Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Win32/Adware.Virtumonde [RESOLVED]


  • This topic is locked This topic is locked

#1
Bhlue

Bhlue

    New Member

  • Member
  • Pip
  • 8 posts
Pardon me, but I have a problem.. Nod32 keeps popping up with these alert details:

Posted Image

It pops up the moment the desktop loads.. I've tried deleting it though it keeps telling me that it will delete it by the next restart.. Then it will pop up again after I click 'ok.' I've tried restarting it too, expecting it will be deleted as said.. But it popped again.. this has happened repeatedly..

Posted Image

I have no idea what caused this neither do I know how to get rid of it.. help?
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

for more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058. once you install the Recovery Console, when you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. that is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#3
Bhlue

Bhlue

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you for acknowledging.. ^^ I have acquired the log from combofix (and have attached it here).. I'm sorry, but what exactly is a HijackThis log..?

Attached Files


  • 0

#4
Bhlue

Bhlue

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Oh.. I've researched what it meant.. Correct me if I'm wrong, is this a HijackThis log..?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:20 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {26D2045D-50C8-4850-9285-035D79212D9B} - C:\WINDOWS\system32\urqOGAPf.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4068 bytes


  • 0

#5
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you post the ComboFix log here instead of attaching it

Also don't put logs in quote boxes
  • 0

#6
Bhlue

Bhlue

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Oh, okay.. sorry.. Here it is.. ^^

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:20 AM, on 4/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {26D2045D-50C8-4850-9285-035D79212D9B} - C:\WINDOWS\system32\urqOGAPf.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 4068 bytes


and here's the ComboFix log:


ComboFix 08-04-22.5 - Maryan 2008-04-25 10:21:53.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.248 [GMT 8:00]
Running from: C:\Documents and Settings\Maryan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Maryan\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\cbXQkiFx.dll
C:\WINDOWS\system32\fPAGOqru.ini
C:\WINDOWS\system32\fPAGOqru.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 09:53 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-04-25 09:53 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-04-25 09:47 . 2008-04-25 09:47 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-25 09:33 . 2008-04-25 09:49 <DIR> d-------- C:\VundoFix Backups
2008-04-25 08:50 . 2008-04-25 08:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-25 08:50 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-25 08:50 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-25 08:50 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-25 08:49 . 2008-04-25 08:49 <DIR> d-------- C:\Program Files\Webroot
2008-04-25 08:49 . 2008-04-25 08:49 <DIR> d-------- C:\Documents and Settings\Maryan\Application Data\Webroot
2008-04-25 08:49 . 2008-04-25 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-23 10:02 . 2008-04-24 17:34 1,504,986 --ahs---- C:\WINDOWS\system32\eeeursfb.ini
2008-04-23 09:59 . 2008-04-24 17:34 109,669 --a------ C:\WINDOWS\BM17bbacd7.xml
2008-04-22 21:57 . 2008-04-22 21:57 272,384 --a------ C:\WINDOWS\system32\urqOGAPf.dll
2008-04-22 21:55 . 2008-03-01 21:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 21:55 . 2007-04-17 17:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 21:55 . 2007-03-08 13:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 21:55 . 2008-03-01 21:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 21:55 . 2008-03-01 21:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 21:55 . 2008-03-01 21:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 21:55 . 2008-03-01 21:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 21:55 . 2008-03-01 21:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 21:55 . 2008-02-22 18:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-22 19:42 . 2008-04-22 19:43 <DIR> d-------- C:\Program Files\Neat Image
2008-04-22 18:48 . 2008-04-22 18:48 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-04-22 18:48 . 2008-04-22 18:48 <DIR> d-------- C:\Program Files\Tablet
2008-04-22 18:48 . 2005-06-18 03:18 1,444,870 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-04-22 18:48 . 2005-06-18 04:01 1,265,664 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-04-22 18:48 . 2005-06-18 04:00 749,568 --a------ C:\WINDOWS\system32\Tablet.exe
2008-04-22 18:48 . 2005-06-18 04:34 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-04-22 18:48 . 1999-05-08 00:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
2008-04-22 18:48 . 2001-04-10 04:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
2008-04-22 18:48 . 2008-04-25 10:36 336 --a------ C:\WINDOWS\system32\tablet.dat
2008-04-22 18:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-22 18:46 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-22 18:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-22 18:46 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-21 20:55 . 2008-04-21 20:55 <DIR> d-------- C:\Program Files\DreamKana
2008-04-20 13:34 . 2008-04-20 13:34 <DIR> d-------- C:\Program Files\Macromedia
2008-04-20 13:32 . 2008-04-20 13:32 <DIR> d-------- C:\Shockwave
2008-04-20 13:20 . 2008-04-20 13:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-20 13:20 . 2008-04-20 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-20 13:19 . 2008-04-22 21:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-20 10:23 . 2008-04-20 10:25 <DIR> d-------- C:\Program Files\VIA
2008-04-20 10:20 . 2008-04-20 10:20 <DIR> d-------- C:\Program Files\uTorrent
2008-04-20 10:20 . 2008-04-22 23:45 <DIR> d-------- C:\Documents and Settings\Maryan\Application Data\uTorrent
2008-04-20 06:02 . 2008-04-20 06:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-19 20:51 . 2008-04-19 20:51 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-19 20:29 . 2008-04-19 20:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-19 20:23 . 2008-04-19 20:23 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-19 20:18 . 2008-04-19 20:18 <DIR> d-------- C:\Documents and Settings\Maryan\Application Data\Talkback
2008-04-19 20:17 . 2008-04-19 20:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-19 20:15 . 2008-04-22 23:57 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-19 20:11 . 2008-04-19 20:11 <DIR> d---s---- C:\Documents and Settings\Maryan\UserData
2008-04-19 20:09 . 2008-04-19 20:09 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-04-19 20:08 . 2008-04-19 20:08 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-04-19 20:08 . 2008-04-19 20:08 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-04-19 20:08 . 2008-04-19 20:11 <DIR> d-------- C:\Program Files\AlienGUIse
2008-04-19 20:08 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-04-19 20:08 . 2008-04-19 20:08 56 --a------ C:\WINDOWS\wb.ini
2008-04-19 20:05 . 2008-04-20 14:14 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-19 20:05 . 2008-04-19 20:05 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-19 20:03 . 2008-04-20 13:34 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-19 20:02 . 2004-09-17 17:37 61,440 --a------ C:\WINDOWS\system32\vuins32.dll
2008-04-19 20:02 . 2004-12-16 13:36 42,496 --a------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-04-19 20:02 . 2008-04-20 10:21 16,546 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-04-19 20:02 . 2003-07-17 16:10 7,040 -ra------ C:\WINDOWS\system32\ntsim.sys
2008-04-19 20:01 . 2004-04-27 15:26 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-04-19 20:01 . 2004-08-13 10:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-04-19 20:00 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 09:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-19 22:07 --------- d-----w C:\Program Files\ESET
2008-04-19 12:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-19 11:59 --------- d-----w C:\Program Files\MSBuild
2008-04-19 11:59 --------- d-----w C:\Program Files\Microsoft Works
2008-04-19 11:57 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-19 11:57 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-19 11:57 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-19 11:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D2045D-50C8-4850-9285-035D79212D9B}]
2008-04-22 21:57 272384 --a------ C:\WINDOWS\system32\urqOGAPf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-19 19:57 949376]
"RegistryMechanic"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-07-26 09:54 716800]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-08-12 16:38 1056768]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-04-22 18:48:16 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^Maryan^Start Menu^Programs^Startup^Alienware Dock.lnk]
backup=C:\WINDOWS\pss\Alienware Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=


.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 10:36:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\AlienGUIse\wbload.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-04-25 10:40:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-25 02:40:10

Pre-Run: 73,886,773,248 bytes free
Post-Run: 73,967,919,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

172 --- E O F --- 2008-04-22 15:57:37
  • 0

#7
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\eeeursfb.ini
C:\WINDOWS\BM17bbacd7.xml
C:\WINDOWS\system32\urqOGAPf.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also post a new HijackThis log
  • 0

#8
Bhlue

Bhlue

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
ComboFix log:

ComboFix 08-04-22.5 - Maryan 2008-04-27 17:45:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.252 [GMT 8:00]
Running from: C:\AntiVirus FileS\ComboFix.exe
Command switches used :: C:\AntiVirus FileS\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\BM17bbacd7.xml
C:\WINDOWS\system32\eeeursfb.ini
C:\WINDOWS\system32\urqOGAPf.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM17bbacd7.xml
C:\WINDOWS\system32\eeeursfb.ini

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-25 19:50 . 2008-04-25 19:50 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-04-25 19:47 . 2008-04-25 19:47 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-25 19:47 . 2008-04-25 19:48 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-25 10:54 . 2008-04-25 10:54 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-25 10:50 . 2008-04-27 17:45 <DIR> d-------- C:\AntiVirus FileS
2008-04-25 09:53 . 2008-01-04 20:56 1,526,640 --a------ C:\WINDOWS\WRSetup.dll
2008-04-25 09:53 . 2008-01-04 20:34 20,336 --a------ C:\WINDOWS\system32\drivers\SSFS0BB9.sys
2008-04-25 09:47 . 2008-04-25 09:47 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2008-04-25 09:33 . 2008-04-25 09:49 <DIR> d-------- C:\VundoFix Backups
2008-04-25 08:50 . 2008-04-25 08:50 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-25 08:50 . 2008-01-04 20:34 163,696 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-25 08:50 . 2008-01-04 20:34 23,920 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-25 08:50 . 2008-01-04 20:34 21,872 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-25 08:49 . 2008-04-25 08:49 <DIR> d-------- C:\Program Files\Webroot
2008-04-25 08:49 . 2008-04-25 08:49 <DIR> d-------- C:\Documents and Settings\Maryan\Application Data\Webroot
2008-04-25 08:49 . 2008-04-25 08:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-22 21:55 . 2008-03-01 21:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 21:55 . 2007-04-17 17:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 21:55 . 2007-03-08 13:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 21:55 . 2008-03-01 21:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 21:55 . 2008-03-01 21:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 21:55 . 2008-03-01 21:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 21:55 . 2008-03-01 21:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 21:55 . 2008-03-01 21:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 21:55 . 2008-02-22 18:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-04-22 19:42 . 2008-04-22 19:43 <DIR> d-------- C:\Program Files\Neat Image
2008-04-22 18:48 . 2008-04-22 18:48 <DIR> d-------- C:\WINDOWS\system32\WTablet
2008-04-22 18:48 . 2008-04-22 18:48 <DIR> d-------- C:\Program Files\Tablet
2008-04-22 18:48 . 2005-06-18 03:18 1,444,870 --a------ C:\WINDOWS\system32\PenTablet.znc
2008-04-22 18:48 . 2005-06-18 04:01 1,265,664 --a------ C:\WINDOWS\system32\PenTablet.cpl
2008-04-22 18:48 . 2005-06-18 04:00 749,568 --a------ C:\WINDOWS\system32\Tablet.exe
2008-04-22 18:48 . 2005-06-18 04:34 102,400 --a------ C:\WINDOWS\system32\Wintab32.dll
2008-04-22 18:48 . 1999-05-08 00:12 15,744 --a------ C:\WINDOWS\system32\Wintab.dll
2008-04-22 18:48 . 2001-04-10 04:45 8,138 --------- C:\WINDOWS\system32\drivers\PenClass.sys
2008-04-22 18:48 . 2008-04-27 17:15 336 --a------ C:\WINDOWS\system32\tablet.dat
2008-04-22 18:46 . 2001-08-17 13:48 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-04-22 18:46 . 2001-08-17 13:48 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-04-22 18:46 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-04-22 18:46 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-04-21 20:55 . 2008-04-21 20:55 <DIR> d-------- C:\Program Files\DreamKana
2008-04-20 13:34 . 2008-04-20 13:34 <DIR> d-------- C:\Program Files\Macromedia
2008-04-20 13:32 . 2008-04-20 13:32 <DIR> d-------- C:\Shockwave
2008-04-20 13:20 . 2008-04-20 13:20 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-04-20 13:20 . 2008-04-20 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-20 13:19 . 2008-04-22 21:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-20 10:23 . 2008-04-20 10:25 <DIR> d-------- C:\Program Files\VIA
2008-04-20 10:20 . 2008-04-20 10:20 <DIR> d-------- C:\Program Files\uTorrent
2008-04-20 10:20 . 2008-04-22 23:45 <DIR> d-------- C:\Documents and Settings\Maryan\Application Data\uTorrent
2008-04-20 06:02 . 2008-04-20 06:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-04-19 20:51 . 2008-04-19 20:51 1,160 --a------ C:\WINDOWS\mozver.dat
2008-04-19 20:29 . 2008-04-19 20:29 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-19 20:23 . 2008-04-19 20:23 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-19 20:18 . 2008-04-19 20:18 <DIR> d-------- C:\Documents and Settings\Maryan\Application Data\Talkback
2008-04-19 20:17 . 2008-04-19 20:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-19 20:15 . 2008-04-22 23:57 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-19 20:11 . 2008-04-19 20:11 <DIR> d---s---- C:\Documents and Settings\Maryan\UserData
2008-04-19 20:09 . 2008-04-19 20:09 3,932,214 --a------ C:\WINDOWS\AW_XenoMorph1280.bmp
2008-04-19 20:08 . 2008-04-19 20:08 <DIR> d-------- C:\Program Files\XP Codec Pack
2008-04-19 20:08 . 2008-04-19 20:08 <DIR> d-------- C:\Program Files\Common Files\Stardock
2008-04-19 20:08 . 2008-04-19 20:11 <DIR> d-------- C:\Program Files\AlienGUIse
2008-04-19 20:08 . 2003-02-26 22:27 36,864 --a------ C:\WINDOWS\system32\wbsys.dll
2008-04-19 20:08 . 2008-04-19 20:08 56 --a------ C:\WINDOWS\wb.ini
2008-04-19 20:05 . 2008-04-20 14:14 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-19 20:05 . 2008-04-19 20:05 <DIR> d-------- C:\Program Files\Analog Devices
2008-04-19 20:03 . 2008-04-20 13:34 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-19 20:02 . 2004-09-17 17:37 61,440 --a------ C:\WINDOWS\system32\vuins32.dll
2008-04-19 20:02 . 2004-12-16 13:36 42,496 --a------ C:\WINDOWS\system32\drivers\fetnd5bv.sys
2008-04-19 20:02 . 2008-04-20 10:21 16,546 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-04-19 20:02 . 2003-07-17 16:10 7,040 -ra------ C:\WINDOWS\system32\ntsim.sys
2008-04-19 20:01 . 2004-04-27 15:26 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-04-19 20:01 . 2004-08-13 10:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-04-19 20:00 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 10:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-25 10:27 --------- d-----w C:\Program Files\ESET
2008-04-19 12:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-19 11:59 --------- d-----w C:\Program Files\MSBuild
2008-04-19 11:59 --------- d-----w C:\Program Files\Microsoft Works
2008-04-19 11:57 512,096 ----a-w C:\WINDOWS\system32\drivers\amon.sys
2008-04-19 11:57 298,104 ----a-w C:\WINDOWS\system32\imon.dll
2008-04-19 11:57 15,424 ----a-w C:\WINDOWS\system32\drivers\nod32drv.sys
2008-04-19 11:46 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( [email protected]_10.39.48.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-10-04 14:05:26 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
- 2008-04-25 02:36:26 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 09:15:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-03 17:56:58 208,896 ----a-w C:\WINDOWS\inf\unregmp2.exe
+ 2007-06-26 14:10:26 317,440 ----a-w C:\WINDOWS\inf\unregmp2.exe
- 2004-08-03 17:56:00 8,192 ----a-w C:\WINDOWS\system32\asferror.dll
+ 2006-10-18 13:47:08 7,168 ----a-w C:\WINDOWS\system32\asferror.dll
+ 2006-10-18 13:47:08 276,992 ------w C:\WINDOWS\system32\audiodev.dll
- 2004-08-03 17:56:42 286,208 ----a-w C:\WINDOWS\system32\blackbox.dll
+ 2006-10-18 13:47:10 542,720 ----a-w C:\WINDOWS\system32\blackbox.dll
- 2004-08-03 17:56:42 159,232 ----a-w C:\WINDOWS\system32\cewmdm.dll
+ 2006-10-18 13:47:10 229,376 ----a-w C:\WINDOWS\system32\cewmdm.dll
- 2004-08-03 17:56:00 8,192 -c--a-w C:\WINDOWS\system32\dllcache\asferror.dll
+ 2006-10-18 13:47:08 7,168 -c--a-w C:\WINDOWS\system32\dllcache\asferror.dll
- 2004-08-03 17:56:42 286,208 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
+ 2006-10-18 13:47:10 542,720 -c--a-w C:\WINDOWS\system32\dllcache\blackbox.dll
- 2004-08-03 17:56:42 159,232 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
+ 2006-10-18 13:47:10 229,376 -c--a-w C:\WINDOWS\system32\dllcache\cewmdm.dll
- 2004-08-03 17:57:04 695,296 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
+ 2006-10-18 13:47:10 991,744 -c--a-w C:\WINDOWS\system32\dllcache\drmv2clt.dll
- 2004-08-03 17:56:44 6,656 -c--a-w C:\WINDOWS\system32\dllcache\laprxy.dll
+ 2006-10-18 13:47:14 11,264 -c--a-w C:\WINDOWS\system32\dllcache\LAPRXY.dll
- 2004-08-03 17:56:52 103,936 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
+ 2006-10-18 12:03:58 100,864 -c--a-w C:\WINDOWS\system32\dllcache\logagent.exe
- 2004-08-03 17:56:44 310,272 -c--a-w C:\WINDOWS\system32\dllcache\mp43dmod.dll
+ 2006-10-18 13:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MP43DMOD.dll
- 2004-08-03 17:56:44 384,512 -c--a-w C:\WINDOWS\system32\dllcache\mp4sdmod.dll
+ 2006-10-18 13:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MP4SDMOD.dll
- 2004-08-03 17:56:44 240,640 -c--a-w C:\WINDOWS\system32\dllcache\mpg4dmod.dll
+ 2006-10-18 13:47:14 4,096 -c--a-w C:\WINDOWS\system32\dllcache\MPG4DMOD.dll
- 2004-08-03 17:56:44 368,640 -c--a-w C:\WINDOWS\system32\dllcache\mpvis.dll
+ 2006-10-18 13:47:14 243,712 -c--a-w C:\WINDOWS\system32\dllcache\mpvis.dll
- 2004-08-03 17:57:02 259,072 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
+ 2006-10-18 13:47:16 179,712 -c--a-w C:\WINDOWS\system32\dllcache\msnetobj.dll
- 2004-08-03 17:56:44 52,224 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
+ 2006-10-18 13:47:16 27,136 -c--a-w C:\WINDOWS\system32\dllcache\mspmsnsv.dll
- 2004-08-03 17:56:44 201,728 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
+ 2006-10-18 13:47:16 175,616 -c--a-w C:\WINDOWS\system32\dllcache\mspmsp.dll
- 2004-08-03 17:57:02 356,352 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
+ 2006-12-04 08:21:50 414,720 -c--a-w C:\WINDOWS\system32\dllcache\msscp.dll
- 2004-08-03 17:56:46 245,760 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
+ 2006-10-18 13:47:16 321,536 -c--a-w C:\WINDOWS\system32\dllcache\mswmdm.dll
- 2004-08-03 17:56:46 237,568 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
+ 2006-10-18 13:47:18 211,456 -c--a-w C:\WINDOWS\system32\dllcache\qasf.dll
- 2004-08-03 17:56:58 774,144 -c--a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
+ 2006-11-01 10:31:38 1,669,120 -c--a-w C:\WINDOWS\system32\dllcache\setup_wm.exe
- 2004-08-03 17:56:58 208,896 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-06-26 14:10:26 317,440 -c--a-w C:\WINDOWS\system32\dllcache\unregmp2.exe
+ 2007-04-10 06:00:46 236,928 -c----w C:\WINDOWS\system32\dllcache\WgaLogon.dll
+ 2007-04-10 06:01:18 336,768 -c----w C:\WINDOWS\system32\dllcache\WgaTray.exe
- 2004-08-03 17:56:48 408,064 -c--a-w C:\WINDOWS\system32\dllcache\wmadmod.dll
+ 2006-10-18 13:47:18 757,248 -c--a-w C:\WINDOWS\system32\dllcache\WMADMOD.dll
- 2004-08-03 17:56:48 670,720 -c--a-w C:\WINDOWS\system32\dllcache\wmadmoe.dll
+ 2006-10-18 13:47:18 1,117,696 -c--a-w C:\WINDOWS\system32\dllcache\WMADMOE.dll
- 2007-10-27 09:39:20 230,912 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
+ 2007-10-27 09:40:30 222,720 -c--a-w C:\WINDOWS\system32\dllcache\wmasf.dll
- 2004-08-03 17:56:48 27,136 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
+ 2006-10-18 13:47:18 33,792 -c--a-w C:\WINDOWS\system32\dllcache\wmdmlog.dll
- 2004-08-03 17:56:48 23,552 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
+ 2006-10-18 13:47:18 37,376 -c--a-w C:\WINDOWS\system32\dllcache\wmdmps.dll
- 2004-08-03 17:56:36 168,448 -c--a-w C:\WINDOWS\system32\dllcache\wmerror.dll
+ 2006-10-18 13:47:20 227,328 -c--a-w C:\WINDOWS\system32\dllcache\wmerror.dll
- 2004-08-03 17:56:48 151,552 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
+ 2006-10-18 13:47:20 157,184 -c--a-w C:\WINDOWS\system32\dllcache\wmidx.dll
- 2004-08-03 17:56:48 1,050,624 -c--a-w C:\WINDOWS\system32\dllcache\wmnetmgr.dll
+ 2006-10-18 13:47:20 937,984 -c--a-w C:\WINDOWS\system32\dllcache\WMNetMgr.dll
- 2007-04-29 18:22:16 4,734,976 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
+ 2007-06-11 15:51:12 10,834,944 -c--a-w C:\WINDOWS\system32\dllcache\wmp.dll
- 2004-08-03 17:56:48 114,688 -c--a-w C:\WINDOWS\system32\dllcache\wmpasf.dll
+ 2006-10-18 13:47:20 242,688 -c--a-w C:\WINDOWS\system32\dllcache\wmpasf.dll
- 2004-08-03 17:56:48 98,304 -c--a-w C:\WINDOWS\system32\dllcache\wmpband.dll
+ 2006-10-18 13:47:20 96,256 -c--a-w C:\WINDOWS\system32\dllcache\wmpband.dll
- 2004-08-03 17:56:48 233,472 -c--a-w C:\WINDOWS\system32\dllcache\wmpdxm.dll
+ 2006-10-18 13:47:20 314,880 -c--a-w C:\WINDOWS\system32\dllcache\wmpdxm.dll
- 2004-08-03 17:56:58 73,728 -c--a-w C:\WINDOWS\system32\dllcache\wmplayer.exe
+ 2006-10-18 13:46:20 64,000 -c--a-w C:\WINDOWS\system32\dllcache\wmplayer.exe
- 2004-08-03 17:56:38 2,940,928 -c--a-w C:\WINDOWS\system32\dllcache\wmploc.dll
+ 2006-10-18 13:47:20 8,231,936 -c--a-w C:\WINDOWS\system32\dllcache\wmploc.dll
- 2004-08-03 17:56:48 102,400 -c--a-w C:\WINDOWS\system32\dllcache\wmpshell.dll
+ 2006-10-18 13:47:20 99,840 -c--a-w C:\WINDOWS\system32\dllcache\wmpshell.dll
- 2004-08-03 17:56:48 759,296 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
+ 2006-10-18 13:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmod.dll
- 2004-08-03 17:56:48 1,119,744 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
+ 2006-10-18 13:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmsdmoe2.dll
- 2004-08-03 17:56:48 484,864 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmod.dll
+ 2006-10-18 13:47:22 603,648 -c--a-w C:\WINDOWS\system32\dllcache\WMSPDMOD.dll
- 2004-08-03 17:56:48 896,512 -c--a-w C:\WINDOWS\system32\dllcache\wmspdmoe.dll
+ 2006-10-18 13:47:22 1,329,152 -c--a-w C:\WINDOWS\system32\dllcache\WMSPDMOE.dll
- 2007-10-27 09:37:38 2,109,440 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
+ 2006-10-18 13:47:22 2,450,944 -c--a-w C:\WINDOWS\system32\dllcache\wmvcore.dll
- 2004-08-03 17:56:48 809,984 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
+ 2006-10-18 13:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmod.dll
- 2004-08-03 17:56:48 1,001,472 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-18 13:47:22 4,096 -c--a-w C:\WINDOWS\system32\dllcache\wmvdmoe2.dll
+ 2006-10-18 13:47:22 671,232 ------w C:\WINDOWS\system32\drivers\UMDF\wpdmtpdr.dll
+ 2006-10-18 12:00:00 38,528 ------w C:\WINDOWS\system32\drivers\wpdusb.sys
+ 2006-09-28 10:55:50 77,568 ------w C:\WINDOWS\system32\drivers\WudfPf.sys
+ 2006-09-28 11:00:34 82,944 ------w C:\WINDOWS\system32\drivers\WudfRd.sys
+ 2006-10-18 12:00:46 249,856 ------w C:\WINDOWS\system32\drmupgds.exe
- 2004-08-03 17:57:04 695,296 ----a-w C:\WINDOWS\system32\drmv2clt.dll
+ 2006-10-18 13:47:10 991,744 ----a-w C:\WINDOWS\system32\drmv2clt.dll
- 2004-08-03 17:56:44 6,656 ----a-w C:\WINDOWS\system32\laprxy.dll
+ 2006-10-18 13:47:14 11,264 ----a-w C:\WINDOWS\system32\LAPRXY.dll
+ 2007-04-10 06:02:50 1,476,992 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2004-08-03 17:56:52 103,936 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-18 12:03:58 100,864 ----a-w C:\WINDOWS\system32\logagent.exe
+ 2006-10-18 13:47:14 212,992 ------w C:\WINDOWS\system32\MFPLAT.dll
+ 2006-10-18 13:47:14 259,072 ------w C:\WINDOWS\system32\MP43DECD.dll
- 2004-08-03 17:56:44 310,272 ----a-w C:\WINDOWS\system32\mp43dmod.dll
+ 2006-10-18 13:47:14 4,096 ----a-w C:\WINDOWS\system32\MP43DMOD.dll
+ 2006-10-18 13:47:14 317,440 ------w C:\WINDOWS\system32\MP4SDECD.dll
- 2004-08-03 17:56:44 384,512 ----a-w C:\WINDOWS\system32\mp4sdmod.dll
+ 2006-10-18 13:47:14 4,096 ----a-w C:\WINDOWS\system32\MP4SDMOD.dll
+ 2006-10-18 13:47:14 259,072 ------w C:\WINDOWS\system32\MPG4DECD.dll
- 2004-08-03 17:56:44 240,640 ----a-w C:\WINDOWS\system32\mpg4dmod.dll
+ 2006-10-18 13:47:14 4,096 ----a-w C:\WINDOWS\system32\MPG4DMOD.dll
+ 2008-04-05 14:56:22 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2006-10-02 07:28:42 312,128 ------w C:\WINDOWS\system32\msdelta.dll
- 2004-08-03 17:57:02 259,072 ----a-w C:\WINDOWS\system32\msnetobj.dll
+ 2006-10-18 13:47:16 179,712 ----a-w C:\WINDOWS\system32\msnetobj.dll
- 2004-08-03 17:56:44 52,224 ----a-w C:\WINDOWS\system32\mspmsnsv.dll
+ 2006-10-18 13:47:16 27,136 ----a-w C:\WINDOWS\system32\mspmsnsv.dll
- 2004-08-03 17:56:44 201,728 ----a-w C:\WINDOWS\system32\mspmsp.dll
+ 2006-10-18 13:47:16 175,616 ----a-w C:\WINDOWS\system32\mspmsp.dll
- 2004-08-03 17:57:02 356,352 ----a-w C:\WINDOWS\system32\msscp.dll
+ 2006-12-04 08:21:50 414,720 ----a-w C:\WINDOWS\system32\msscp.dll
- 2004-08-03 17:56:46 245,760 ----a-w C:\WINDOWS\system32\mswmdm.dll
+ 2006-10-18 13:47:16 321,536 ----a-w C:\WINDOWS\system32\mswmdm.dll
+ 2006-10-18 13:47:18 284,160 ------w C:\WINDOWS\system32\PortableDeviceApi.dll
+ 2006-10-18 13:47:18 101,888 ------w C:\WINDOWS\system32\PortableDeviceClassExtension.dll
+ 2006-10-18 13:47:18 166,912 ------w C:\WINDOWS\system32\PortableDeviceTypes.dll
+ 2006-10-18 13:47:18 132,096 ------w C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
+ 2006-10-18 13:47:18 199,168 ------w C:\WINDOWS\system32\PortableDeviceWMDRM.dll
- 2004-08-03 17:56:46 237,568 ----a-w C:\WINDOWS\system32\qasf.dll
+ 2006-10-18 13:47:18 211,456 ----a-w C:\WINDOWS\system32\qasf.dll
- 2006-01-19 19:29:19 14,048 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2006-12-10 06:10:02 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2005-06-28 02:21:34 22,752 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2006-09-25 09:58:48 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
+ 2006-10-18 13:58:00 8,704 ------w C:\WINDOWS\system32\uwdf.exe
+ 2006-10-18 13:47:18 4,096 ------w C:\WINDOWS\system32\wdfapi.dll
+ 2006-10-18 13:58:00 8,704 ------w C:\WINDOWS\system32\wdfmgr.exe
+ 2007-04-10 06:00:46 236,928 ------w C:\WINDOWS\system32\WgaLogon.dll
+ 2007-04-10 06:01:18 336,768 ------w C:\WINDOWS\system32\WgaTray.exe
- 2004-08-03 17:56:48 408,064 ----a-w C:\WINDOWS\system32\wmadmod.dll
+ 2006-10-18 13:47:18 757,248 ----a-w C:\WINDOWS\system32\WMADMOD.dll
- 2004-08-03 17:56:48 670,720 ----a-w C:\WINDOWS\system32\wmadmoe.dll
+ 2006-10-18 13:47:18 1,117,696 ----a-w C:\WINDOWS\system32\WMADMOE.dll
- 2007-10-27 09:39:20 230,912 ----a-w C:\WINDOWS\system32\wmasf.dll
+ 2007-10-27 09:40:30 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
- 2004-08-03 17:56:48 27,136 ----a-w C:\WINDOWS\system32\wmdmlog.dll
+ 2006-10-18 13:47:18 33,792 ----a-w C:\WINDOWS\system32\wmdmlog.dll
- 2004-08-03 17:56:48 23,552 ----a-w C:\WINDOWS\system32\wmdmps.dll
+ 2006-10-18 13:47:18 37,376 ----a-w C:\WINDOWS\system32\wmdmps.dll
+ 2006-10-18 13:47:18 429,056 ------w C:\WINDOWS\system32\wmdrmdev.dll
+ 2006-10-18 13:47:20 348,672 ------w C:\WINDOWS\system32\wmdrmnet.dll
+ 2006-10-18 13:47:20 535,040 ------w C:\WINDOWS\system32\wmdrmsdk.dll
- 2004-08-03 17:56:36 168,448 ----a-w C:\WINDOWS\system32\wmerror.dll
+ 2006-10-18 13:47:20 227,328 ----a-w C:\WINDOWS\system32\wmerror.dll
- 2004-08-03 17:56:48 151,552 ----a-w C:\WINDOWS\system32\wmidx.dll
+ 2006-10-18 13:47:20 157,184 ----a-w C:\WINDOWS\system32\wmidx.dll
- 2004-08-03 17:56:48 1,050,624 ----a-w C:\WINDOWS\system32\wmnetmgr.dll
+ 2006-10-18 13:47:20 937,984 ----a-w C:\WINDOWS\system32\WMNetMgr.dll
- 2007-04-29 18:22:16 4,734,976 ----a-w C:\WINDOWS\system32\wmp.dll
+ 2007-06-11 15:51:12 10,834,944 ----a-w C:\WINDOWS\system32\wmp.dll
- 2004-08-03 17:56:48 114,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
+ 2006-10-18 13:47:20 242,688 ----a-w C:\WINDOWS\system32\wmpasf.dll
- 2004-08-03 17:56:48 233,472 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-18 13:47:20 314,880 ----a-w C:\WINDOWS\system32\wmpdxm.dll
+ 2006-10-18 13:47:20 295,936 ------w C:\WINDOWS\system32\wmpeffects.dll
+ 2006-10-18 13:47:20 1,661,440 ------w C:\WINDOWS\system32\wmpencen.dll
- 2004-08-03 17:56:38 2,940,928 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-18 13:47:20 8,231,936 ----a-w C:\WINDOWS\system32\wmploc.dll
+ 2006-10-18 13:47:20 613,376 ------w C:\WINDOWS\system32\wmpmde.dll
+ 2006-10-18 13:47:20 130,048 ------w C:\WINDOWS\system32\wmpps.dll
- 2004-08-03 17:56:48 102,400 ----a-w C:\WINDOWS\system32\wmpshell.dll
+ 2006-10-18 13:47:20 99,840 ----a-w C:\WINDOWS\system32\wmpshell.dll
+ 2006-10-18 13:47:20 204,288 ------w C:\WINDOWS\system32\wmpsrcwp.dll
- 2004-08-03 17:56:48 759,296 ----a-w C:\WINDOWS\system32\wmsdmod.dll
+ 2006-10-18 13:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmod.dll
- 2004-08-03 17:56:48 1,119,744 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
+ 2006-10-18 13:47:22 4,096 ----a-w C:\WINDOWS\system32\wmsdmoe2.dll
- 2004-08-03 17:56:48 484,864 ----a-w C:\WINDOWS\system32\wmspdmod.dll
+ 2006-10-18 13:47:22 603,648 ----a-w C:\WINDOWS\system32\WMSPDMOD.dll
- 2004-08-03 17:56:48 896,512 ----a-w C:\WINDOWS\system32\wmspdmoe.dll
+ 2006-10-18 13:47:22 1,329,152 ----a-w C:\WINDOWS\system32\WMSPDMOE.dll
+ 2006-10-18 13:47:22 4,096 ------w C:\WINDOWS\system32\WMVADVD.dll
+ 2006-10-18 13:47:22 4,096 ------w C:\WINDOWS\system32\WMVADVE.DLL
- 2007-10-27 09:37:38 2,109,440 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-18 13:47:22 2,450,944 ----a-w C:\WINDOWS\system32\wmvcore.dll
+ 2006-10-18 13:47:22 1,543,680 ------w C:\WINDOWS\system32\WMVDECOD.dll
- 2004-08-03 17:56:48 809,984 ----a-w C:\WINDOWS\system32\wmvdmod.dll
+ 2006-10-18 13:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmod.dll
- 2004-08-03 17:56:48 1,001,472 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-18 13:47:22 4,096 ----a-w C:\WINDOWS\system32\wmvdmoe2.dll
+ 2006-10-18 13:47:22 1,574,912 ------w C:\WINDOWS\system32\WMVENCOD.dll
+ 2006-10-18 13:47:22 1,382,912 ------w C:\WINDOWS\system32\WMVSDECD.dll
+ 2006-10-18 13:47:22 767,488 ------w C:\WINDOWS\system32\WMVSENCD.dll
+ 2006-10-18 13:47:22 656,896 ------w C:\WINDOWS\system32\WMVXENCD.dll
+ 2006-10-18 13:47:22 629,760 ------w C:\WINDOWS\system32\wpd_ci.dll
+ 2006-10-18 13:47:22 35,840 ------w C:\WINDOWS\system32\wpdconns.dll
+ 2006-10-18 13:47:22 154,624 ------w C:\WINDOWS\system32\wpdmtp.dll
+ 2006-10-18 13:47:22 63,488 ------w C:\WINDOWS\system32\wpdmtpus.dll
+ 2006-10-18 13:47:22 2,603,008 ------w C:\WINDOWS\system32\WpdShext.dll
+ 2006-10-18 12:00:14 17,408 ------w C:\WINDOWS\system32\wpdshextautoplay.exe
+ 2006-10-18 13:47:22 38,400 ------w C:\WINDOWS\system32\wpdshextres.dll
+ 2006-10-18 13:47:22 133,632 ------w C:\WINDOWS\system32\WPDShServiceObj.dll
+ 2006-10-18 13:47:22 356,352 ------w C:\WINDOWS\system32\wpdsp.dll
+ 2006-09-28 12:13:26 95,344 ------w C:\WINDOWS\system32\WUDFCoinstaller.dll
+ 2006-09-28 10:56:38 146,432 ------w C:\WINDOWS\system32\WudfHost.exe
+ 2006-09-28 10:56:16 165,376 ------w C:\WINDOWS\system32\WudfPlatform.dll
+ 2006-09-28 10:56:14 55,808 ------w C:\WINDOWS\system32\WudfSvc.dll
+ 2006-09-28 10:56:38 316,416 ------w C:\WINDOWS\system32\WUDFx.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{26D2045D-50C8-4850-9285-035D79212D9B}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-12-17 17:13 3810544]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-04-19 19:57 949376]
"RegistryMechanic"="" []
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 61952 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-07-26 09:54 716800]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-08-12 16:38 1056768]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
TabUserW.exe.lnk - C:\WINDOWS\system32\WTablet\TabUserW.exe [2008-04-22 18:48:16 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\Program Files\AlienGUIse\fastload.dll 2001-12-20 23:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\startupfolder\C:^Documents and Settings^Maryan^Start Menu^Programs^Startup^Alienware Dock.lnk]
backup=C:\WINDOWS\pss\Alienware Dock.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 17:47:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-27 17:49:27
ComboFix-quarantined-files.txt 2008-04-27 09:48:52

Pre-Run: 73,721,667,584 bytes free
Post-Run: 73,714,917,376 bytes free

376 --- E O F --- 2008-04-26 04:58:06


HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:50 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: (no name) - {26D2045D-50C8-4850-9285-035D79212D9B} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [RaidTool] "C:\Program Files\VIA\RAID\raid_tool.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 3964 bytes
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O2 - BHO: (no name) - {26D2045D-50C8-4850-9285-035D79212D9B} - (no file)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Reboot and tell me how your PC is running
  • 0

#10
Bhlue

Bhlue

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
^^ Here is the log I got..

Malwarebytes' Anti-Malware 1.11
Database version: 692

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 74908
Time elapsed: 26 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\cbXQkiFx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6F78F92E-711B-47B1-A5A2-325C86D2FFBA}\RP23\A0002247.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{6F78F92E-711B-47B1-A5A2-325C86D2FFBA}\RP24\A0002299.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\cbXQkiFx.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\VundoFix Backups\pmnmmLDw.dll.bad (Trojan.Vundo) -> Quarantined and deleted successfully.


I've rebooted and noticed the Nod32 popup doesn't appear anymore..
  • 0

#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image


Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#12
Bhlue

Bhlue

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thank you so very much for your help!! ^^ I am already using Firefox and I've noticed a long time ago that it is indeed better than IE.. I hope you keep this up!! And again, I appreciate your help so very much.. Have a nice day! ^^
  • 0

#13
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP