13,518,819,328 bytes free 179 --- E O F --- 2008-10-24 17:34:07 ... btw, when i turn my pc on and when windos is starting before the desktop was diplayed there's a pop up box that says that my pc doesn't have a memory or something?... thankz again!..

Rorschach112 View Member Profile	Nov 4 2008, 08:30 AM Post #12
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Hello Open notepad and copy/paste the text in the quotebox below into it: CODE http://www.geekstogo.com/forum/HELP-PC-INFECTED-Win32-Adware-Virtumondeand33-t216088.html Collect:: c:\windows\system32\lgwqmyho.dll c:\windows\system32\bwxpkv.dll c:\windows\system32\hgmdxnce.dll c:\windows\system32\nexxveqg.dll c:\windows\system32\pzfqpy.dll c:\windows\system32\frurpbcq.dll registry:: [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"="" Suspect:: Save this as CFScript.txt Refering to the picture above, drag CFScript.txt into ComboFix.exe When finished, it shall produce a log for you. Post that log in your next reply. Note When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis. Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

Rorschach112 View Member Profile	Nov 7 2008, 01:07 PM Post #13
GeekU Teacher Posts: 34,385 From: Dublin OS: XP	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal Help! Got hit with Worm.win32.Netsky	1 / 401	25th November 2007 - 06:24 PM schwaja3 started - last by schwaja3
Virus, Spyware and Trojan Removal Help! Computer infected with Adware and Spyware! [RESOLVED] 12	16 / 1,343	10th January 2008 - 09:17 AM den110 started - last by Rorschach112
Virus, Spyware and Trojan Removal Help! PC infected with unknown Trojan	0 / 269	31st March 2008 - 08:30 AM dchiotel started - last by dchiotel
Virus, Spyware and Trojan Removal help with infectio win32/adware.virtumonde + win32/privacyremover.m64	0 / 1,185	19th August 2008 - 08:27 AM valleystaky started - last by valleystaky