WoW Password stolen, possible keylogger [CLOSED]

Need a geek? Geeks to Go offers free, quality tech support -- in terms anyone can understand. Volunteers are waiting to help, friendly, technology experts who have knowledge to share, and enjoy helping others. Feel free to browse the site as a guest. However, you must log in to reply to existing topics, or to start a new topic. Other benefits of joining include richer forum features, and removal of all advertising. Learn more in our Welcome Guide Infected? Malware and Spyware Cleaning Guide. What are you waiting for? Click here to join for free today!

> Geeks to Go! » Security » Virus, Spyware and Trojan Removal

WoW Password stolen, possible keylogger [CLOSED]

Options

Dome View Member Profile	Jun 17 2008, 04:20 PM Post #1
Member Posts: 21 OS: Windows XP	Ive ran all the scans available after this predicament, i want to make sure if i got it or not, because i dont wanna risk it again Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 5:19:39 PM, on 6/17/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\windows.ext C:\WINDOWS\Explorer.EXE C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe C:\Program Files\WebcamMax\wcmmon.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe C:\WINDOWS\SOUNDMAN.EXE C:\Program Files\DAEMON Tools\daemon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Veoh Networks\Veoh\VeohClient.exe C:\Program Files\Google\Google Updater\GoogleUpdater.exe C:\Program Files\Xfire\xfire.exe C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Viewpoint\Common\ViewpointService.exe C:\WINDOWS\System32\alg.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\HijackThis\HijackThis.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe C:\WINDOWS\system32\wbem\wmiprvse.exe R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [WebcamMaxMoniter] "C:\Program Files\WebcamMax\wcmmon.exe" /a O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033 O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide O4 - HKUS\S-1-5-18\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ctmon.exe] C:\WINDOWS\633341857211.exe (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Shell] "C:\WINDOWS\system32\Rundll32.exe" "C:\WINDOWS\system32\shell32.dll",Control_RunDLL "C:\WINDOWS\TEMP\dat16.tmp" (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'Default user') O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\xfire.exe O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1193201011796 O16 - DPF: {77538FC7-CE52-4704-9865-494FE92BC320} (LaunchUBO.Ulit) - http://www.ultimatebaseballonline.com/myubo/launchubo.OCX O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe -- End of file - 8979 bytes

Chopin View Member Profile	Jun 21 2008, 09:20 PM Post #2
In love with Chopin! Posts: 2,611 From: My piano? OS: Windows XP Professional SP2	Hello Dome, it doesn't look like there's anything really horrible on there. Let's get a scan first. 1. Deckard's System Scanner ------------------------------------------------ Please download Deckard's System Scanner (DSS) and save it to your Desktop. Close ALL open windows before running the scan. *Note: This program will clear your temporary files.* On the first run, Deckard's System Scanner will provide you with two warnings. Press "OK" and allow DSS to scan. The entire scanning process will take about five minutes, often less. During the scan you may get warnings about sigcheck.exe trying to access the Internet; please make sure you allow it to do so. Your antivirus may also warn you about nircmd.exe; please make sure you do not delete nircmd.exe as it will cause DSS to malfunction. Once the scan is complete, you will get two logfiles - a main.txt (which you see) and an extra.txt (which is minimized). Copy the contents of both into a reply. On subsequent runs, DSS will only provide a significantly shortened main.txt and not an extra.txt.

Chopin View Member Profile	Jun 22 2008, 04:20 PM Post #4
In love with Chopin! Posts: 2,611 From: My piano? OS: Windows XP Professional SP2	Hello Dome, there is some stuff on there but it doesn't really look all that bad. Let's get started! However, first: It looks like you currently have no Anti-Virus protection installed on your computer. This leaves your computer open to the majority of infections out there and is most likely one of the reasons you got infected in the first place. Please download one of the following AV programs: Anti Virus Programs AntiVir Recommended Avast AVG 8 Once you have an AV program installed (make sure you only install one, having more than one installed will give undesirable results), update to the latest definitions/ version and do a full system scan. Make sure you have your AV quarantine any bad files it finds (you should be able to find this option under the anti-virus's scan settings.) Please post the scan report that your AV program produces after it finishes scanning your computer. Please read my entire post before commencing, and please follow my instructions in the order that they are given If you don't understand something, don't be afraid to ask!* 1. Fix Entries with HijackThis ------------------------------------------------ Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below (if present). O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O4 - HKUS\S-1-5-18\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [ctmon.exe] C:\WINDOWS\633341857211.exe (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [ctfmn1.exe] C:\WINDOWS\system32\111.ext (User 'Default user') Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis. 2. Fix File Associations ------------------------------------------------ Please go to Start > Run. In the box that appears, carefully copy and paste the following: "%Userprofile%\Desktop\dss.exe" /daft Accept the disclaimer, and click the "Scan" button. Place a checkmark next to everything that appears and press "Fix". Afterwards, close the window. 3. Submit File for Testing ------------------------------------------------ Please go to this website: Link Once there, you will see a textbox in the middle of the screen. Copy and paste the following line into the textbox: C:\WINDOWS\system32\CMMGR32.EXE Click the large "Send File" button. Your file will be scanned by MANY different antivirus engines, so until the top says Current status: Finished, don't close the window/copy the results! Once the scan is finished, copy and paste the entire table into a reply so it looks like this: QUOTE AhnLab-V3 2007.9.29.0 2007.09.28 - AntiVir 7.6.0.18 2007.09.28 HEUR/Malware Authentium 4.93.8 2007.09.28 - Avast 4.7.1043.0 2007.09.28 - AVG 7.5.0.488 2007.09.28 - BitDefender 7.2 2007.09.28 - CAT-QuickHeal 9.00 2007.09.28 (Suspicious) - DNAScan ClamAV 0.91.2 2007.09.28 - DrWeb 4.33 2007.09.28 - eSafe 7.0.15.0 2007.09.23 Suspicious Trojan/Worm eTrust-Vet 31.2.5169 2007.09.27 - Ewido 4.0 2007.09.28 - FileAdvisor 1 2007.09.29 - Fortinet 3.11.0.0 2007.09.28 - F-Prot 4.3.2.48 2007.09.27 - F-Secure 6.70.13030.0 2007.09.28 - Ikarus T3.1.1.12 2007.09.28 - Kaspersky 7.0.0.125 2007.09.29 - McAfee 5130 2007.09.28 - Microsoft 1.2803 2007.09.29 - NOD32v2 2558 2007.09.28 - Norman 5.80.02 2007.09.28 - Panda 9.0.0.4 2007.09.28 - Prevx1 V2 2007.09.29 Heuristic: Suspicious Self Modifying EXE Rising 19.42.42.00 2007.09.28 - Sophos 4.21.0 2007.09.28 - Sunbelt 2.2.907.0 2007.09.28 VIPRE.Suspicious Symantec 10 2007.09.28 - TheHacker 6.2.6.073 2007.09.28 - VBA32 3.12.2.4 2007.09.29 - VirusBuster 4.3.26:9 2007.09.28 - Webwasher-Gateway 6.0.1 2007.09.28 Heuristic.Malware Once finished with C:\WINDOWS\system32\CMMGR32.EXE, please repeat the process with this line at the beginning: C:\WINDOWS\system32\vcrxfileju.dll C:\WINDOWS\96435308487.exe Post those results as well. 4. Run ComboFix ------------------------------------------------ Please download ComboFix from Here or Here to your Desktop. Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop Please, never rename Combofix unless instructed. Close any open internet browsers. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. ----------------------------------------------------------- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Click on this link* to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.* ----------------------------------------------------------- Close any open browsers. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished. If there is no internet connection after running Combofix, then restart your computer to restore back your connection. ----------------------------------------------------------- Double click on combofix.exe & follow the prompts. When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall In your next post ------------------------------------------------ Antivirus log 3 VirusTotal logs ComboFix log

Dome View Member Profile	Jun 25 2008, 12:39 PM Post #5
Member Posts: 21 OS: Windows XP	Avira AntiVir Personal Report file date: Wednesday, June 25, 2008 00:50 Scanning for 1165085 virus strains and unwanted programs. Licensed to: Avira AntiVir PersonalEdition Classic Serial number: 0000149996-ADJIE-0001 Platform: Windows XP Windows version: (Service Pack 2) [5.1.2600] Boot mode: Normally booted Username: SYSTEM Computer name: JAKE Version information: BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00 AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 16:02:56 AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 15:43:37 LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 15:41:23 LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 15:28:40 ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 17:33:34 ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 20:08:58 ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 3/21/2008 02:12:34 ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 3/25/2008 15:27:50 Engineversion : 8.1.0.28 AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 16:58:21 AESCRIPT.DLL : 8.1.0.19 229754 Bytes 4/7/2008 22:34:44 AESCN.DLL : 8.1.0.12 115060 Bytes 4/7/2008 22:34:44 AERDL.DLL : 8.1.0.19 418164 Bytes 4/7/2008 22:34:44 AEPACK.DLL : 8.1.1.0 364918 Bytes 3/18/2008 18:20:42 AEOFFICE.DLL : 8.1.0.15 192889 Bytes 4/7/2008 22:34:44 AEHEUR.DLL : 8.1.0.15 1147253 Bytes 4/7/2008 22:34:44 AEHELP.DLL : 8.1.0.11 115061 Bytes 4/7/2008 22:34:43 AEGEN.DLL : 8.1.0.15 299379 Bytes 4/7/2008 22:34:43 AEEMU.DLL : 8.1.0.5 430450 Bytes 4/7/2008 22:34:43 AECORE.DLL : 8.1.0.25 168309 Bytes 4/8/2008 16:58:32 AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 00:07:53 AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 17:37:50 AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 20:26:47 AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 00:07:49 AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 15:29:23 AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 15:31:31 SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 00:28:02 SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 00:08:39 NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 19:05:10 RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 21:37:25 RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 19:02:11 Configuration settings for the scan: Jobname..........................: Complete system scan Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp Logging..........................: low Primary action...................: interactive Secondary action.................: ignore Scan master boot sector..........: on Scan boot sector.................: on Boot sectors.....................: C:, F:, Scan memory......................: on Process scan.....................: on Scan registry....................: on Search for rootkits..............: off Scan all files...................: Intelligent file selection Scan archives....................: on Recursion depth..................: 20 Smart extensions.................: on Macro heuristic..................: on File heuristic...................: medium Start of the scan: Wednesday, June 25, 2008 00:50 The scan of running processes will be started Scan process 'avscan.exe' - '1' Module(s) have been scanned Scan process 'avcenter.exe' - '1' Module(s) have been scanned Scan process 'firefox.exe' - '1' Module(s) have been scanned Scan process 'notepad.exe' - '1' Module(s) have been scanned Scan process 'explorer.exe' - '1' Module(s) have been scanned Scan process 'xfire.exe' - '1' Module(s) have been scanned Scan process 'GoogleUpdater.exe' - '1' Module(s) have been scanned Scan process 'SUPERANTISPYWARE.EXE' - '1' Module(s) have been scanned Scan process 'VeohClient.exe' - '1' Module(s) have been scanned Scan process 'ctfmon.exe' - '1' Module(s) have been scanned Scan process 'steam.exe' - '1' Module(s) have been scanned Scan process 'daemon.exe' - '1' Module(s) have been scanned Scan process 'avgnt.exe' - '1' Module(s) have been scanned Scan process 'soundman.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'wcmmon.exe' - '1' Module(s) have been scanned Scan process 'jusched.exe' - '1' Module(s) have been scanned Scan process 'wuauclt.exe' - '1' Module(s) have been scanned Scan process 'wscntfy.exe' - '1' Module(s) have been scanned Scan process 'alg.exe' - '1' Module(s) have been scanned Scan process 'ViewpointService.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'StarWindServiceAE.exe' - '1' Module(s) have been scanned Scan process 'PnkBstrA.exe' - '1' Module(s) have been scanned Scan process 'GoogleUpdaterService.exe' - '1' Module(s) have been scanned Scan process 'avguard.exe' - '1' Module(s) have been scanned Scan process 'sched.exe' - '1' Module(s) have been scanned Scan process 'spoolsv.exe' - '1' Module(s) have been scanned Scan process 'aawservice.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'svchost.exe' - '1' Module(s) have been scanned Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned Scan process 'lsass.exe' - '1' Module(s) have been scanned Scan process 'services.exe' - '1' Module(s) have been scanned Scan process 'winlogon.exe' - '1' Module(s) have been scanned Scan process 'csrss.exe' - '1' Module(s) have been scanned Scan process 'smss.exe' - '1' Module(s) have been scanned 41 processes with 41 modules were scanned Starting master boot sector scan: Master boot sector HD0 [INFO] No virus was found! Master boot sector HD1 [INFO] No virus was found! Start scanning boot sectors: Boot sector 'C:\' [INFO] No virus was found! Boot sector 'F:\' [INFO] No virus was found! Starting to scan the registry. The registry was scanned ( '27' files ). Starting the file scan: Begin scan in 'C:\' C:\hiberfil.sys [WARNING] The file could not be opened! C:\pagefile.sys [WARNING] The file could not be opened! C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\bulmfiles.dll [DETECTION] Contains suspicious code HEUR/Malware [NOTE] The file was moved to '48cddd63.qua'! C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\mssjfilejs.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '48d4dd68.qua'! C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xptcisylgfile.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '48d5dd65.qua'! C:\Deckard\System Scanner\20080624213325\backup\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xpttisylgfile.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '49719c16.qua'! C:\Deckard\System Scanner\20080624213325\backup\WINDOWS\temp\111eeow.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '4892dd2e.qua'! C:\Deckard\System Scanner\20080624213325\backup\WINDOWS\temp\111ow.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '4930ef1f.qua'! C:\Deckard\System Scanner\20080624213325\backup\WINDOWS\temp\2ow.dll [DETECTION] Contains suspicious code HEUR/Malware [NOTE] The file was moved to '48d8dd6d.qua'! C:\Documents and Settings\Domebuddy\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.80734 [DETECTION] Contains suspicious code HEUR/Malware [NOTE] The file was moved to '48a2dd97.qua'! C:\Program Files\Common Files\Enterbrain\RGSS\Standard\Graphics.exe [WARNING] No further files can be extracted from this archive. The archive will be closed C:\Program Files\The Queen Of Fighters\Uninstall.exe [DETECTION] Is the Trojan horse TR/Delf.axt [NOTE] The file was moved to '48caefae.qua'! C:\QooBox\Quarantine\C\WINDOWS\27531365669.exe.vir [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen [NOTE] The file was moved to '4896f1c9.qua'! C:\QooBox\Quarantine\C\WINDOWS\633341857211.exe.vir [DETECTION] Is the Trojan horse TR/Crypt.NSPI.Gen [NOTE] The file was moved to '4894f1c5.qua'! C:\QooBox\Quarantine\C\WINDOWS\96435308487.exe.vir [DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen [NOTE] The file was moved to '4895f1c8.qua'! C:\QooBox\Quarantine\C\WINDOWS\Tasks\0x01xx8p.exe.vir [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4891f20b.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP208\A0275567.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1da.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP208\A0276567.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1db.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP208\A0277567.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1e0.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP209\A0278567.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1e2.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP210\A0279567.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1e3.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP213\A0280567.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1e6.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280652.exe [DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen [NOTE] The file was moved to '4893f1eb.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280655.exe [DETECTION] Is the Trojan horse TR/Crypt.NSPM.Gen [NOTE] The file was moved to '490ceabc.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280656.exe [DETECTION] Is the Trojan horse TR/Crypt.NSPI.Gen [NOTE] The file was moved to '4893f1ed.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280657.exe [DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen [NOTE] The file was moved to '4893f1ec.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280711.dll [DETECTION] Contains suspicious code HEUR/Malware [NOTE] The file was moved to '490ceabe.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280712.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '4893f1ef.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280713.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '4893f1ee.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280714.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '490ceabf.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280715.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '4893f190.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280716.dll [DETECTION] Is the Trojan horse TR/Spy.Gen [NOTE] The file was moved to '490ceac1.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280717.dll [DETECTION] Contains suspicious code HEUR/Malware [NOTE] The file was moved to '490ceaa0.qua'! C:\System Volume Information\_restore{BDE1994C-534A-454E-A246-9B87A82EC0F9}\RP215\A0280723.exe [DETECTION] Is the Trojan horse TR/Delf.axt [NOTE] The file was moved to '4893f1f1.qua'! C:\WINDOWS\system32\drivers\sptd.sys [WARNING] The file could not be opened! Begin scan in 'F:\' End of the scan: Wednesday, June 25, 2008 02:32 Used time: 1:42:15 min The scan has been done completely. 15461 Scanning directories 379337 Files were scanned 26 viruses and/or unwanted programs were found 5 Files were classified as suspicious: 0 files were deleted 0 files were repaired 31 files were moved to quarantine 0 files were renamed 4 Files cannot be scanned 379311 Files not concerned 2224 Archives were scanned 4 Warnings 31 Notes File vcrxfileju.dll received on 06.17.2008 06:53:14 (CET) Current status: finished Result: 13/33 (39.39%) Compact Compact Print results Print results Antivirus Version Last Update Result AhnLab-V3 2008.6.17.0 2008.06.16 - AntiVir 7.8.0.55 2008.06.16 TR/ATRAPS.Gen Authentium 5.1.0.4 2008.06.17 W32/Warezov.gen3!W32DL Avast 4.8.1195.0 2008.06.16 - AVG 7.5.0.516 2008.06.16 - BitDefender 7.2 2008.06.17 Generic.PWStealer.928430AF CAT-QuickHeal 9.50 2008.06.16 - ClamAV 0.93.1 2008.06.17 - DrWeb 4.44.0.09170 2008.06.16 - eSafe 7.0.15.0 2008.06.16 - eTrust-Vet 31.6.5880 2008.06.17 - Ewido 4.0 2008.06.16 - F-Prot 4.4.4.56 2008.06.12 W32/Warezov.gen3!W32DL F-Secure 6.70.13260.0 2008.06.17 - Fortinet 3.14.0.0 2008.06.17 - GData 2.0.7306.1023 2008.06.17 - Ikarus T3.1.1.26.0 2008.06.17 - Kaspersky 7.0.0.125 2008.06.17 - McAfee 5318 2008.06.16 - Microsoft 1.3604 2008.06.17 - NOD32v2 3192 2008.06.17 probably a variant of Win32/Genetik Norman 5.80.02 2008.06.16 - Panda 9.0.0.4 2008.06.16 Suspicious file Prevx1 V2 2008.06.17 Malicious Software Rising 20.49.02.00 2008.06.16 Trojan.PSW.Win32.YBOnline.dw Sophos 4.30.0 2008.06.17 Sus/Behav-1007 Sunbelt 3.0.1153.1 2008.06.15 Trojan-PSW.Win32.Nilage.o Symantec 10 2008.06.17 - TheHacker 6.2.92.352 2008.06.17 - TrendMicro 8.700.0.1004 2008.06.17 PAK_Generic.005 VBA32 3.12.6.7 2008.06.17 suspected of Backdoor.XiaoBird.3 VirusBuster 4.3.26:9 2008.06.12 - Webwasher-Gateway 6.6.2 2008.06.17 Trojan.ATRAPS.Gen The other 2 showed up before, but i forgot to copy the results down, after i did combofix, the files no longer existed ComboFix 08-06-20.4 - Domebuddy 2008-06-24 21:46:34.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.553 [GMT -5:00] Running from: C:\Documents and Settings\Domebuddy\Desktop\ComboFix.exe * Created a new restore point WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !! . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Domebuddy\Application Data\inst.exe C:\WINDOWS\27531365669.exe C:\WINDOWS\633341857211.exe C:\WINDOWS\96435308487.exe C:\WINDOWS\system32\CMMGR32.EXE C:\WINDOWS\system32\d.txt C:\WINDOWS\system32\windows.txt C:\WINDOWS\Tasks\0x01xx8p.exe Infected copy of C:\WINDOWS\system32\spoolsv.exe was found & disinfected Restored copy from - C:\WINDOWS\system32\dllcache\spoolsv.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Legacy_NETWM ((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 ))))))))))))))))))))))))))))))) . 2008-06-24 21:22 . 2008-06-24 21:22 <DIR> d-------- C:\Program Files\Avira 2008-06-24 21:22 . 2008-06-24 21:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira 2008-06-22 16:19 . 2008-06-22 16:19 <DIR> d-------- C:\Deckard 2008-06-22 05:26 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll 2008-06-22 05:26 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll 2008-06-22 05:26 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll 2008-06-22 05:26 . 2008-03-05 16:03 479,752 --a------ C:\WINDOWS\system32\XAudio2_0.dll 2008-06-22 05:26 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll 2008-06-22 05:26 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll 2008-06-22 05:26 . 2008-03-05 16:03 238,088 --a------ C:\WINDOWS\system32\xactengine3_0.dll 2008-06-22 05:26 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll 2008-06-22 05:26 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll 2008-06-22 05:26 . 2008-03-05 16:00 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_3.dll 2008-06-22 05:25 . 2008-06-22 05:25 <DIR> d-------- C:\WINDOWS\Logs 2008-06-22 05:25 . 2008-03-05 15:56 3,786,760 --a------ C:\WINDOWS\system32\D3DX9_37.dll 2008-06-22 05:25 . 2008-03-05 15:56 1,420,824 --a------ C:\WINDOWS\system32\D3DCompiler_37.dll 2008-06-22 05:25 . 2008-02-05 23:07 462,864 --a------ C:\WINDOWS\system32\d3dx10_37.dll 2008-06-22 05:24 . 2008-06-22 05:24 <DIR> d-------- C:\Program Files\Utherverse Digital Inc 2008-06-22 05:24 . 2008-06-22 05:25 <DIR> d--h-c--- C:\Documents and Settings\All Users\Application Data\{D2A9AAE9-BAF5-4CBE-8CC4-9314EE287B09} 2008-06-21 19:38 . 2008-06-21 19:38 <DIR> d-------- C:\Program Files\Guitar Pro 5 2008-06-19 23:03 . 2008-04-04 18:07 5,632 --a------ C:\WINDOWS\system32\udcpm.dll 2008-06-19 23:02 . 2008-06-19 23:04 <DIR> dr------- C:\UDC Output Files 2008-06-19 23:02 . 2008-06-19 23:03 <DIR> d-------- C:\Program Files\Universal Document Converter 2008-06-19 16:38 . 2008-06-19 16:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-19 16:37 . 2008-06-20 17:57 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-06-19 16:37 . 2008-06-19 16:37 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\SUPERAntiSpyware.com 2008-06-18 23:12 . 2008-06-18 23:12 <DIR> dr-h----- C:\Documents and Settings\Domebuddy\Application Data\SecuROM 2008-06-18 14:15 . 2008-06-18 14:15 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\Viewpoint 2008-06-17 17:19 . 2008-06-17 17:19 <DIR> d-------- C:\Program Files\Trend Micro 2008-06-17 15:13 . 2008-06-18 01:11 <DIR> d-------- C:\Program Files\Electronic Arts 2008-06-17 14:44 . 2008-06-17 14:44 <DIR> d-------- C:\ProgramData 2008-06-17 14:44 . 2008-06-18 01:11 2,004 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg 2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Program Files\Common Files\Download Manager 2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\Malwarebytes 2008-06-16 19:04 . 2008-06-16 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-06-16 19:04 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys 2008-06-16 19:04 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-06-16 18:28 . 2008-06-16 18:29 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy 2008-06-16 18:28 . 2008-06-16 19:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy 2008-06-16 15:58 . 2008-06-23 22:31 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\SPORE Creature Creator 2008-06-16 15:58 . 2008-06-16 15:58 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll 2008-06-16 14:00 . 2008-06-16 14:00 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\dyyno-vlc 2008-06-16 13:59 . 2008-06-16 13:59 <DIR> d-------- C:\Program Files\Dyyno 2008-06-12 14:25 . 58 C:\QQ,�DOx��dD�I�,��I�x�x��.url 2008-06-12 14:25 . 47 C:\I��x��x��-E��1_�.url 2008-06-12 14:15 . 2008-06-16 16:09 20,192 ---hs---- C:\WINDOWS\system32\vcrxfileju.dll 2008-06-09 17:26 . 2008-06-09 17:58 <DIR> d-------- C:\Program Files\MAME32k 2008-06-09 14:00 . 2008-06-09 14:00 <DIR> d-------- C:\Program Files\Common Files\plugin 2008-06-04 04:56 . 2008-06-04 05:01 <DIR> d-------- C:\Program Files\keyclone 2008-06-02 19:56 . 2008-06-02 19:56 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll 2008-06-01 02:04 . 2008-06-01 23:11 <DIR> d-------- C:\Documents and Settings\Domebuddy\Application Data\Bamzooki 2008-06-01 02:01 . 2008-06-01 02:01 <DIR> d-------- C:\Program Files\BAMZOOKi . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-06-25 03:01 --------- d-----w C:\Program Files\Steam 2008-06-25 02:18 --------- d-----w C:\Program Files\Warcraft III 2008-06-25 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater 2008-06-24 04:38 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\MegauploadToolbar 2008-06-24 03:30 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-24 02:37 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\Xfire 2008-06-19 21:35 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard 2008-06-19 19:22 --------- d-----w C:\Program Files\Xfire 2008-06-19 04:08 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\uTorrent 2008-06-18 00:05 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\mIRC 2008-06-18 00:03 --------- d-----w C:\Program Files\mIRC 2008-06-12 19:25 0 --sh--w C:\Program Files\desktoq.ini 2008-06-09 21:46 --------- d-----w C:\Program Files\zbattle.net 2008-06-09 03:07 --------- d-----w C:\Program Files\World of Warcraft 2008-06-08 16:22 --------- d-----w C:\Program Files\FrostWire 2008-05-23 00:37 --------- d-----w C:\Program Files\Rockstar Games 2008-05-22 21:46 --------- d-----w C:\Program Files\SystemRequirementsLab 2008-05-22 21:46 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\SystemRequirementsLab 2008-05-09 23:21 --------- d-----w C:\Program Files\Atari 2008-05-09 23:20 --------- d-----w C:\Program Files\WarZone 2008-05-09 23:20 --------- d-----w C:\Program Files\Three Rings Design 2008-05-09 23:19 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\Lionhead Studios 2008-05-09 23:13 94,208 ----a-w C:\Documents and Settings\Domebuddy\Application Data\ezplay.sys 2008-05-09 23:13 47,360 ----a-w C:\Documents and Settings\Domebuddy\Application Data\pcouffin.sys 2008-05-09 23:13 --------- d-----w C:\Program Files\VSO 2008-05-09 23:13 --------- d-----w C:\Documents and Settings\Domebuddy\Application Data\Vso 2008-05-02 22:18 --------- d-----w C:\Program Files\WolfQuest 2008-05-02 20:26 --------- d-----w C:\Program Files\Realtek AC97 2008-05-02 20:22 315,392 ----a-w C:\WINDOWS\HideWin.exe 2008-05-01 20:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\TrackMania 2008-04-25 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! 2008-04-25 21:34 --------- d-----w C:\Program Files\Yahoo! 2008-01-25 23:04 32 ----a-r C:\Documents and Settings\All Users\hash.dat 2007-11-13 17:12 444 ----a-w C:\Program Files\Read-Me.txt 2007-11-07 16:34 2,732 ----a-w C:\Documents and Settings\Domebuddy\layout.bin 2007-11-07 16:25 372,736 ----a-w C:\Documents and Settings\Domebuddy\setup.exe 2007-10-25 03:13 20,962,344 -c--a-w C:\Program Files\Toribash-2.8.rar 2007-04-27 14:06 156,616 ----a-w C:\Documents and Settings\Domebuddy\_Setup.dll 2007-04-18 22:06 535,552 ----a-w C:\Documents and Settings\Domebuddy\ISSetup.dll 2000-02-02 00:01 36,864 --sh--r C:\WINDOWS\system32\soni32drv.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}] 2007-11-01 17:52 66912 --a------ C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 09:16 171464] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-03 09:40 68856] "Steam"="c:\program files\steam\steam.exe" [2008-03-28 11:49 1271032] "AlcoholAutomount"="C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" [2007-12-22 02:23 221568] "Aim6"="" [] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360] "Veoh"="C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" [2008-04-18 14:30 3628080] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-06-20 17:57 1506544] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 12:17 61440] "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784] "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720] "WebcamMaxMoniter"="C:\Program Files\WebcamMax\wcmmon.exe" [2007-07-31 19:55 450048] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 22:32 208952] "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 22:31 59392] "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168] "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 22:32 455168] "NvMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" [2004-03-03 14:30 131072] "SoundMan"="SOUNDMAN.EXE" [2006-03-01 16:22 577536 C:\WINDOWS\soundman.exe] "UDC Integration"="" [] "avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401] C:\Documents and Settings\Domebuddy\Start Menu\Programs\Startup\ Xfire.lnk - C:\Program Files\Xfire\xfire.exe [2008-06-02 19:56:46 3017040] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-02-03 09:40:08 125624] [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks] "{0014D502-D7A2-456A-AE04-EB9ABF822FE4}"= C:\WINDOWS\TEMP\2ow.dll [ ] "{E8606370-4F7A-4C2F-A39C-EDCDCC177924}"= C:\WINDOWS\system32\vcrxfileju.dll [2008-06-16 16:09 20192] "{0021C267-E883-4899-BD2E-1B6F926757E7}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\bulmfiles.dll [ ] "{C51C4AFB-2A3A-6C2E-BA41-C10F02760731}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\xptcisylgfile.dll [ ] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-06-20 17:57 77824] "{00177B18-5DF9-42C3-916E-5EE7D13D09DC}"= C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\mssjfilejs.dll [ ] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-06-20 17:57 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.JDCT"= jl_jdct.drv "VIDC.XFR1"= xfcodec.dll "vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Xfire\\xfire.exe"= "C:\\Program Files\\Steam\\Steam.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Steam\\steamapps\\tuftoe\\source sdk base\\hl2.exe"= "C:\\Program Files\\Steam\\steamapps\\tuftoe\\source dedicated server\\srcds.exe"= "C:\\Program Files\\Mozilla Firefox\\firefox.exe"= "C:\\Program Files\\Sierra Online\\FreeStyle Street Basketball™\\FreeStyle.exe"= "C:\\Program Files\\uTorrent\\uTorrent.exe"= "C:\\Program Files\\FrostWire\\FrostWire.exe"= "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "C:\\Program Files\\YVD\\YGO Virtual Desktop V086.exe"= "C:\\Program Files\\Steam\\steamapps\\tuftoe\\garrysmod\\hl2.exe"= "C:\\Program Files\\Steam\\steamapps\\tuftoe\\team fortress classic\\hl.exe"= "C:\\Program Files\\Steam\\steamapps\\tuftoe\\counter-strike source\\hl2.exe"= "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= R2 CamthWDM;WebcamMax, WDM Video Capture;C:\WINDOWS\system32\DRIVERS\CamthWDM.sys [2007-01-11 00:39] R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 16:38] S3 cdrmkaun;cdrmkaun;C:\DOCUME~1\DOMEBU~1\LOCALS~1\Temp\cdrmkaun.sys [] S3 JL2005C;Dual Mode Camera;C:\WINDOWS\system32\Drivers\jl2005c.sys [2007-04-10 13:36] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b87df148-0cea-11dd-9ac5-806d6172696f}] \Shell\AutoRun\command - D:\Autorun.exe root.ini Newly Created Service - SSMDRV . Contents of the 'Scheduled Tasks' folder "2008-06-24 01:18:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job" - C:\Program Files\Apple Software Update\SoftwareUpdate.exe "2008-06-25 02:40:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job" - C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE . ************************************************************************ catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-06-24 22:01:04 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************************************** . ------------------------ Other Running Processes ------------------------ . C:\WINDOWS\system32\ati2evxx.exe C:\WINDOWS\system32\ati2evxx.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe C:\WINDOWS\system32\PnkBstrA.exe C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe C:\WINDOWS\system32\wscntfy.exe . ************************************************************************ . Completion time: 2008-06-24 22:12:37 - machine was rebooted ComboFix-quarantined-files.txt 2008-06-25 03:12:30 Pre-Run: 3,918,180,352 bytes free Post-Run: 3,834,568,704 bytes free 234

Dome View Member Profile	Jun 25 2008, 10:21 PM Post #6
Member Posts: 21 OS: Windows XP	I just had an issue with vcrxfileju.dll My antivirus was constantly detecting it and every time i tried to quarantine, delete or deny its access it just popped up again, i pressed rename after tryin a bunch more times to quarantine it and it went away, i'm not exactly sure what rename does

Chopin View Member Profile	Jun 29 2008, 05:49 PM Post #7
In love with Chopin! Posts: 2,611 From: My piano? OS: Windows XP Professional SP2	Hello Dome, sorry about the delay Rename with AntiVir renders the file (usually) un-runnable, but leaves it still on your system. Do you know the program Hide Window Plus 4? If not, it's most likely installed by malware. Please read my entire post before commencing, and please follow my instructions in the order that they are given If you don't understand something, don't be afraid to ask! 1. Run OTMoveIt2 ------------------------------------------------ If you haven't already, please download the OTMoveIt2 by OldTimer. Save it to your desktop. Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator") Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy): QUOTE C:\QQ,�DOx��dD�I�,��I�x�x��.url C:\I��x��x��-E��1_�.url C:\WINDOWS\system32\vcrxfileju.* C:\Program Files\desktoq.ini Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste. Click the red Moveit! button. A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply. Close OTMoveIt2 If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. 2. Scan with Kaspersky WebScanner ------------------------------------------------ Please do an online scan with Kaspersky WebScanner Kaspersky online scanner uses JAVA tecnology to perform the scan. If you do not have the latest JAVA version, follow the instrutions below under Upgrading Java, to download and install the latest vesion. Read through the requirements and privacy statement and click on Accept button. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run. When the downloads have finished, click on Settings. Make sure the following is checked. Spyware, Adware, Dialers, and other potentially dangerous programs Archives Mail databases Click on My Computer under Scan. Once the scan is complete, it will display the results. Click on View Scan Report. You will see a list of infected items there. Click on Save Report As.... Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Please post this log in your next reply. In your next post ------------------------------------------------ OTMoveIt2 log Kaspersky WebScanner log

Chopin View Member Profile	Jul 8 2008, 07:06 PM Post #8
In love with Chopin! Posts: 2,611 From: My piano? OS: Windows XP Professional SP2	Due to lack of feedback, this topic has been closed. If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.

« Next Oldest · Virus, Spyware and Trojan Removal · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Topic Title	Replies / Views	Topic Information
Virus, Spyware and Trojan Removal possible keylogger! ; ; hjt log [CLOSED]	4 / 197	1st July 2006 - 02:51 PM Syztem started - last by greyknight17
Virus, Spyware and Trojan Removal Possible Keylogger? [CLOSED]	2 / 451	17th January 2008 - 12:30 PM jack768 started - last by Essexboy
Virus, Spyware and Trojan Removal Concerned about possible keylogger? [CLOSED]	6 / 470	27th July 2008 - 03:14 AM Magneto started - last by sage5
Virus, Spyware and Trojan Removal Possible Keylogger [Closed]	3 / 209	10th August 2009 - 05:38 PM Baggaviagra started - last by emeraldnzl