Geeks to Go

Win32\adware.virtumonde [RESOLVED]


  • This topic is locked

#1
Veseli Francelj
    New Member, 4 posts
Hello, today Nod32 detected Win32\adware.virtumonde on my computer. It seems that it started to create some .dll files in the System32 folder. Well, I ran Spybot Search & Destroy in safe mode and the program deleted the malware. But after the restart, the malware returned even stronger. Now I can't even browse on Google and on some websites.
It turned off Windows automatic update. Well, AVG also deleted two trojan downloaders on startup. That's a short description.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:39:27, on 10.7.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Steam\Steam.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Launchy\Launchy.exe
C:\Program Files\Orbitdownloader\orbitdm.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Tine a.k.a Pepc619\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [d84bc3b0] rundll32.exe "C:\WINDOWS\system32\qbivuxnx.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMdb78f02c] Rundll32.exe "C:\WINDOWS\system32\limfuycv.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210286982120
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3B2EBC1E-A379-4A6E-9EB0-7E35F1DBCC60}: NameServer = 193.189.160.13 193.189.160.23
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 7305 bytes



ComboFix 08-07-09.5 - Tine a.k.a Pepc619 2008-07-10 20:10:08.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1250.1.1033.18.344 [GMT 2:00]
Running from: C:\Documents and Settings\Tine a.k.a Pepc619\Desktop\ComboFix.exe
 * Created a new restore point
 * Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\agsbhxbc.ini
C:\WINDOWS\system32\dapnsmtn.ini
C:\WINDOWS\system32\fhNXwyxx.ini
C:\WINDOWS\system32\fhNXwyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qnjfeudq.ini
C:\WINDOWS\system32\qqBJmnpo.ini
C:\WINDOWS\system32\qqBJmnpo.ini2

.
(((((((((((((((((((((((((   Files Created from 2008-06-10 to 2008-07-10  )))))))))))))))))))))))))))))))
.

2008-07-10 19:30 . 2008-07-10 19:30	<DIR>	d--------	C:\Program Files\Trend Micro
2008-07-10 15:45 . 2008-07-10 15:46	318,720	--a------	C:\WINDOWS\system32\opnmJBqq.dll
2008-07-09 20:11 . 2008-07-09 20:11	<DIR>	d--------	C:\Program Files\K-Lite Codec Pack
2008-07-09 20:11 . 2007-09-04 18:56	164,352	--a------	C:\WINDOWS\system32\unrar.dll
2008-07-09 12:11 . 2008-07-09 12:10	691,545	--a------	C:\WINDOWS\unins000.exe
2008-07-09 12:11 . 2008-07-09 12:11	2,555	--a------	C:\WINDOWS\unins000.dat
2008-07-09 12:07 . 2008-07-09 12:07	29,568	--a------	C:\WINDOWS\system32\urqQhFxY.dll
2008-07-09 12:04 . 2008-07-09 12:04	<DIR>	d--------	C:\Program Files\MagicISO
2008-07-09 12:04 . 2008-07-09 12:04	65,536	---hs----	C:\Documents and Settings\Tine a.k.a Pepc619\MediaTubeCodec_ver1.1463.2.exe
2008-07-09 05:01 . 2008-07-09 05:03	1,355	--a------	C:\WINDOWS\imsins.BAK
2008-07-07 20:37 . 2008-07-07 20:37	<DIR>	d--------	C:\Program Files\VirusTotalUploader
2008-07-06 17:11 . 2008-07-06 17:23	<DIR>	d--------	C:\Program Files\Moyea
2008-07-06 16:36 . 2008-07-07 16:27	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Moyea
2008-07-06 14:21 . 2008-07-06 14:22	<DIR>	d--------	C:\Program Files\Magic Video Converter
2008-07-06 14:21 . 2004-05-26 21:37	719,872	--a------	C:\WINDOWS\system32\devil.dll
2008-07-06 14:21 . 2003-03-19 11:03	544,768	--a------	C:\WINDOWS\system32\msvcr71d.dll
2008-07-06 14:21 . 2006-09-16 19:44	314,368	--a------	C:\WINDOWS\system32\avisynth.dll
2008-07-06 14:06 . 2008-07-06 14:07	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\dwhelper
2008-07-06 12:52 . 2008-07-06 12:52	<DIR>	d--------	C:\Program Files\FLV Player
2008-07-06 12:45 . 2008-07-06 12:45	<DIR>	d--------	C:\Program Files\Orbitdownloader
2008-07-06 12:45 . 2008-07-06 12:45	<DIR>	d--------	C:\Downloads
2008-07-06 12:45 . 2008-07-10 20:27	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Orbit
2008-07-06 12:15 . 2008-07-06 12:15	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Apple Computer
2008-07-06 11:53 . 2008-07-06 11:55	<DIR>	d--------	C:\Program Files\QuickTime
2008-07-06 11:53 . 2008-07-06 11:53	<DIR>	d--------	C:\Program Files\Apple Software Update
2008-07-06 11:53 . 2008-07-06 11:53	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-06 11:53 . 2008-07-06 11:53	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 23:04 . 2004-01-08 11:38	208,896	--a------	C:\WINDOWS\system\lame_enc.dll
2008-07-03 16:08 . 2008-07-03 16:08	<DIR>	d--------	C:\Program Files\Common Files\Blizzard Entertainment
2008-07-03 06:41 . 2008-07-03 06:41	<DIR>	d--------	C:\Program Files\ONWIND
2008-07-03 00:57 . 2008-07-03 01:16	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Launchy
2008-07-03 00:56 . 2008-07-03 01:14	<DIR>	d--------	C:\Program Files\Launchy
2008-07-02 11:53 . 2008-07-03 13:18	23	--a------	C:\Documents and Settings\Tine a.k.a Pepc619\jagex_runescape_preferences.dat
2008-06-30 23:37 . 2004-01-21 23:03	1,474,628	--a------	C:\WINDOWS\system\steamui.dll
2008-06-30 23:36 . 2004-01-21 23:03	3,461,120	-ra------	C:\WINDOWS\system\Steam.dll
2008-06-27 11:04 . 2008-06-27 13:29	<DIR>	d--------	C:\Program Files\CFToolbox
2008-06-27 10:42 . 2008-06-27 10:42	<DIR>	d--------	C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-06-27 10:08 . 2008-07-01 00:20	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Xfire
2008-06-27 10:07 . 2008-07-01 00:19	<DIR>	d--------	C:\Program Files\Xfire
2008-06-26 19:37 . 2008-06-26 19:37	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\My Games
2008-06-26 19:37 . 2008-06-26 19:37	<DIR>	d--------	C:\Documents and Settings\All Users\Microsoft
2008-06-26 19:36 . 2006-10-30 20:25	2,414,360	--a------	C:\WINDOWS\system\d3dx9_31.dll
2008-06-26 05:02 . 2008-06-26 05:02	<DIR>	d--------	C:\Program Files\MSXML 4.0
2008-06-25 02:37 . 2008-06-25 02:37	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Warsow
2008-06-24 13:56 . 2008-07-05 19:50	<DIR>	d--------	C:\Program Files\ANACONDA
2008-06-23 00:42 . 2008-06-23 00:42	249,856	---------	C:\WINDOWS\Setup1.exe
2008-06-23 00:42 . 2008-06-23 00:42	73,216	--a------	C:\WINDOWS\ST6UNST.EXE
2008-06-23 00:21 . 2008-06-23 00:41	<DIR>	d--------	C:\Program Files\AV Music Morpher Gold
2008-06-23 00:05 . 2008-06-23 00:05	98,304	--a------	C:\WINDOWS\system32\SoftAheadCert.dll
2008-06-22 23:43 . 2008-07-09 19:40	<DIR>	d--------	C:\Program Files\eMule
2008-06-22 23:32 . 2008-06-22 23:32	<DIR>	d--------	C:\Program Files\Audacity
2008-06-20 21:16 . 2008-06-20 21:16	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-20 19:46 . 2008-06-20 19:46	245,248	-----c---	C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:46 . 2008-06-20 19:46	147,968	-----c---	C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 14:55 . 2008-06-20 14:55	<DIR>	d--------	C:\Program Files\R-Studio
2008-06-20 14:34 . 2008-06-20 14:35	53,088	--a------	C:\WINDOWS\system32\drivers\Tetri5.sys
2008-06-20 14:21 . 2008-06-20 14:21	48,928	--a------	C:\WINDOWS\system32\drivers\Tetris.sys
2008-06-20 14:20 . 2008-06-20 14:20	137,344	--a------	C:\WINDOWS\system32\drivers\litsgt.sys
2008-06-20 14:20 . 2008-06-20 14:20	12,032	--a------	C:\WINDOWS\system32\drivers\tansgt.sys
2008-06-20 13:40 . 2008-06-20 13:40	138,496	-----c---	C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08	225,856	-----c---	C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 14:18 . 2008-06-19 14:18	<DIR>	d--------	C:\Program Files\Audio Phonics, Inc
2008-06-19 14:17 . 1998-02-06 22:37	299,520	--a------	C:\WINDOWS\uninst.exe
2008-06-19 02:38 . 2008-06-19 02:38	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Ludia
2008-06-19 02:38 . 2008-06-19 02:38	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Ludia
2008-06-18 01:55 . 2007-02-21 02:11	68,888	--a------	C:\WINDOWS\system\xinput1_3.dll
2008-06-18 01:53 . 2007-07-19 18:14	3,727,720	--a------	C:\WINDOWS\system\d3dx9_35.dll
2008-06-16 17:43 . 2008-06-16 17:45	2,952,366	--a------	C:\spriźevalo.bmp
2008-06-16 13:17 . 2008-06-16 13:18	<DIR>	d--------	C:\WINDOWS\.file_store_32
2008-06-15 20:17 . 2008-06-15 20:17	<DIR>	d--------	C:\Program Files\Cool Beans NFO Creator
2008-06-15 15:07 . 2008-06-17 23:45	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\FileZilla
2008-06-15 15:06 . 2008-06-15 15:07	<DIR>	d--------	C:\Program Files\FileZilla FTP Client
2008-06-15 02:02 . 2008-03-12 02:37	107,864	--a------	C:\WINDOWS\system32\tsccvid.dll
2008-06-15 02:01 . 2008-06-15 02:01	<DIR>	d--------	C:\Program Files\TechSmith
2008-06-15 02:01 . 2008-06-15 02:01	<DIR>	d--------	C:\Program Files\Common Files\TechSmith Shared
2008-06-15 02:01 . 2008-06-15 02:01	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\TechSmith
2008-06-12 01:53 . 2008-06-12 01:53	41,296	--a------	C:\WINDOWS\system32\xfcodec.dll
2008-06-11 10:37 . 2008-06-13 13:05	272,128	-----c---	C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 10:37 . 2008-05-08 16:02	203,136	-----c---	C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-10 21:21 . 2008-06-20 13:51	361,600	--a--c---	C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-10 21:21 . 2008-06-10 21:21	361,344	--a------	C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-06-10 21:09 . 2008-06-10 21:25	<DIR>	d--------	C:\Program Files\PeerGuardian2
2008-06-10 18:19 . 2008-06-10 18:19	<DIR>	d--------	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\TotalRecorder
2008-06-10 18:17 . 2008-06-10 18:17	<DIR>	d--------	C:\Program Files\HighCriteria
2008-06-10 18:17 . 2008-04-17 01:34	120,472	--a------	C:\WINDOWS\system32\drivers\TotRec7.sys
2008-06-10 18:17 . 2008-04-12 12:29	106,496	--a------	C:\WINDOWS\system32\DrvTrNTl.dll
2008-06-10 18:17 . 2008-04-17 01:34	59,032	--a------	C:\WINDOWS\system32\DrvTrNTm.dll
2008-06-10 01:02 . 2008-06-10 01:02	<DIR>	d--------	C:\Program Files\IrfanView

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-10 18:26	---------	d-----w	C:\Program Files\Steam
2008-07-10 18:24	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\uTorrent
2008-07-09 10:08	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 03:03	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-06 15:06	---------	d---a-w	C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-03 04:41	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-07-02 23:23	---------	d-----w	C:\Program Files\Spyware Doctor
2008-06-22 21:58	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\LimeWire
2008-06-21 22:23	---------	d-----w	C:\Program Files\Microsoft Silverlight
2008-06-21 13:53	107,888	----a-w	C:\WINDOWS\system32\CmdLineExt.dll
2008-06-20 17:46	245,248	----a-w	C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:27	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Uniblue
2008-06-20 17:21	---------	d-----w	C:\Program Files\Uniblue
2008-06-20 11:51	361,600	----a-w	C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40	138,496	----a-w	C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08	225,856	----a-w	C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 00:23	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Nokia
2008-06-14 11:56	505,128	----a-w	C:\WINDOWS\system32\msvcp71.dll
2008-06-14 11:56	353,576	----a-w	C:\WINDOWS\system32\msvcr71.dll
2008-06-14 11:56	29,480	----a-w	C:\WINDOWS\system32\msxml3a.dll
2008-06-13 11:05	272,128	------w	C:\WINDOWS\system32\drivers\bthport.sys
2008-06-09 18:02	---------	d-----w	C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-09 18:01	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\CyberLink
2008-06-09 18:00	---------	d-----w	C:\Program Files\CyberLink
2008-06-09 18:00	---------	d-----w	C:\Program Files\Common Files\CyberLink
2008-06-09 00:08	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\PC Suite
2008-06-09 00:07	---------	d-----w	C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-07 22:45	---------	d-----w	C:\Program Files\LimeWire
2008-06-06 12:39	---------	d-----w	C:\Program Files\Octoshape Streaming Services
2008-06-06 12:37	---------	d-----w	C:\Program Files\Common Files\InstallShield
2008-06-02 22:53	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Nero
2008-06-02 22:50	---------	d-----w	C:\Program Files\Common Files\Nero
2008-06-02 22:42	---------	d-----w	C:\Program Files\Nero
2008-06-02 22:42	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Nero
2008-06-01 20:26	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Media Player Classic
2008-06-01 09:35	---------	d-----w	C:\Program Files\Power Tab Software
2008-05-31 22:21	---------	d-----w	C:\Program Files\Microsoft Bootvis
2008-05-31 03:04	---------	d-----w	C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-30 12:42	---------	d-----w	C:\Program Files\Microsoft Works
2008-05-30 12:41	---------	d-----w	C:\Program Files\MSBuild
2008-05-30 12:37	---------	d-----w	C:\Program Files\Microsoft.NET
2008-05-30 12:32	---------	d-----w	C:\Program Files\Microsoft Visual Studio 8
2008-05-25 21:34	---------	d-----w	C:\Program Files\SuperAudiotool
2008-05-22 21:32	---------	d-----w	C:\Program Files\HP
2008-05-22 21:03	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-05-17 19:55	---------	d-----w	C:\Program Files\Unlocker
2008-05-17 19:15	---------	d-----w	C:\Program Files\San Andreas Mod Installer
2008-05-16 21:47	---------	d-----w	C:\Program Files\Rockstar Games
2008-05-16 14:52	---------	d-----w	C:\Program Files\DAEMON Tools Lite
2008-05-14 12:57	---------	d-----w	C:\Program Files\CCleaner
2008-05-14 12:53	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Desktopicon
2008-05-13 22:36	---------	d-----w	C:\Program Files\Spybot - Search & Destroy
2008-05-12 20:56	---------	d-----w	C:\Program Files\Nokia
2008-05-12 20:56	---------	d-----w	C:\Program Files\Common Files\PCSuite
2008-05-12 20:56	---------	d-----w	C:\Program Files\Common Files\Nokia
2008-05-12 20:55	---------	d-----w	C:\Program Files\DIFX
2008-05-12 19:56	---------	d-----w	C:\Program Files\PC Connectivity Solution
2008-05-12 19:55	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Installations
2008-05-12 19:29	---------	d-----w	C:\Program Files\Toshiba
2008-05-10 23:17	---------	d-----w	C:\Program Files\SystemRequirementsLab
2008-05-10 23:17	---------	d-----w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\SystemRequirementsLab
2008-05-10 23:16	---------	d-----w	C:\Program Files\Java
2008-05-10 23:13	---------	d-----w	C:\Program Files\Common Files\Java
2008-05-10 14:10	---------	d-----w	C:\Program Files\Common Files\INCA Shared
2008-05-10 14:02	---------	d--h--w	C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\ijjigame
2008-05-10 13:39	---------	d-----w	C:\Documents and Settings\All Users\Application Data\IJJIGame
2008-05-09 10:53	90,112	----a-w	C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53	430,080	----a-w	C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53	180,224	----a-w	C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53	172,032	----a-w	C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24	155,648	----a-w	C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07	135,168	----a-w	C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12	1,288,192	----a-w	C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16	826,368	----a-w	C:\WINDOWS\system32\wininet.dll
2008-04-22 09:25	167,936	----a-w	C:\WINDOWS\system32\TosAvdtAPI.dll
2008-04-18 16:38	286,720	----a-w	C:\WINDOWS\system32\LCWizard.dll
2008-04-14 03:42	985,088	----a-w	C:\WINDOWS\system32\setupapi.dll
2008-04-14 03:42	11,264	----a-w	C:\WINDOWS\system32\spnpinst.exe
2008-04-14 03:41	423,936	----a-w	C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25	1,804	----a-w	C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16	329,728	----a-w	C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13	92,424	----a-w	C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13	87,176	----a-w	C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13	299,520	----a-w	C:\WINDOWS\system32\drmclien.dll
2008-04-14 00:13	12,168	----a-w	C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:11	997,376	----a-w	C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10	53,279	----a-w	C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10	4,126	----a-w	C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10	3,584	----a-w	C:\WINDOWS\system32\msafd.dll
2008-04-14 00:10	102,912	----a-w	C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30	1,845,632	----a-w	C:\WINDOWS\system32\win32k.sys
2008-04-13 19:27	2,188,928	----a-w	C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 18:44	17,664	----a-w	C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:43	9,728	----a-w	C:\WINDOWS\system32\comsdupd.exe
2008-04-13 18:43	12,800	----a-w	C:\WINDOWS\system32\spiisupd.exe
2008-04-13 18:31	7,424	----a-w	C:\WINDOWS\system32\kd1394.dll
2008-04-13 18:31	2,065,792	----a-w	C:\WINDOWS\system32\ntkrnlpa.exe
2008-04-13 18:30	61,440	----a-w	C:\WINDOWS\system32\msvcrt40.dll
2008-04-13 18:14	76,800	----a-w	C:\WINDOWS\system32\msshavmsg.dll
2008-04-13 17:39	438,784	----a-w	C:\WINDOWS\system32\xpob2res.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E6FAEEB-B59B-4E6B-9509-1F83A7D599AD}]
2008-07-10 20:31	281088	--a------	C:\WINDOWS\system32\yayyAsPi.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BC97A8-CE4A-4ACD-91F4-2B4A26463D22}]
2008-07-10 15:46	318720	--a------	C:\WINDOWS\system32\opnmJBqq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2008-05-09 16:55 5724184]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-07-01 00:17 1271032]
"Uniblue SpyEraser"="C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" [2008-04-02 09:50 1424648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 06:15 15872]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"BMdb78f02c"="C:\WINDOWS\system32\limfuycv.dll" [2008-07-10 20:35 105472]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2008-07-03 00:56:36 274432]
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2008-07-06 12:45:38 1690824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages	REG_MULTI_SZ   	msv1_0 C:\WINDOWS\system32\yayyAsPi

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2008-05-19 15:24 91432 C:\Program Files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-05-09 16:55 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 11:36 50472 C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2]
--a------ 2007-08-16 09:02 1877272 C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"C:\\Documents and Settings\\Tine a.k.a Pepc619\\Desktop\\Game\\MP_shooter_v1.3 BASE.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"C:\\Program Files\\Steam\\steamapps\\norhid\\Counter-Strike\\hl.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Steam\\steamapps\\norhid\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\ONWIND\\ZU-ONLINE\\ZuOnline.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62614:TCP"= 62614:TCP:89.142.3.191/255.255.255.255:Enabled:Tine a.k.a Pepc619

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07]
R2 litsgt;litsgt;C:\WINDOWS\system32\DRIVERS\litsgt.sys [2008-06-20 14:20]
R2 tansgt;tansgt;C:\WINDOWS\system32\DRIVERS\tansgt.sys [2008-06-20 14:20]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
R3 Tetri5;Tetri5 driver;C:\WINDOWS\system32\Drivers\Tetri5.sys [2008-06-20 14:35]
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys [2008-06-20 14:21]
R3 TotRec7;Total Recorder WDM audio driver;C:\WINDOWS\system32\drivers\TotRec7.sys [2008-04-17 01:34]
S1 as6eio;as6eio;C:\WINDOWS\system32\drivers\as6eio.sys []
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 16:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-06 09:53:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-03 21:34:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-14 21:11:05 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-09 12:40:18 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - (no file)
BHO-{937DF017-D474-4E8B-B2B5-852866C3AA51} - (no file)
ShellExecuteHooks-{684BFE7F-F5B2-4AB3-A95E-EB5036A2D286} - (no file)
Notify-urqQhFxY - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-10 20:26:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


C:\WINDOWS\system32\yayyAsPi.dll 281088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\Unlocker\UnlockerHook.dll
-> C:\WINDOWS\system32\limfuycv.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Orbitdownloader\orbitnet.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-07-10 20:39:12 - machine was rebooted
ComboFix-quarantined-files.txt  2008-07-10 18:38:36

Pre-Run: 12,258,025,472 bytes free
Post-Run: 12,227,067,904 bytes free

343	--- E O F ---	2008-07-09 03:03:28

#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi,

Please don't use the Code tags because it makes the logs harder to read...

First of all... not sure where you have read the instructions to use Combofix, but the first step required before you run it is to install the Recovery Console.
Read here how to do this with Combofix:

http://www.bleepingc...to-use-combofix

The reason why Recovery Console is recommended is because malware damages a lot and causes an unstable system - and because of that, it may happen that your computer won't be able to boot anymore. With the Recovery Console installed, there are extra options present to repair whatever malware damaged. Also, even though you're not infected, the presence of the Recovery Console is a useful feature in case a computer won't boot anymore because of several other reasons. Read here what you can do with the Recovery Console.

Extra note: After you have installed the Recovery Console - if you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well.
Don't select to run the Recovery Console as we don't need it.
By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows.

Also, I see you are using a cracked version of NOD32.
If you visit crack sites or use cracks, you'll ALWAYS get infected. This is not only because of the crack itself, but because one single click entering that site may already download and install a huge malware bundle.
You really have to change your surfing habits though, because these malware bundles may contain a keylogger, collecting all your passwords and installing other random malware, compromising your system including infecting other computers. And this all, because you visited some illegal sites.
Also, keep in mind, malware DAMAGES A LOT! And the damage can't always be repaired, so a format and reinstall is the only solution in such cases.
So is it really worth it? Get illegal software for "free", but compromise/break your computer instead.... :)
Better to avoid this instead and change your surfing habits. Then this wouldn't have happened.

And, I notice from your log that there's more than 1 Antivirus installed. Eset and AVG.
Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!
The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.
Also, because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

So you have to make a decision here and keep the Antivirus you prefer and uninstall the other one.
Then reboot after uninstalling.



Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\limfuycv.dll
C:\WINDOWS\system32\yayyAsPi.dll
C:\WINDOWS\system32\opnmJBqq.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3E6FAEEB-B59B-4E6B-9509-1F83A7D599AD}]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1BC97A8-CE4A-4ACD-91F4-2B4A26463D22}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BMdb78f02c"=-


Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript.txt being dragged onto ComboFix.exe)

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
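The Registry:: block in the CFScript above resets the LSA "Authentication Packages" value to its default. The hex(7) string is a REG_MULTI_SZ in REGEDIT4 encoding: comma-separated ANSI bytes, each string NUL-terminated, with a final extra NUL closing the list, so 6d,73,76,31,5f,30,00,00 is just "msv1_0". What follows is an added example, not code from this thread, from ComboFix or from the expert who posted the script: it decodes and encodes that format and flags any entry beyond an assumed clean baseline of msv1_0 only. The tampered sample value and the DLL name "exampledll" in it are constructed for the demonstration.

```python
"""Decode/encode REGEDIT4 hex(7) (REG_MULTI_SZ) values and flag unexpected
entries in LSA "Authentication Packages".

Added example; not code from the forum thread or from ComboFix. The baseline
{"msv1_0"} and the sample values below are assumptions / constructed input.
"""
import re
from typing import List

# REGEDIT4 (.reg version 4) writes REG_MULTI_SZ as comma-separated ANSI
# bytes: each string NUL-terminated, then one more NUL closes the list.
HEX7_PREFIX = "hex(7):"

# Assumption: on a clean Windows XP install the NTLM package msv1_0 is the
# only authentication package registered under HKLM\SYSTEM\...\Control\Lsa.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def decode_multi_sz(value: str) -> List[str]:
    """Turn 'hex(7):6d,73,...' into the list of strings it encodes."""
    body = value.strip()
    if not body.lower().startswith(HEX7_PREFIX):
        raise ValueError("not a hex(7) value: %r" % value)
    # .reg files may wrap long values with backslash line continuations.
    hexbytes = body[len(HEX7_PREFIX):].replace("\\\n", "").replace(" ", "")
    raw = bytes(int(h, 16) for h in hexbytes.split(",") if h)
    # Split on NUL; the terminating double NUL yields empty pieces we drop.
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_multi_sz(strings: List[str]) -> str:
    """Inverse of decode_multi_sz: build the hex(7) text for a .reg/CFScript."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return HEX7_PREFIX + ",".join("%02x" % b for b in raw)


def parse_reg_value(line: str) -> str:
    """Extract the value part of a .reg line such as "Name"=hex(7):..."""
    m = re.match(r'^\s*"([^"]+)"\s*=\s*(.+)$', line)
    if not m:
        raise ValueError("not a .reg value line: %r" % line)
    return m.group(2)


def unexpected_auth_packages(value: str) -> List[str]:
    """Return entries that are not in the expected baseline.

    A DLL name added here is loaded by LSASS at boot as an 'authentication
    package', which is why a reset to the default is part of the cleanup;
    anything beyond the baseline deserves a look.
    """
    return [p for p in decode_multi_sz(value)
            if p.lower() not in EXPECTED_AUTH_PACKAGES]


# Constructed samples: the clean value exactly as written in the CFScript,
# and a hypothetical tampered value with a made-up extra DLL name appended.
CLEAN_LINE = '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00'
TAMPERED_LINE = ('"Authentication Packages"='
                 + encode_multi_sz(["msv1_0", "exampledll"]))

if __name__ == "__main__":
    for line in (CLEAN_LINE, TAMPERED_LINE):
        extra = unexpected_auth_packages(parse_reg_value(line))
        print(line)
        print("  unexpected entries:", extra or "none")
```

The decoder assumes the REGEDIT4 header that ComboFix uses in its report and script (the log above prints "REGEDIT4"); a file starting with "Windows Registry Editor Version 5.00" stores hex(7) as UTF-16LE instead, so the byte-to-string step would need to decode as utf-16-le there.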

#3
Veseli Francelj

Veseli Francelj

    New Member

  • Topic Starter
  • Member
  • 4 posts
Hello, I have deleted Nod32, because I found AVG a much better antivirus. I also manually installed the Recovery Console after ComboFix, because the "drag the Recovery Console installation onto ComboFix.exe" method didn't work.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:01, on 11.7.2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Launchy.lnk = C:\Program Files\Launchy\Launchy.exe
O4 - Global Startup: Orbit.lnk = C:\Program Files\Orbitdownloader\orbitdm.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1210286982120
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 7126 bytes


ComboFix 08-07-10.1 - Tine a.k.a Pepc619 2008-07-11 12:59:19.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1250.1.1033.18.399 [GMT 2:00]
Running from: C:\Documents and Settings\Tine a.k.a Pepc619\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tine a.k.a Pepc619\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\limfuycv.dll
C:\WINDOWS\system32\opnmJBqq.dll
C:\WINDOWS\system32\yayyAsPi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\nyrkfing.ini
C:\WINDOWS\system32\opnmJBqq.dll
C:\WINDOWS\system32\qbivuxnx.dll
C:\WINDOWS\system32\qqBJmnpo.ini
C:\WINDOWS\system32\qqBJmnpo.ini2
C:\WINDOWS\system32\xnxuvibq.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-11 to 2008-07-11 )))))))))))))))))))))))))))))))
.

2008-07-11 00:37 . 2008-07-11 00:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-07-10 23:26 . 2008-07-11 00:54 <DIR> d-------- C:\VundoFix Backups
2008-07-10 22:45 . 2008-07-11 12:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-07-10 22:21 . 2008-07-11 09:11 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-07-10 22:21 . 2008-07-10 22:21 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-07-10 22:21 . 2008-07-10 22:21 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-07-10 22:20 . 2008-07-10 22:20 <DIR> d-------- C:\Program Files\AVG
2008-07-10 22:20 . 2008-07-10 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-07-10 20:35 . 2008-07-11 00:50 110,447 --a------ C:\WINDOWS\BMdb78f02c.xml
2008-07-10 19:30 . 2008-07-10 19:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-09 12:11 . 2008-07-09 12:10 691,545 --a------ C:\WINDOWS\unins000.exe
2008-07-09 12:11 . 2008-07-09 12:11 2,555 --a------ C:\WINDOWS\unins000.dat
2008-07-09 12:04 . 2008-07-09 12:04 <DIR> d-------- C:\Program Files\MagicISO
2008-07-07 20:37 . 2008-07-07 20:37 <DIR> d-------- C:\Program Files\VirusTotalUploader
2008-07-06 17:11 . 2008-07-11 01:08 <DIR> d-------- C:\Program Files\Moyea
2008-07-06 16:36 . 2008-07-07 16:27 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Moyea
2008-07-06 14:21 . 2008-07-06 14:22 <DIR> d-------- C:\Program Files\Magic Video Converter
2008-07-06 14:21 . 2004-05-26 21:37 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-07-06 14:21 . 2003-03-19 11:03 544,768 --a------ C:\WINDOWS\system32\msvcr71d.dll
2008-07-06 14:21 . 2006-09-16 19:44 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2008-07-06 14:06 . 2008-07-06 14:07 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\dwhelper
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\Program Files\FLV Player
2008-07-06 12:45 . 2008-07-06 12:45 <DIR> d-------- C:\Program Files\Orbitdownloader
2008-07-06 12:45 . 2008-07-06 12:45 <DIR> d-------- C:\Downloads
2008-07-06 12:45 . 2008-07-11 12:43 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Orbit
2008-07-06 12:15 . 2008-07-06 12:15 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Apple Computer
2008-07-06 11:53 . 2008-07-06 11:55 <DIR> d-------- C:\Program Files\QuickTime
2008-07-06 11:53 . 2008-07-06 11:53 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-06 11:53 . 2008-07-06 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-06 11:53 . 2008-07-06 11:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-04 23:04 . 2004-01-08 11:38 208,896 --a------ C:\WINDOWS\system\lame_enc.dll
2008-07-03 16:08 . 2008-07-03 16:08 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-03 06:41 . 2008-07-03 06:41 <DIR> d-------- C:\Program Files\ONWIND
2008-07-03 00:57 . 2008-07-03 01:16 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Launchy
2008-07-03 00:56 . 2008-07-03 01:14 <DIR> d-------- C:\Program Files\Launchy
2008-07-02 11:53 . 2008-07-03 13:18 23 --a------ C:\Documents and Settings\Tine a.k.a Pepc619\jagex_runescape_preferences.dat
2008-06-30 23:37 . 2004-01-21 23:03 1,474,628 --a------ C:\WINDOWS\system\steamui.dll
2008-06-30 23:36 . 2004-01-21 23:03 3,461,120 -ra------ C:\WINDOWS\system\Steam.dll
2008-06-27 11:04 . 2008-06-27 13:29 <DIR> d-------- C:\Program Files\CFToolbox
2008-06-27 10:42 . 2008-06-27 10:42 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Xfire
2008-06-27 10:08 . 2008-07-01 00:20 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Xfire
2008-06-27 10:07 . 2008-07-01 00:19 <DIR> d-------- C:\Program Files\Xfire
2008-06-26 19:37 . 2008-06-26 19:37 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\My Games
2008-06-26 19:37 . 2008-06-26 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Microsoft
2008-06-26 19:36 . 2006-10-30 20:25 2,414,360 --a------ C:\WINDOWS\system\d3dx9_31.dll
2008-06-26 05:02 . 2008-06-26 05:02 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-06-25 02:37 . 2008-06-25 02:37 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Warsow
2008-06-24 13:56 . 2008-07-05 19:50 <DIR> d-------- C:\Program Files\ANACONDA
2008-06-23 00:42 . 2008-06-23 00:42 249,856 --------- C:\WINDOWS\Setup1.exe
2008-06-23 00:42 . 2008-06-23 00:42 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-06-23 00:21 . 2008-06-23 00:41 <DIR> d-------- C:\Program Files\AV Music Morpher Gold
2008-06-23 00:05 . 2008-06-23 00:05 98,304 --a------ C:\WINDOWS\system32\SoftAheadCert.dll
2008-06-22 23:43 . 2008-07-09 19:40 <DIR> d-------- C:\Program Files\eMule
2008-06-22 23:32 . 2008-06-22 23:32 <DIR> d-------- C:\Program Files\Audacity
2008-06-20 21:16 . 2008-06-20 21:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-06-20 19:46 . 2008-06-20 19:46 245,248 -----c--- C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 19:46 . 2008-06-20 19:46 147,968 -----c--- C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 14:55 . 2008-06-20 14:55 <DIR> d-------- C:\Program Files\R-Studio
2008-06-20 14:34 . 2008-06-20 14:35 53,088 --a------ C:\WINDOWS\system32\drivers\Tetri5.sys
2008-06-20 14:21 . 2008-06-20 14:21 48,928 --a------ C:\WINDOWS\system32\drivers\Tetris.sys
2008-06-20 14:20 . 2008-06-20 14:20 137,344 --a------ C:\WINDOWS\system32\drivers\litsgt.sys
2008-06-20 14:20 . 2008-06-20 14:20 12,032 --a------ C:\WINDOWS\system32\drivers\tansgt.sys
2008-06-20 13:40 . 2008-06-20 13:40 138,496 -----c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 13:08 . 2008-06-20 13:08 225,856 -----c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-19 14:18 . 2008-06-19 14:18 <DIR> d-------- C:\Program Files\Audio Phonics, Inc
2008-06-19 14:17 . 1998-02-06 22:37 299,520 --a------ C:\WINDOWS\uninst.exe
2008-06-19 02:38 . 2008-06-19 02:38 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Ludia
2008-06-19 02:38 . 2008-06-19 02:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ludia
2008-06-18 01:55 . 2007-02-21 02:11 68,888 --a------ C:\WINDOWS\system\xinput1_3.dll
2008-06-18 01:53 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system\d3dx9_35.dll
2008-06-16 17:43 . 2008-06-16 17:45 2,952,366 --a------ C:\spriźevalo.bmp
2008-06-16 13:17 . 2008-06-16 13:18 <DIR> d-------- C:\WINDOWS\.file_store_32
2008-06-15 20:17 . 2008-06-15 20:17 <DIR> d-------- C:\Program Files\Cool Beans NFO Creator
2008-06-15 15:07 . 2008-06-17 23:45 <DIR> d-------- C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\FileZilla
2008-06-15 15:06 . 2008-06-15 15:07 <DIR> d-------- C:\Program Files\FileZilla FTP Client
2008-06-15 02:02 . 2008-03-12 02:37 107,864 --a------ C:\WINDOWS\system32\tsccvid.dll
2008-06-15 02:01 . 2008-06-15 02:01 <DIR> d-------- C:\Program Files\TechSmith
2008-06-15 02:01 . 2008-06-15 02:01 <DIR> d-------- C:\Program Files\Common Files\TechSmith Shared
2008-06-15 02:01 . 2008-06-15 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TechSmith
2008-06-12 01:53 . 2008-06-12 01:53 41,296 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-06-11 10:37 . 2008-06-13 13:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-11 10:37 . 2008-05-08 16:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 11:12 --------- d-----w C:\Program Files\Steam
2008-07-11 10:44 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-10 23:09 --------- d-----w C:\Program Files\Uniblue
2008-07-10 20:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-10 18:24 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\uTorrent
2008-07-09 03:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-03 04:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-02 23:23 --------- d-----w C:\Program Files\Spyware Doctor
2008-06-22 21:58 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\LimeWire
2008-06-21 22:23 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-20 17:27 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Uniblue
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-19 00:23 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Nokia
2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 19:25 --------- d-----w C:\Program Files\PeerGuardian2
2008-06-10 19:21 361,344 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-06-10 16:19 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\TotalRecorder
2008-06-10 16:17 --------- d-----w C:\Program Files\HighCriteria
2008-06-09 23:02 --------- d-----w C:\Program Files\IrfanView
2008-06-09 18:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-06-09 18:01 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\CyberLink
2008-06-09 18:00 --------- d-----w C:\Program Files\CyberLink
2008-06-09 18:00 --------- d-----w C:\Program Files\Common Files\CyberLink
2008-06-09 00:08 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\PC Suite
2008-06-09 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2008-06-07 22:45 --------- d-----w C:\Program Files\LimeWire
2008-06-06 12:39 --------- d-----w C:\Program Files\Octoshape Streaming Services
2008-06-06 12:37 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-02 22:53 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Nero
2008-06-02 22:50 --------- d-----w C:\Program Files\Common Files\Nero
2008-06-02 22:42 --------- d-----w C:\Program Files\Nero
2008-06-02 22:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-01 20:26 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Media Player Classic
2008-06-01 09:35 --------- d-----w C:\Program Files\Power Tab Software
2008-05-31 22:21 --------- d-----w C:\Program Files\Microsoft Bootvis
2008-05-31 03:04 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-05-30 12:42 --------- d-----w C:\Program Files\Microsoft Works
2008-05-30 12:41 --------- d-----w C:\Program Files\MSBuild
2008-05-30 12:37 --------- d-----w C:\Program Files\Microsoft.NET
2008-05-30 12:32 --------- d-----w C:\Program Files\Microsoft Visual Studio 8
2008-05-25 21:34 --------- d-----w C:\Program Files\SuperAudiotool
2008-05-22 21:32 --------- d-----w C:\Program Files\HP
2008-05-22 21:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-17 19:55 --------- d-----w C:\Program Files\Unlocker
2008-05-17 19:15 --------- d-----w C:\Program Files\San Andreas Mod Installer
2008-05-16 21:47 --------- d-----w C:\Program Files\Rockstar Games
2008-05-16 14:52 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-05-14 12:57 --------- d-----w C:\Program Files\CCleaner
2008-05-14 12:53 --------- d-----w C:\Documents and Settings\Tine a.k.a Pepc619\Application Data\Desktopicon
2008-05-13 22:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-12 20:56 --------- d-----w C:\Program Files\Nokia
2008-05-12 20:56 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-05-12 20:56 --------- d-----w C:\Program Files\Common Files\Nokia
2008-05-12 20:55 --------- d-----w C:\Program Files\DIFX
2008-05-12 19:56 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-05-12 19:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-05-12 19:29 --------- d-----w C:\Program Files\Toshiba
2008-04-14 00:11 451,072 ----a-w C:\WINDOWS\AppPatch\aclayers.dll
2008-04-14 00:11 39,424 ------w C:\WINDOWS\AppPatch\acadproc.dll
2008-04-14 00:11 376,832 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\msinfo.dll
2008-04-14 00:11 245,248 ----a-w C:\WINDOWS\AppPatch\acspecfc.dll
2008-04-14 00:11 141,312 ----a-w C:\WINDOWS\AppPatch\aclua.dll
2008-04-14 00:11 116,224 ----a-w C:\WINDOWS\AppPatch\acxtrnal.dll
2008-04-14 00:11 1,852,928 ----a-w C:\WINDOWS\AppPatch\acgenral.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-10_20.35.58.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-07-10 18:25:54 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-11 11:07:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-07-10 20:21:30 26,824 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 02:12 15360]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2008-05-09 16:55 5724184]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-07-01 00:17 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 06:15 15872]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-10 22:21 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 02:12 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - C:\Program Files\Launchy\Launchy.exe [2008-07-03 00:56:36 274432]
Orbit.lnk - C:\Program Files\Orbitdownloader\orbitdm.exe [2008-07-06 12:45:38 1690824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer"= DrvTrNTm.dll
"wave"= DrvTrNTm.dll
"VIDC.XFR1"= xfcodec.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2008-05-19 15:24 91432 C:\Program Files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2008-05-09 16:55 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 11:36 50472 C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\TmUnitedForever\\TmForever.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\ijji\\ENGLISH\\u_gunz.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
"C:\\Documents and Settings\\Tine a.k.a Pepc619\\Desktop\\Game\\MP_shooter_v1.3 BASE.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"C:\\Program Files\\Steam\\steamapps\\norhid\\Counter-Strike\\hl.exe"=
"C:\\Program Files\\Xfire\\xfire.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Steam\\steamapps\\norhid\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\ONWIND\\ZU-ONLINE\\ZuOnline.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"62614:TCP"= 62614:TCP:89.142.3.191/255.255.255.255:Enabled:Tine a.k.a Pepc619

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 17:49]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-10 22:21]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-07-10 22:21]
R2 litsgt;litsgt;C:\WINDOWS\system32\DRIVERS\litsgt.sys [2008-06-20 14:20]
R2 tansgt;tansgt;C:\WINDOWS\system32\DRIVERS\tansgt.sys [2008-06-20 14:20]
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2008-02-26 05:54]
R3 Tetri5;Tetri5 driver;C:\WINDOWS\system32\Drivers\Tetri5.sys [2008-06-20 14:35]
R3 Tetris;Tetris driver;C:\WINDOWS\system32\Drivers\Tetris.sys [2008-06-20 14:21]
R3 TotRec7;Total Recorder WDM audio driver;C:\WINDOWS\system32\drivers\TotRec7.sys [2008-04-17 01:34]
S1 as6eio;as6eio;C:\WINDOWS\system32\drivers\as6eio.sys []
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-08-23 16:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-07-06 09:53:17 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-03 21:34:32 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-14 21:11:05 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-07-09 12:40:18 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{BB5D6BA6-FDD8-439B-861A-3D41FABB9B8d} - C:\WINDOWS\system32\vnebjjqc.dll
MSConfigStartUp-egui - C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-11 13:09:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD8\000.fcl"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-07-11 13:18:53 - machine was rebooted [Tine a.k.a Pepc619]
ComboFix-quarantined-files.txt 2008-07-11 11:18:44
ComboFix2.txt 2008-07-10 18:39:28

Pre-Run: 11,958,738,944 bytes free
Post-Run: 11,943,989,248 bytes free

296 --- E O F --- 2008-07-09 03:03:28

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi,

Navigate to and delete the following file:

C:\WINDOWS\BMdb78f02c.xml

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against the following:

O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\WINDOWS\system32\SoftAheadCert.dll <== this is not malware, but it is not required either. It's a Pay Per Install Software Marketing Program and bundled with software you've downloaded/installed from SoftAhead.

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
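A post-cleanup check for the items named in this thread, written as an added example (it is not part of the thread and not a script from miekiemoes or any of the tools mentioned). It assumes it is run in PowerShell on the affected machine with administrator rights; the file paths, the two BHO CLSIDs and the DLL names are taken from the logs and instructions above, and the Browser Helper Objects and Uninstall registry locations are the standard Windows ones. It only reports, it deletes nothing, so it can be run before and after the steps above to confirm the artifacts are gone and to list which older Java runtimes still need to be removed before installing 6 Update 7.

```powershell
# Added example, not from the thread. Reports on the artifacts named in the
# posts above; nothing is modified or deleted.

# Files the thread asked to remove or that ComboFix reported as orphaned.
$artifacts = @(
    'C:\WINDOWS\BMdb78f02c.xml',              # file to be deleted manually
    'C:\WINDOWS\system32\SoftAheadCert.dll',  # SACert BHO (pay-per-install bundle)
    'C:\WINDOWS\system32\vnebjjqc.dll'        # orphaned BHO removed by ComboFix
)

foreach ($path in $artifacts) {
    if (Test-Path -LiteralPath $path) {
        Write-Output "STILL PRESENT: $path"
    } else {
        Write-Output "absent: $path"
    }
}

# Browser Helper Objects are registered by CLSID under this key. The two
# CLSIDs from the thread should no longer be listed once HijackThis has
# fixed the O2 entry and ComboFix has removed the orphan.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$knownBad = @(
    '{740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2}',   # SACert Class (SoftAheadCert.dll)
    '{BB5D6BA6-FDD8-439B-861A-3D41FABB9B8D}'    # orphaned BHO (vnebjjqc.dll)
)

if (Test-Path $bhoKey) {
    Get-ChildItem $bhoKey | ForEach-Object {
        $clsid = $_.PSChildName
        # The DLL backing a BHO is the default value of its InprocServer32 key.
        $server = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
        $dll = if ($server) { $server.'(default)' } else { '<no InprocServer32>' }
        $flag = if ($knownBad -contains $clsid.ToUpper()) { 'FLAGGED' } else { 'ok' }
        Write-Output ("BHO {0} -> {1} [{2}]" -f $clsid, $dll, $flag)
    }
} else {
    Write-Output "no Browser Helper Objects key present"
}

# Installed Java runtimes, read from the Add/Remove Programs uninstall key.
# The thread asks for every older JRE / J2SE entry to be uninstalled before
# running the 6 Update 7 installer; this lists what is still registered.
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
Get-ChildItem $uninstall | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.DisplayName -match 'Java|J2SE|JRE') {
        Write-Output ("Java entry: {0} (version {1})" -f $p.DisplayName, $p.DisplayVersion)
    }
}
```

Any line marked STILL PRESENT or FLAGGED means the corresponding step above has not taken effect yet; the Java list should end up showing only the newly installed 6 Update 7 entry.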

#5 Veseli Francelj (Topic Starter, New Member, 4 posts)
Hello, my computer seems to be in a much better condition. The computer runs smoothly now. That's how the Java installation looks now:
Posted Image

I didn't have to uninstall any of the java updates, because there wasn't any.
For protection I also installed Spyware Blaster. If there is any other advice, please suggest.

Thanks a lot for the help.

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)

I didn't have to uninstall any of the java updates, because there wasn't any.

And what about Java™ 6 Update 5 as displayed in your screenshot? It was that one you had to uninstall. :)

Glad I could help. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date, because older versions may contain security leaks. To find out which programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#7 Veseli Francelj (Topic Starter, New Member, 4 posts)
Oh, I didn't delete it because in your post you said everything with Runtime Environment. That's why I didn't delete it. Well, I will delete it now. =D

#8 miekiemoes (Malware Expert, MVP, 5,503 posts)
Those were just examples :)

#9 miekiemoes (Malware Expert, MVP, 5,503 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.