Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

jkxcnuoc.exe? [RESOLVED]

Started by k0rrupt , Jan 04 2008 07:01 PM

This topic is locked

#16
Rorschach112

Posted 07 January 2008 - 11:27 AM

Ralphie

Retired Staff
47,710 posts

Bit of work to do. Don't attach the ComboFix reports from now on

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\Program Files\Common Files\System\$sys$explorer.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\miqavktt.dll
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\system32\miqavktt.dll
C:\WINDOWS\system32\ssqrr.exe
C:\WINDOWS\system32\ssqrr.dll

Folder::
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\ardCo01
C:\Temp\cEeer12

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

#17
k0rrupt

Posted 10 January 2008 - 12:20 PM

Member

Topic Starter
Member
23 posts

ComboFix 08-01-05.1 - Van 2008-01-10 10:24:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1366 [GMT -8:00]
Running from: C:\Documents and Settings\Van\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Van\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\miqavktt.dll
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AIM\aim.exe
C:\Program Files\Winamp\winamp .exe
C:\Temp\cEeer12
C:\Temp\cEeer12\skAt.log
C:\WINDOWS\_MSRSTRT.EXE
C:\WINDOWS\mrofinu572.exe.tmp
C:\WINDOWS\system32\aj2
C:\WINDOWS\system32\ardCo01
C:\WINDOWS\system32\ardCo01\ardCo011065.exe
C:\WINDOWS\system32\fqmrulap.dll
C:\WINDOWS\system32\mbvyxfjr.exe
C:\WINDOWS\system32\miqavktt.dll
C:\WINDOWS\system32\mr9
C:\WINDOWS\system32\nwiz .exe
C:\WINDOWS\system32\palurmqf.ini
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.exe
C:\WINDOWS\system32\tyoaqrlw.dll

<pre>
"C:\Program Files\AIM\aim .exe" replaces infected copy of "C:\Program Files\AIM\aim.exe"
"C:\Program Files\Winamp\winamp .exe" moved to QooBox
"C:\WINDOWS\system32\nwiz .exe" moved to QooBox
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 10:28 . 2008-01-10 10:28 1,626,112 --a------ C:\WINDOWS\system32\nwiz .exe
2008-01-10 10:28 . 2008-01-10 10:28 344,576 --------- C:\WINDOWS\system32\ssqrr.dll
2008-01-09 00:03 . 2008-01-09 00:03 <DIR> d-------- C:\My Downloads
2008-01-09 00:02 . 2008-01-09 00:05 <DIR> d-------- C:\Program Files\BearShare
2008-01-08 19:44 . 2008-01-08 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 19:44 . 2008-01-08 19:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-05 16:25 . 2008-01-05 16:25 <DIR> d-------- C:\Deckard
2008-01-04 19:44 . 2008-01-04 23:13 1,043,809 --ahs---- C:\WINDOWS\system32\rhuexpsy.ini
2008-01-04 19:37 . 2008-01-04 19:37 <DIR> d-------- C:\Program Files\MemTurbo30
2008-01-04 19:32 . 2008-01-07 00:05 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-04 19:12 . 2008-01-04 19:13 391 --a------ C:\WINDOWS\system32\d-delA.dat
2008-01-04 19:12 . 2008-01-04 19:12 0 --a------ C:\WINDOWS\system32\V-FilesB.dat
2008-01-04 17:40 . 2008-01-04 17:40 661,159 --a------ C:\catchme2008-01-04_190812.04.zip
2008-01-04 17:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 22:10 . 2008-01-04 16:32 <DIR> d-------- C:\Program Files\Power MP3 WMA Converter
2008-01-02 04:17 . 2008-01-04 17:30 403 --a------ C:\WINDOWS\wininit.ini
2008-01-02 01:55 . 2008-01-10 10:26 <DIR> d-------- C:\Temp
2007-12-31 18:29 . 2007-12-31 18:29 1 --a------ C:\WINDOWS\system32\DJ Doboy - Trancequility Megamix Volume 31.cue
2007-12-31 03:37 . 2007-12-31 03:37 <DIR> dr-h----- C:\Documents and Settings\Van\Application Data\SecuROM
2007-12-31 03:37 . 2007-12-31 03:37 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-31 03:29 . 2007-12-31 03:29 <DIR> d-------- C:\Program Files\Flagship Studios
2007-12-31 02:42 . 2007-12-31 02:42 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Syntrillium
2007-12-31 02:42 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-12-31 02:42 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-12-31 02:42 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-12-31 02:42 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-31 02:42 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-12-31 02:42 . 2007-12-31 02:42 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2007-12-31 02:41 . 2007-12-31 02:43 <DIR> d-------- C:\Program Files\coolpro2
2007-12-29 00:29 . 2007-12-29 00:29 <DIR> d-------- C:\Program Files\DivX
2007-12-28 01:46 . 2008-01-02 22:31 <DIR> d-------- C:\Documents and Settings\Van\Application Data\BearShare
2007-12-28 01:46 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-27 22:38 . 2007-12-27 22:38 <DIR> d-------- C:\Program Files\Sega
2007-12-27 22:30 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-12-27 22:30 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-27 22:30 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-27 22:30 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-27 22:30 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-12-27 22:29 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-12-27 22:29 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-12-27 22:29 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-12-27 22:29 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-12-27 22:14 . 2008-01-04 19:32 <DIR> d-------- C:\Documents and Settings\Van\Application Data\DAEMON Tools
2007-12-27 22:12 . 2007-12-27 22:12 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-26 23:33 . 2007-12-26 23:33 <DIR> d-------- C:\nvram
2007-12-26 15:55 . 2007-12-26 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-26 14:44 . 2007-12-26 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 14:43 . 2007-12-26 14:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-26 14:43 . 2007-12-26 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 14:08 . 2007-12-26 14:08 <DIR> d-------- C:\Program Files\Bonjour
2007-12-26 14:03 . 2007-12-26 14:03 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-26 11:58 . 2007-12-26 11:58 <DIR> d-------- C:\Program Files\Stardock
2007-12-26 11:46 . 2007-12-26 11:47 81 --------- C:\WINDOWS\WB.ini
2007-12-26 11:25 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-12-26 11:18 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-12-26 11:18 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-12-25 18:47 . 2007-12-25 18:47 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Media Player Classic
2007-12-25 18:44 . 2007-12-25 18:44 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-25 18:43 . 2007-12-25 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 18:43 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 18:43 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-25 18:42 . 2007-12-25 18:42 <DIR> d-------- C:\Program Files\Xvid
2007-12-25 18:42 . 2007-12-25 18:43 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 18:42 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-25 18:39 . 2007-12-25 18:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-25 15:37 . 2007-12-25 15:37 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-25 15:28 . 2008-01-10 10:24 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-25 15:20 . 2007-12-25 15:21 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Ventrilo
2007-12-25 15:16 . 2007-12-26 16:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 15:11 . 2007-12-25 15:11 <DIR> d-------- C:\Program Files\BitTornado
2007-12-25 15:11 . 2007-12-25 15:11 <DIR> d-------- C:\Documents and Settings\Van\Application Data\.BitTornado
2007-12-25 13:59 . 2007-12-25 14:00 <DIR> d-------- C:\WINDOWS\system32\MsDtc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 18:28 348,160 ----a-w C:\WINDOWS\system32\ssqrr.exe
2008-01-10 18:28 --------- d-----w C:\Program Files\AIM
2008-01-10 18:26 --------- d-----w C:\Program Files\Winamp
2008-01-07 08:03 2,101,248 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-01-05 03:21 --------- d-----w C:\Program Files\AOD
2007-12-28 06:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 22:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-25 23:11 --------- d-----w C:\Documents and Settings\Van\Application Data\.BitTornado
2007-12-25 23:06 --------- d-----w C:\Documents and Settings\Van\Application Data\Winamp
2007-12-25 22:55 --------- d-----w C:\Program Files\Ventrilo
2007-12-25 22:52 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 22:52 --------- d-----w C:\Program Files\Realtek
2007-12-25 22:20 --------- d-----w C:\Program Files\AWS
2007-12-25 22:20 --------- d-----w C:\Documents and Settings\Van\Application Data\Aim
2007-12-25 22:19 --------- d-----w C:\Program Files\Viewpoint
2007-12-25 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 22:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-25 22:13 --------- d-----w C:\Program Files\Intel
2007-12-25 22:09 --------- d-----w C:\Program Files\Avant Browser
2007-12-25 22:09 --------- d-----w C:\Documents and Settings\Van\Application Data\Avant Profiles
2007-12-25 22:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-08 02:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-05 10:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 09:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 09:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 09:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 09:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 09:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 09:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 09:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 09:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 09:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 09:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 09:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 09:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 09:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 09:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 09:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 09:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 09:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 09:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 09:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 09:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 09:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 09:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 09:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 09:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 09:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 09:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 09:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 09:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 09:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 09:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 09:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 10:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 07:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 07:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-13 07:19 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2007-10-13 07:19 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
.

<pre>
----a-w		 1,626,112 2008-01-10 18:28:34  C:\WINDOWS\system32\nwiz .exe
</pre>

((((((((((((((((((((((((((((( snapshot@2008-01-07_ 0.09.14.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-17 22:55:56 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbd101b.dll
+ 2001-08-17 22:55:56 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbd101c.dll
+ 2001-08-17 22:55:56 5,632 -c--a-w C:\WINDOWS\system32\dllcache\kbd103.dll
+ 2001-08-17 22:55:56 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbd106.dll
+ 2001-08-18 06:36:18 8,704 -c--a-w C:\WINDOWS\system32\dllcache\kbdjpn.dll
+ 2001-08-18 06:36:18 8,192 -c--a-w C:\WINDOWS\system32\dllcache\kbdkor.dll
+ 2001-08-17 22:55:56 6,144 ----a-w C:\WINDOWS\system32\kbd101b.dll
+ 2001-08-17 22:55:56 6,144 ----a-w C:\WINDOWS\system32\kbd101c.dll
+ 2001-08-17 22:55:56 5,632 ----a-w C:\WINDOWS\system32\kbd103.dll
+ 2001-08-17 22:55:56 6,144 ----a-w C:\WINDOWS\system32\kbd106.dll
+ 2001-08-18 06:36:18 8,704 ----a-w C:\WINDOWS\system32\kbdjpn.dll
+ 2001-08-18 06:36:18 8,192 ----a-w C:\WINDOWS\system32\kbdkor.dll
+ 2004-08-04 12:00:00 708,096 ----a-w C:\WINDOWS\system32\ntdll.dll
+ 2004-08-04 12:00:00 708,096 ----a-w C:\WINDOWS\system32\ntdll.dll.vir
+ 2008-01-10 18:29:03 16,384 ----atw C:\WINDOWS\temp\Perflib_Perfdata_1f0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FF418698-13E0-4EDA-9DCC-BB6F49A4EC1B}]
2008-01-10 10:28 344576 --------- C:\WINDOWS\system32\ssqrr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [2008-01-10 10:28 436224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2008-01-07 00:03 2101248 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Van\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2008-01-04 19:37:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-26 12:13 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ssqrr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ssqrr

S2 Explorer;Explorer;"C:\Program Files\Common Files\System\$sys$explorer.exe" [2007-12-26 11:40]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 10:29:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
-> C:\WINDOWS\system32\ssqrr.dll
-> C:\Program Files\MemTurbo30\cpurocket.dll
-> C:\Program Files\WinRAR\rarext.dll
.
Completion time: 2008-01-10 10:31:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 18:31:02
ComboFix2.txt 2008-01-07 08:09:40

http://www.virustota...65c50a82aa80568

Edited by k0rrupt, 10 January 2008 - 12:33 PM.

#18
Rorschach112

Posted 10 January 2008 - 01:04 PM

Ralphie

Retired Staff
47,710 posts

Hello

CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum

Click on "New Topic"
Put your name, e-mail address, and this as the title: "C:\Program Files\Common Files\System\$sys$explorer.exe"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:
- C:\Program Files\Common Files\System\$sys$explorer.exe
Click Open.
Click Post.

Thank you!

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

KillAll::

File::
C:\Program Files\Common Files\System\$sys$explorer.exe
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\rhuexpsy.ini
C:\WINDOWS\system32\ssqrr.exe

RENV::
C:\WINDOWS\system32\nwiz .exe

Driver::
Explorer

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

#19
k0rrupt

Posted 10 January 2008 - 03:21 PM

Member

Topic Starter
Member
23 posts

ComboFix 08-01-05.1 - Van 2008-01-10 12:56:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1627 [GMT -8:00]
Running from: C:\Documents and Settings\Van\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Van\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\Program Files\Common Files\System\$sys$explorer.exe
C:\WINDOWS\system32\rhuexpsy.ini
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\System\$sys$explorer.exe
C:\Program Files\Winamp\winamp .exe
C:\WINDOWS\system32\rhuexpsy.ini
C:\WINDOWS\system32\rrqss.ini
C:\WINDOWS\system32\rrqss.ini2
C:\WINDOWS\system32\ssqrr.dll
C:\WINDOWS\system32\ssqrr.exe

<pre>
"C:\Program Files\Winamp\winamp .exe" moved to QooBox
</pre>

.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_EXPLORER
-------\Explorer

((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-09 00:03 . 2008-01-09 00:03 <DIR> d-------- C:\My Downloads
2008-01-09 00:02 . 2008-01-09 00:05 <DIR> d-------- C:\Program Files\BearShare
2008-01-08 19:44 . 2008-01-08 19:44 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-08 19:44 . 2008-01-08 19:44 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-05 16:25 . 2008-01-05 16:25 <DIR> d-------- C:\Deckard
2008-01-04 19:37 . 2008-01-04 19:37 <DIR> d-------- C:\Program Files\MemTurbo30
2008-01-04 19:32 . 2008-01-07 00:05 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-01-04 19:12 . 2008-01-04 19:13 391 --a------ C:\WINDOWS\system32\d-delA.dat
2008-01-04 19:12 . 2008-01-04 19:12 0 --a------ C:\WINDOWS\system32\V-FilesB.dat
2008-01-04 17:40 . 2008-01-04 17:40 661,159 --a------ C:\catchme2008-01-04_190812.04.zip
2008-01-04 17:35 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-02 22:10 . 2008-01-04 16:32 <DIR> d-------- C:\Program Files\Power MP3 WMA Converter
2008-01-02 04:17 . 2008-01-04 17:30 403 --a------ C:\WINDOWS\wininit.ini
2008-01-02 01:55 . 2008-01-10 10:26 <DIR> d-------- C:\Temp
2007-12-31 18:29 . 2007-12-31 18:29 1 --a------ C:\WINDOWS\system32\DJ Doboy - Trancequility Megamix Volume 31.cue
2007-12-31 03:37 . 2007-12-31 03:37 <DIR> dr-h----- C:\Documents and Settings\Van\Application Data\SecuROM
2007-12-31 03:37 . 2007-12-31 03:37 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-12-31 03:29 . 2007-12-31 03:29 <DIR> d-------- C:\Program Files\Flagship Studios
2007-12-31 02:42 . 2007-12-31 02:42 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Syntrillium
2007-12-31 02:42 . 2001-10-19 14:40 1,683,792 --a------ C:\WINDOWS\system32\wmvcore2.dll
2007-12-31 02:42 . 2001-10-19 14:40 665,424 --a------ C:\WINDOWS\system32\wmv8dmoe.dll
2007-12-31 02:42 . 2001-10-19 14:39 572,752 --a------ C:\WINDOWS\system32\wmvdmoe.dll
2007-12-31 02:42 . 2001-10-19 14:40 438,608 --a------ C:\WINDOWS\system32\wmv8dmod.dll
2007-12-31 02:42 . 2001-10-19 02:05 285,184 --a------ C:\WINDOWS\system32\wmidx2.ocx
2007-12-31 02:42 . 2007-12-31 02:42 156,910 --a------ C:\WINDOWS\WMSysPr8.prx
2007-12-31 02:41 . 2007-12-31 02:43 <DIR> d-------- C:\Program Files\coolpro2
2007-12-29 00:29 . 2007-12-29 00:29 <DIR> d-------- C:\Program Files\DivX
2007-12-28 01:46 . 2008-01-02 22:31 <DIR> d-------- C:\Documents and Settings\Van\Application Data\BearShare
2007-12-28 01:46 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-27 22:38 . 2007-12-27 22:38 <DIR> d-------- C:\Program Files\Sega
2007-12-27 22:30 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-12-27 22:30 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-12-27 22:30 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-12-27 22:30 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-12-27 22:30 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-12-27 22:29 . 2007-12-27 22:29 <DIR> d-------- C:\WINDOWS\system32\xlive
2007-12-27 22:29 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-12-27 22:29 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-12-27 22:29 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-12-27 22:29 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-12-27 22:14 . 2008-01-04 19:32 <DIR> d-------- C:\Documents and Settings\Van\Application Data\DAEMON Tools
2007-12-27 22:12 . 2007-12-27 22:12 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-26 23:33 . 2007-12-26 23:33 <DIR> d-------- C:\nvram
2007-12-26 15:55 . 2007-12-26 15:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-12-26 14:44 . 2007-12-26 15:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-26 14:43 . 2007-12-26 14:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-26 14:43 . 2007-12-26 14:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-26 14:08 . 2007-12-26 14:08 <DIR> d-------- C:\Program Files\Bonjour
2007-12-26 14:03 . 2007-12-26 14:03 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-12-26 11:58 . 2007-12-26 11:58 <DIR> d-------- C:\Program Files\Stardock
2007-12-26 11:46 . 2007-12-26 11:47 81 --------- C:\WINDOWS\WB.ini
2007-12-26 11:25 . 2007-07-11 15:06 42,672 --a------ C:\WINDOWS\system32\wbsys.dll
2007-12-26 11:18 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-12-26 11:18 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2007-12-25 18:47 . 2007-12-25 18:47 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Media Player Classic
2007-12-25 18:44 . 2007-12-25 18:44 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-25 18:43 . 2007-12-25 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-25 18:43 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 18:43 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-25 18:42 . 2007-12-25 18:42 <DIR> d-------- C:\Program Files\Xvid
2007-12-25 18:42 . 2007-12-25 18:43 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 18:42 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2007-12-25 18:39 . 2007-12-25 18:39 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-25 15:37 . 2007-12-25 15:37 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-12-25 15:28 . 2008-01-10 10:24 <DIR> d-------- C:\Program Files\World of Warcraft
2007-12-25 15:20 . 2007-12-25 15:21 <DIR> d-------- C:\Documents and Settings\Van\Application Data\Ventrilo
2007-12-25 15:16 . 2007-12-26 16:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-12-25 15:11 . 2007-12-25 15:11 <DIR> d-------- C:\Program Files\BitTornado
2007-12-25 15:11 . 2007-12-25 15:11 <DIR> d-------- C:\Documents and Settings\Van\Application Data\.BitTornado
2007-12-25 13:59 . 2007-12-25 14:00 <DIR> d-------- C:\WINDOWS\system32\MsDtc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-10 20:58 --------- d-----w C:\Program Files\Winamp
2008-01-10 20:58 --------- d-----w C:\Program Files\AIM
2008-01-10 18:28 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2008-01-05 03:21 --------- d-----w C:\Program Files\AOD
2007-12-28 06:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-26 22:43 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-12-25 23:11 --------- d-----w C:\Documents and Settings\Van\Application Data\.BitTornado
2007-12-25 23:06 --------- d-----w C:\Documents and Settings\Van\Application Data\Winamp
2007-12-25 22:55 --------- d-----w C:\Program Files\Ventrilo
2007-12-25 22:52 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-12-25 22:52 --------- d-----w C:\Program Files\Realtek
2007-12-25 22:20 --------- d-----w C:\Program Files\AWS
2007-12-25 22:20 --------- d-----w C:\Documents and Settings\Van\Application Data\Aim
2007-12-25 22:19 --------- d-----w C:\Program Files\Viewpoint
2007-12-25 22:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-25 22:15 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-25 22:13 --------- d-----w C:\Program Files\Intel
2007-12-25 22:09 --------- d-----w C:\Program Files\Avant Browser
2007-12-25 22:09 --------- d-----w C:\Documents and Settings\Van\Application Data\Avant Profiles
2007-12-25 22:04 --------- d-----w C:\Program Files\microsoft frontpage
2007-12-08 02:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-05 10:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 09:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 09:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 09:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 09:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 09:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 09:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 09:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 09:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 09:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 09:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 09:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 09:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 09:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 09:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 09:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 09:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 09:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 09:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 09:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 09:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 09:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 09:41 2,498,560 ----a-w C:\WINDOWS\system32\nvwss.dll
2007-12-05 09:41 188,416 ----a-w C:\WINDOWS\system32\nvmccss.dll
2007-12-05 09:41 155,716 ----a-w C:\WINDOWS\system32\nvsvc32.exe
2007-12-05 09:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 09:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 09:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 09:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 09:41 1,228,800 ----a-w C:\WINDOWS\system32\nvmobls.dll
2007-12-05 09:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 09:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-12-04 10:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 07:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 07:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-29 22:30 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-11-29 22:30 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-10-13 07:19 13,653,824 ----a-w C:\WINDOWS\system32\xlivefnt.dll
2007-10-13 07:19 10,155,840 ----a-w C:\WINDOWS\system32\xlive.dll
.

((((((((((((((((((((((((((((( snapshot@2008-01-07_ 0.09.14.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-17 22:55:56 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbd101b.dll
+ 2001-08-17 22:55:56 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbd101c.dll
+ 2001-08-17 22:55:56 5,632 -c--a-w C:\WINDOWS\system32\dllcache\kbd103.dll
+ 2001-08-17 22:55:56 6,144 -c--a-w C:\WINDOWS\system32\dllcache\kbd106.dll
+ 2001-08-18 06:36:18 8,704 -c--a-w C:\WINDOWS\system32\dllcache\kbdjpn.dll
+ 2001-08-18 06:36:18 8,192 -c--a-w C:\WINDOWS\system32\dllcache\kbdkor.dll
+ 2001-08-17 22:55:56 6,144 ----a-w C:\WINDOWS\system32\kbd101b.dll
+ 2001-08-17 22:55:56 6,144 ----a-w C:\WINDOWS\system32\kbd101c.dll
+ 2001-08-17 22:55:56 5,632 ----a-w C:\WINDOWS\system32\kbd103.dll
+ 2001-08-17 22:55:56 6,144 ----a-w C:\WINDOWS\system32\kbd106.dll
+ 2001-08-18 06:36:18 8,704 ----a-w C:\WINDOWS\system32\kbdjpn.dll
+ 2001-08-18 06:36:18 8,192 ----a-w C:\WINDOWS\system32\kbdkor.dll
+ 2004-08-04 12:00:00 708,096 ----a-w C:\WINDOWS\system32\ntdll.dll
+ 2004-08-04 12:00:00 708,096 ----a-w C:\WINDOWS\system32\ntdll.dll.vir
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [ ]
"AIM"="C:\Program Files\AIM\aim.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"nwiz"="nwiz.exe" [2008-01-10 10:28 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"RTHDCPL"="RTHDCPL.EXE" [2007-02-26 15:03 16125440 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\Van\Start Menu\Programs\Startup\
MemTurbo.lnk - C:\Program Files\MemTurbo30\MemTurbo.exe [2008-01-04 19:37:30]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbsrv.dll 2007-12-26 12:13 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 13:00:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.2180]
-> C:\Program Files\Stardock\Object Desktop\WindowBlinds\tray.dll
.
Completion time: 2008-01-10 13:01:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-10 21:01:07
ComboFix2.txt 2008-01-10 18:31:06
ComboFix3.txt 2008-01-07 08:09:40

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:21:07 PM, on 1/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Van\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemon-search.com/startpage

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3320 bytes

#20
Rorschach112

Posted 10 January 2008 - 03:54 PM

Ralphie

Retired Staff
47,710 posts

Hello

Download and scan with SUPERAntiSpyware Free for Home Users

Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Scan for tracking cookies.
- Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.

Also tell me how your PC is running

#21
k0rrupt

Posted 12 January 2008 - 04:37 PM

Member

Topic Starter
Member
23 posts

my PC is...running a bit strangely. Things will be disabled here and there, things won't launch here and there. sometimes a little tooltip at the bottom right says my memory is low and my PC will drop to a slug, even though my memory still shows over 1300 MB free.

Edited by k0rrupt, 12 January 2008 - 04:55 PM.

#22
Rorschach112

Posted 12 January 2008 - 04:43 PM

Ralphie

Retired Staff
47,710 posts

Go ahead and run the scan there

#23
k0rrupt

Posted 12 January 2008 - 05:05 PM

Member

Topic Starter
Member
23 posts

one of the "strange" things my comp does, cuz i can't think of anything else at the moment, i was trying to burn a .wav music CD with nero, and it would start scanning the songs that i wanted to burn, and then nero would just close. keeps doing it too.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/12/2008 at 02:58 PM

Application Version : 3.9.1008

Core Rules Database Version : 3379
Trace Rules Database Version: 1373

Scan type : Complete Scan
Total Scan Time : 00:20:28

Memory items scanned : 434
Memory threats detected : 4
Registry items scanned : 3597
Registry threats detected : 26
File items scanned : 23159
File threats detected : 196

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\SSQRR.DLL
C:\WINDOWS\SYSTEM32\SSQRR.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D7628295-1122-4E5B-BCA6-683C8725A0AA}
HKCR\CLSID\{D7628295-1122-4E5B-BCA6-683C8725A0AA}
HKCR\CLSID\{D7628295-1122-4E5B-BCA6-683C8725A0AA}\InprocServer32
HKCR\CLSID\{D7628295-1122-4E5B-BCA6-683C8725A0AA}\InprocServer32#ThreadingModel
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VTURQRR.DLL.VIR

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\TMRIQQVW.DLL
C:\WINDOWS\SYSTEM32\TMRIQQVW.DLL
HKLM\Software\Classes\CLSID\{fb8284ee-4a76-43df-bae0-7fb974d6e2b7}
HKCR\CLSID\{FB8284EE-4A76-43DF-BAE0-7FB974D6E2B7}
HKCR\CLSID\{FB8284EE-4A76-43DF-BAE0-7FB974D6E2B7}\InprocServer32
HKCR\CLSID\{FB8284EE-4A76-43DF-BAE0-7FB974D6E2B7}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{fb8284ee-4a76-43df-bae0-7fb974d6e2b7}
C:\DOCUMENTS AND SETTINGS\VAN\DESKTOP\WINPFIND35U\MOVEDFILES\01052008_162525\WINDOWS\SYSTEM32\OPTWKFXG.DLL
C:\DOCUMENTS AND SETTINGS\VAN\DESKTOP\WINPFIND35U\MOVEDFILES\01052008_162525\WINDOWS\SYSTEM32\YSPXEUHR.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007393.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007394.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007395.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007521.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007523.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007530.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\NIUCCKOB.DLL
C:\WINDOWS\SYSTEM32\NIUCCKOB.DLL

Adware.eZula
C:\WINDOWS\SYSTEM32\TUBHPHPU.EXE
C:\WINDOWS\SYSTEM32\TUBHPHPU.EXE
C:\WINDOWS\Prefetch\TUBHPHPU.EXE-30618C94.pf

Trojan.Downloader-Gen
[load] C:\WINDOWS\SYSTEM32\SSQRR.EXE
C:\WINDOWS\SYSTEM32\SSQRR.EXE
[load] C:\WINDOWS\SYSTEM32\SSQRR.EXE
[load] C:\WINDOWS\SYSTEM32\SSQRR.EXE
C:\DOCUMENTS AND SETTINGS\VAN\DESKTOP\WINPFIND35U\MOVEDFILES\01052008_162525\WINDOWS\SYSTEM32\SSQRR.EXE

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\QNHMHTTD.DLL

Trojan.Downloader-Gen/DDC
HKLM\System\ControlSet001\Services\DomainService
HKLM\System\ControlSet002\Services\DomainService
HKLM\System\CurrentControlSet\Services\DomainService
C:\DOCUMENTS AND SETTINGS\VAN\DESKTOP\WINPFIND35U\MOVEDFILES\01052008_162525\WINDOWS\SYSTEM32\KRUOJALL.EXE
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DYMVFCCU.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MBVYXFJR.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TAOWYEQO.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007391.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007392.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007519.EXE

Adware.Tracking Cookie
C:\Documents and Settings\Van\Cookies\van@serving-sys[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@tribalfusion[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@288_[1].txt
C:\Documents and Settings\Van\Cookies\van@mediaplex[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@advertising[1].txt
C:\Documents and Settings\Van\Cookies\van@smackinthecrack[2].txt
C:\Documents and Settings\Van\Cookies\van@realmedia[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@doubleclick[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@clicktorrent[2].txt
C:\Documents and Settings\Van\Cookies\van@tacoda[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@questionmarket[1].txt
C:\Documents and Settings\Van\Cookies\van@adbrite[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@spyguardpro[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@cgi-bin[2].txt
C:\Documents and Settings\Van\Cookies\van@valueclick[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@adultfriendfinder[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@webpower[2].txt
C:\Documents and Settings\Van\Cookies\van@yadro[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@eyewonder[2].txt
C:\Documents and Settings\Van\Cookies\van@trafficmp[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@collective-media[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@atwola[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][4].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@uclick[1].txt
C:\Documents and Settings\Van\Cookies\van@clicksor[2].txt
C:\Documents and Settings\Van\Cookies\van@xiti[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@cad-media[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@specificclick[2].txt
C:\Documents and Settings\Van\Cookies\van@2o7[3].txt
C:\Documents and Settings\Van\Cookies\van@adultadworld[3].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@hornymatches[1].txt
C:\Documents and Settings\Van\Cookies\van@revsci[1].txt
C:\Documents and Settings\Van\Cookies\van@adlegend[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@288_[3].txt
C:\Documents and Settings\Van\Cookies\van@statcounter[1].txt
C:\Documents and Settings\Van\Cookies\van@atdmt[3].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@adinterax[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@adtech[1].txt
C:\Documents and Settings\Van\Cookies\van@ig[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@cracked[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@stilemedia[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@clickbank[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@linksynergy[1].txt
C:\Documents and Settings\Van\Cookies\van@adserver[1].txt
C:\Documents and Settings\Van\Cookies\van@review-adult-dating[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@cgi-bin[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@apmebf[1].txt
C:\Documents and Settings\Van\Cookies\van@ads[1].txt
C:\Documents and Settings\Van\Cookies\van@adrevolver[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][3].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@zedo[3].txt
C:\Documents and Settings\Van\Cookies\van@wowwebstats[1].txt
C:\Documents and Settings\Van\Cookies\van@adrevolver[3].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@windowsmedia[1].txt
C:\Documents and Settings\Van\Cookies\van@azjmp[2].txt
C:\Documents and Settings\Van\Cookies\van@overture[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@fastclick[3].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@hitbox[3].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@interclick[2].txt
C:\Documents and Settings\Van\Cookies\van@2o7[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@adecn[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@adultadworld[1].txt
C:\Documents and Settings\Van\Cookies\van@adultfriendfinder[1].txt
C:\Documents and Settings\Van\Cookies\van@advertising[2].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@atdmt[2].txt
C:\Documents and Settings\Van\Cookies\van@banner[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\[email protected][2].txt
C:\Documents and Settings\Van\Cookies\van@eyewonder[1].txt
C:\Documents and Settings\Van\Cookies\van@fastclick[2].txt
C:\Documents and Settings\Van\Cookies\van@hitbox[2].txt
C:\Documents and Settings\Van\Cookies\van@mediaonenetwork[1].txt
C:\Documents and Settings\Van\Cookies\[email protected][1].txt
C:\Documents and Settings\Van\Cookies\van@wowwebstats[2].txt
C:\Documents and Settings\Van\Cookies\van@zedo[2].txt

Adware.ClickSpring
C:\DECKARD\SYSTEM SCANNER\20080105213353\BACKUP\DOCUME~1\VAN\LOCALS~1\TEMP\!UPDATE.EXE
C:\DECKARD\SYSTEM SCANNER\20080105213353\BACKUP\DOCUME~1\VAN\LOCALS~1\TEMP\TMP8F.TMP
C:\QOOBOX\QUARANTINE\C\DOCUMENTS AND SETTINGS\VAN\MY DOCUMENTS\FNTS~1\WINWORD.EXE.VIR
C:\QooBox\Quarantine\C\Documents and Settings\Van\My Documents\YMANTE~1\JVAWEX~1.VIR

Trojan.Downloader-Gen/MROFIN
C:\DECKARD\SYSTEM SCANNER\20080105213353\BACKUP\DOCUME~1\VAN\LOCALS~1\TEMP\TMP98.TMP
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.TMP.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\MROFINU572.EXE.VIR

BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
C:\WINDOWS\Prefetch\BEARSHARE.EXE-2A0C795D.pf

Trojan.Vundo/Variant-Installer
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINAMP\WINAMPA.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SSQRR.EXE.VIR
C:\QOOBOX\QUARANTINE\~,1%~P1SSQRR.EXE.VIR
C:\QOOBOX\QUARANTINE\~,1%~P1WINAMPA.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007390.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP39\A0007517.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007520.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP41\A0007553.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP43\A0007633.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP44\A0007793.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP45\A0007812.EXE

Trojan.Downloader-Gen/BundleBase
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ARDCO01\ARDCO011065.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007528.EXE

Trojan.Unknown Origin
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNSCPCC.EXE.VIR

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP34\A0007406.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP40\A0007522.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{3E4A7519-4950-4A8E-8986-E62A396DB029}\RP43\A0007634.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\RRQSS.INI

Trace.Known Threat Sources
C:\Documents and Settings\Van\Local Settings\Temporary Internet Files\Content.IE5\Q0189K9H\0228aeecb7[1].js

#24
Rorschach112

Posted 12 January 2008 - 05:35 PM

Ralphie

Retired Staff
47,710 posts

Your logs are clean ! We need to do a few things

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

#25
k0rrupt

Posted 12 January 2008 - 05:52 PM

Member

Topic Starter
Member
23 posts

is my explorer supposed to restart every once in a while?
it seems to kind of "refresh" itself once in a while. similar to performing an end task on explorer and reopening it.

know what would be the cause of this?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:53:21 PM, on 1/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\AIM\aim .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Winamp\winamp .exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Avant Browser\avant.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Van\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blingo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrr.exe <-- ??
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [a8d84067] rundll32.exe "C:\WINDOWS\system32\tmriqqvw.dll",b <--- ??
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim .exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3512 bytes

Edited by k0rrupt, 12 January 2008 - 05:55 PM.

#26
Rorschach112

Posted 12 January 2008 - 06:03 PM

Ralphie

Retired Staff
47,710 posts

Well this log is quite infected

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

#27
k0rrupt

Posted 12 January 2008 - 08:43 PM

Member

Topic Starter
Member
23 posts

long one.

http://www.freewebs....rr/ComboFix.txt

though mostly deletions.

#28
Rorschach112

Posted 13 January 2008 - 10:48 AM

Ralphie

Retired Staff
47,710 posts

Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\wvqqirmt.ini

Save this as CFScript.txt, in the same location as ComboFix.exe

Posted Image

#29
k0rrupt

Posted 13 January 2008 - 06:52 PM

Member

Topic Starter
Member
23 posts

http://www.freewebs....rr/ComboFix.txt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:14 PM, on 1/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\MemTurbo30\MemTurbo.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Winamp\winamp .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\Van\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blingo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssqrr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"
O4 - Startup: MemTurbo.lnk = C:\Program Files\MemTurbo30\MemTurbo.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198621337000
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3567 bytes

Edited by k0rrupt, 13 January 2008 - 06:53 PM.

#30
Rorschach112

Posted 13 January 2008 - 07:24 PM

Ralphie

Retired Staff
47,710 posts

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.