Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Random pop-ups [Solved]

Started by oktane2006 , Apr 24 2009 03:47 PM

  • This topic is locked This topic is locked

#1
oktane2006
Posted 24 April 2009 - 03:47 PM

oktane2006

    New Member

  • Member
  • Pip
  • 6 posts
Hi. For the last couple weeks I have been getting random pop-ups whenever I'm on the internet. So far, to fix this I have tried using ad-aware, malware bytes, advanced system care, avg, sdfix and pandasecurity scan. None of these have worked.

The pop-ups are very random. They sometimes stop for a couple of minutes, but then eventually start back up. Also, whenever I restart my computer it seems to take 10-20 minutes of internet browsing before they come up.

The other day I restarted my computer and got 2 error messages saying windows can not run c:\windows\system32\zupima.dll and c:\windows\system32\kirigoru.dll. I tried to find information about them on the internet, but couldn't. I also tried looking for the files on my computer, but didn't. I don't know if this has anything to do with the pop-ups or not.

Any help in fixing this problem would be highly appreciated.



Here's a Hijack This log:



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:57:43 PM, on 4/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AVG\AVG8\avgscanx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?fr=fp-yie8
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {f53d1331-cced-42a3-a2eb-c8ed74210b08} - C:\WINDOWS\system32\kuwufopu.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [koyuviguhi] Rundll32.exe "C:\WINDOWS\system32\gosamafi.dll",s
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [58ab9781] rundll32.exe "C:\WINDOWS\system32\nuhatove.dll",b
O4 - HKLM\..\Run: [CPM5b98a41d] Rundll32.exe "c:\windows\system32\moyibini.dll",a
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-19\..\Run: [koyuviguhi] Rundll32.exe "C:\WINDOWS\system32\gosamafi.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [koyuviguhi] Rundll32.exe "C:\WINDOWS\system32\gosamafi.dll",s (User 'NETWORK SERVICE')
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48F2A482-9555-495A-B50B-55FF7643F127}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{48F2A482-9555-495A-B50B-55FF7643F127}: NameServer = 68.94.156.1 68.94.157.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\moyibini.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\moyibini.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 9997 bytes
  • 0

Advertisements

#2
BHowett
Posted 24 April 2009 - 04:28 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello and welcome to Geeks To Go! My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure then please do not guess , simply post back with your question, and we will go through it again.


ComboFix

Please download ComboFix from Here or Here

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • 0

#3
oktane2006
Posted 24 April 2009 - 08:58 PM

oktane2006

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay. Here's the log from combofix.


ComboFix 09-04-25.03 - Owner 04/24/2009 22:46.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1215.791 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\afuvarul.ini
c:\windows\system32\alilepoy.ini
c:\windows\system32\asesofuv.ini
c:\windows\system32\difoyuro.dll
c:\windows\system32\donoheju.dll
c:\windows\system32\etuyihof.ini
c:\windows\system32\evotahun.ini
c:\windows\system32\gosamafi.dll
c:\windows\system32\harizepu.dll
c:\windows\system32\hewurogo.dll
c:\windows\system32\irirehap.ini
c:\windows\system32\jebimafo.dll
c:\windows\system32\kuwufopu.dll
c:\windows\system32\moyibini.dll
c:\windows\system32\nuhatove.dll
c:\windows\system32\odakebog.ini
c:\windows\system32\omoluhop.ini
c:\windows\system32\oruyofid.ini
c:\windows\system32\peyeduli.dll
c:\windows\system32\solesara.dll
c:\windows\system32\tiwihivu.dll
c:\windows\system32\tonokule.dll
c:\windows\system32\ukomuruj.ini
c:\windows\system32\urogivik.ini
c:\windows\system32\usebelaw.ini
c:\windows\system32\uvotoluf.ini
c:\windows\system32\wekafije.dll
c:\windows\system32\yozuyosa.dll
c:\windows\Tasks\zvzwzwvs.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-24 16:46 . 2009-04-24 16:46 2713 --sh--w c:\windows\system32\zavikoti.dll
2009-04-24 16:46 . 2009-04-24 16:46 2713 --sh--w c:\windows\system32\vezenija.exe
2009-04-24 16:46 . 2009-04-24 16:46 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-24 16:45 . 2009-04-24 16:45 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-24 16:45 . 2009-04-24 16:45 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-24 05:13 . 2009-04-24 05:13 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-24 05:13 . 2009-04-24 05:13 1409 ----a-w c:\windows\QTFont.for
2009-04-24 01:27 . 2009-04-24 01:27 -------- d-----w c:\program files\Trend Micro
2009-04-23 09:39 . 2009-04-23 09:39 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-23 07:49 . 2009-04-23 07:49 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
2009-04-23 07:48 . 2009-04-23 07:48 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
2009-04-23 07:36 . 2009-04-23 07:36 -------- d-sh--w c:\documents and settings\Owner\IETldCache
2009-04-23 07:28 . 2009-04-23 07:31 -------- dc-h--w c:\windows\ie8
2009-04-23 07:27 . 2009-04-23 07:33 -------- d--h--w c:\windows\msdownld.tmp
2009-04-22 06:01 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-22 06:00 . 2009-04-22 06:00 -------- d-----w c:\program files\Panda Security
2009-04-21 21:39 . 2009-04-21 21:39 -------- d-----w c:\windows\ERUNT
2009-04-21 21:30 . 2009-04-21 21:30 -------- d-----w C:\SDFix
2009-04-17 22:34 . 2009-04-17 23:00 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-17 22:34 . 2009-04-17 22:34 -------- d-----w c:\program files\IObit
2009-04-17 15:40 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-17 04:23 . 2009-04-17 04:23 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-17 04:23 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-17 04:20 . 2009-04-17 04:20 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-17 04:19 . 2009-04-17 04:23 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-17 04:19 . 2009-04-17 04:19 -------- d-----w c:\program files\Lavasoft
2009-04-16 02:24 . 2009-04-16 02:24 1440 --sh--w c:\windows\system32\zadeweve.exe
2009-04-07 03:15 . 2009-04-07 03:20 -------- d-----w c:\program files\MSECache
2009-04-01 02:28 . 2009-04-01 02:28 -------- d-----w c:\program files\Audacity
2009-04-01 02:24 . 2009-04-01 02:24 -------- d-----w c:\program files\Lame for Audacity
2009-04-01 01:45 . 2002-08-23 03:27 348160 ----a-w c:\windows\system32\FlatBtn6.ocx
2009-04-01 01:45 . 2001-12-12 15:35 348160 ----a-w c:\windows\system32\MEnc.ocx
2009-04-01 01:45 . 2009-04-01 01:45 -------- d-----w c:\program files\WAV to MP3 Encoder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 02:41 . 2009-04-17 15:46 2684 ----a-w C:\aaw7boot.log
2009-04-25 02:13 . 2009-02-11 05:35 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-22 04:42 . 2009-01-22 04:42 47104 --sha-w c:\windows\system32\kotafeka.exe
2009-04-21 16:42 . 2009-01-21 16:42 47616 --sha-w c:\windows\system32\kiseluzo.exe
2009-04-19 05:53 . 2008-11-02 02:23 -------- d-----w c:\program files\XAimer
2009-04-19 05:53 . 2009-03-14 00:24 -------- d-----w c:\program files\WMA To MP3 Encoder
2009-04-19 05:52 . 2009-03-14 00:11 -------- d-----w c:\program files\NCH Swift Sound
2009-04-19 05:50 . 2008-05-12 09:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 16:39 . 2009-01-17 16:39 46592 --sha-w c:\windows\system32\vumehijo.exe
2009-04-17 15:43 . 2009-03-23 18:41 -------- d-----w c:\documents and settings\Owner\Application Data\StumbleUpon
2009-04-12 08:44 . 2008-11-03 00:52 -------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-04-09 20:10 . 2008-05-13 23:34 3366 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-04-09 12:51 . 2009-02-11 05:36 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-09 12:51 . 2009-02-11 05:36 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-09 12:51 . 2009-02-11 05:36 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-01 05:47 . 2009-02-11 09:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 20:49 . 2009-02-11 09:47 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 . 2009-02-11 09:47 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-20 18:39 . 2009-03-20 03:46 -------- d-----w c:\documents and settings\Owner\Application Data\Nvu
2009-03-20 03:42 . 2009-03-20 03:42 -------- d-----w c:\program files\Chami
2009-03-14 00:31 . 2009-03-14 00:11 -------- d-----w c:\documents and settings\Owner\Application Data\NCH Swift Sound
2009-03-14 00:14 . 2009-03-14 00:14 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-03-14 00:11 . 2009-03-14 00:11 -------- d-----w c:\program files\NCH Software
2009-03-08 21:38 . 2008-05-13 23:29 -------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-08 08:34 . 2004-08-26 16:12 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-26 16:11 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-26 16:11 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-26 16:12 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-26 16:11 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-26 16:11 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-26 16:11 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-26 16:12 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-26 16:12 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-26 16:12 156160 ----a-w c:\windows\system32\msls31.dll
2008-12-24 17:10 . 2008-05-13 23:34 37656 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-10-19 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-09 12:51 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_mfu_us.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_mfu_us.cmd
backup=c:\windows\pss\run_mfu_us.cmdCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=c:\windows\pss\run_startmenu.cmdCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22749:TCP"= 22749:TCP:BitComet 22749 TCP
"22749:UDP"= 22749:UDP:BitComet 22749 UDP

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-09 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c2de808-f884-11dd-a041-0040ca24bd3f}]
\Shell\Auto\command - F:\Windows.scr
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windows.scr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20e9e9cc-3a6c-11dd-a026-0040ca24bd3f}]
\Shell\Auto\command - F:\Windows.scr
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windows.scr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8eed59f2-15a1-11de-a045-0040ca24bd3f}]
\Shell\Auto\command - F:\Windows.scr
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windows.scr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2008-10-23 c:\windows\Tasks\FRU Task 2002-05-29 22:13ewlett-Packard2002-05-29 22:13p psc 2100 seriesABB26C96242AF9CD6C5FD8FF5E09BD081A04F657216791379.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-05-29 19:13]

2009-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3798786406-2515143057-1228553618-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 20:51]

2009-04-25 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-10-19 08:00]
.
- - - - ORPHANS REMOVED - - - -

BHO-{f53d1331-cced-42a3-a2eb-c8ed74210b08} - c:\windows\system32\kuwufopu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {48F2A482-9555-495A-B50B-55FF7643F127} = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cdw6v0a2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-24 22:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1944)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2009-04-25 22:52
ComboFix-quarantined-files.txt 2009-04-25 02:51

Pre-Run: 11,943,628,800 bytes free
Post-Run: 11,930,918,912 bytes free

243 --- E O F --- 2009-04-25 02:41
  • 0

#4
BHowett
Posted 25 April 2009 - 09:33 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi oktane2006,

please do the following...

Combofix Script.txt

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\zavikoti.dll
c:\windows\system32\vezenija.exe
c:\windows\system32\kotafeka.exe
c:\windows\system32\kiseluzo.exe
c:\windows\system32\vumehijo.exe
Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c2de808-f884-11dd-a041-0040ca24bd3f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{20e9e9cc-3a6c-11dd-a026-0040ca24bd3f}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8eed59f2-15a1-11de-a045-0040ca24bd3f}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#5
oktane2006
Posted 25 April 2009 - 02:36 PM

oktane2006

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Okay.

Here's the Combofix Log:


ComboFix 09-04-25.A3 - Owner 04/25/2009 16:24.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1215.671 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\kiseluzo.exe
c:\windows\system32\kotafeka.exe
c:\windows\system32\vezenija.exe
c:\windows\system32\vumehijo.exe
c:\windows\system32\zavikoti.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kiseluzo.exe
c:\windows\system32\kotafeka.exe
c:\windows\system32\vezenija.exe
c:\windows\system32\vumehijo.exe
c:\windows\system32\zadeweve.exe
c:\windows\system32\zavikoti.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-25 to 2009-4-25 )))))))))))))))))))))))))))))))
.

2009-04-25 07:39 . 2009-04-25 07:39 -------- d-----w c:\windows\LastGood
2009-04-24 16:46 . 2009-04-24 16:46 -------- d-sh--w c:\windows\system32\config\systemprofile\PrivacIE
2009-04-24 16:45 . 2009-04-24 16:45 -------- d-sh--w c:\windows\system32\config\systemprofile\IETldCache
2009-04-24 16:45 . 2009-04-24 16:45 -------- d-----w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Google
2009-04-24 05:13 . 2009-04-24 05:13 54156 ---ha-w c:\windows\QTFont.qfn
2009-04-24 05:13 . 2009-04-24 05:13 1409 ----a-w c:\windows\QTFont.for
2009-04-24 01:27 . 2009-04-24 01:27 -------- d-----w c:\program files\Trend Micro
2009-04-23 09:39 . 2009-04-23 09:39 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-23 07:49 . 2009-04-23 07:49 -------- d-sh--w c:\documents and settings\Owner\IECompatCache
2009-04-23 07:48 . 2009-04-23 07:48 -------- d-sh--w c:\documents and settings\Owner\PrivacIE
2009-04-23 07:36 . 2009-04-23 07:36 -------- d-sh--w c:\documents and settings\Owner\IETldCache
2009-04-23 07:28 . 2009-04-23 07:31 -------- dc-h--w c:\windows\ie8
2009-04-23 07:27 . 2009-04-23 07:33 -------- d--h--w c:\windows\msdownld.tmp
2009-04-22 06:01 . 2008-06-19 20:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-22 06:00 . 2009-04-22 06:00 -------- d-----w c:\program files\Panda Security
2009-04-21 21:39 . 2009-04-21 21:39 -------- d-----w c:\windows\ERUNT
2009-04-21 21:30 . 2009-04-21 21:30 -------- d-----w C:\SDFix
2009-04-17 22:34 . 2009-04-17 23:00 -------- d-----w c:\documents and settings\Owner\Application Data\IObit
2009-04-17 22:34 . 2009-04-17 22:34 -------- d-----w c:\program files\IObit
2009-04-17 15:40 . 2009-03-09 19:06 15688 ----a-w c:\windows\system32\lsdelete.exe
2009-04-17 04:23 . 2009-04-17 04:23 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-17 04:23 . 2009-03-09 19:06 64160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-04-17 04:20 . 2009-04-17 04:20 -------- dc-h--w c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-04-17 04:19 . 2009-04-17 04:23 -------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-04-17 04:19 . 2009-04-17 04:19 -------- d-----w c:\program files\Lavasoft
2009-04-07 03:15 . 2009-04-07 03:20 -------- d-----w c:\program files\MSECache
2009-04-01 02:28 . 2009-04-01 02:28 -------- d-----w c:\program files\Audacity
2009-04-01 02:24 . 2009-04-01 02:24 -------- d-----w c:\program files\Lame for Audacity
2009-04-01 01:45 . 2002-08-23 03:27 348160 ----a-w c:\windows\system32\FlatBtn6.ocx
2009-04-01 01:45 . 2001-12-12 15:35 348160 ----a-w c:\windows\system32\MEnc.ocx
2009-04-01 01:45 . 2009-04-01 01:45 -------- d-----w c:\program files\WAV to MP3 Encoder

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-25 02:41 . 2009-04-17 15:46 2684 ----a-w C:\aaw7boot.log
2009-04-25 02:13 . 2009-02-11 05:35 -------- d-----w c:\documents and settings\All Users\Application Data\avg8
2009-04-19 05:53 . 2008-11-02 02:23 -------- d-----w c:\program files\XAimer
2009-04-19 05:53 . 2009-03-14 00:24 -------- d-----w c:\program files\WMA To MP3 Encoder
2009-04-19 05:52 . 2009-03-14 00:11 -------- d-----w c:\program files\NCH Swift Sound
2009-04-19 05:50 . 2008-05-12 09:16 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 15:43 . 2009-03-23 18:41 -------- d-----w c:\documents and settings\Owner\Application Data\StumbleUpon
2009-04-12 08:44 . 2008-11-03 00:52 -------- d-----w c:\documents and settings\Owner\Application Data\LimeWire
2009-04-09 20:10 . 2008-05-13 23:34 3366 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2009-04-09 12:51 . 2009-02-11 05:36 10520 ----a-w c:\windows\system32\avgrsstx.dll
2009-04-09 12:51 . 2009-02-11 05:36 325640 ----a-w c:\windows\system32\drivers\avgldx86.sys
2009-04-09 12:51 . 2009-02-11 05:36 108552 ----a-w c:\windows\system32\drivers\avgtdix.sys
2009-04-01 05:47 . 2009-02-11 09:47 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-26 20:49 . 2009-02-11 09:47 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 . 2009-02-11 09:47 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-20 18:39 . 2009-03-20 03:46 -------- d-----w c:\documents and settings\Owner\Application Data\Nvu
2009-03-20 03:42 . 2009-03-20 03:42 -------- d-----w c:\program files\Chami
2009-03-14 00:31 . 2009-03-14 00:11 -------- d-----w c:\documents and settings\Owner\Application Data\NCH Swift Sound
2009-03-14 00:14 . 2009-03-14 00:14 -------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-03-14 00:11 . 2009-03-14 00:11 -------- d-----w c:\program files\NCH Software
2009-03-08 21:38 . 2008-05-13 23:29 -------- d-----w c:\documents and settings\Owner\Application Data\AdobeUM
2009-03-08 08:34 . 2004-08-26 16:12 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 . 2004-08-26 16:11 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 . 2004-08-26 16:11 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:33 . 2004-08-26 16:12 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:32 . 2004-08-26 16:11 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 . 2004-08-26 16:11 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 . 2004-08-26 16:11 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:31 . 2004-08-26 16:12 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 . 2004-08-26 16:12 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:22 . 2004-08-26 16:12 156160 ----a-w c:\windows\system32\msls31.dll
2008-12-24 17:10 . 2008-05-13 23:34 37656 ----a-w c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-25_02.49.23 )))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2004-07-12 4112384]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\program files\McAfee\McAfee AntiSpyware\MssShell.dll" [2004-10-19 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-09 12:51 10520 ----a-w c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BigFix.lnk
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=c:\windows\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=c:\windows\pss\officejet 6100.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_mfu_us.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_mfu_us.cmd
backup=c:\windows\pss\run_mfu_us.cmdCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^run_startmenu.cmd]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\run_startmenu.cmd
backup=c:\windows\pss\run_startmenu.cmdCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22749:TCP"= 22749:TCP:BitComet 22749 TCP
"22749:UDP"= 22749:UDP:BitComet 22749 UDP

R3 getPlus® Helper;getPlus® Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2008-08-29 33752]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-03-09 64160]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-09 325640]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-09 108552]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-09 908056]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-09 298264]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-09 951632]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-04-25 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2008-10-23 c:\windows\Tasks\FRU Task 2002-05-29 22:13ewlett-Packard2002-05-29 22:13p psc 2100 seriesABB26C96242AF9CD6C5FD8FF5E09BD081A04F657216791379.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2002-05-29 19:13]

2009-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3798786406-2515143057-1228553618-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-15 20:51]

2009-04-25 c:\windows\Tasks\McAfee AntiSpyware.job
- c:\progra~1\McAfee\MCAFEE~1\McSpy.exe [2004-10-19 08:00]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/?fr=fp-yie8
uInternet Connection Wizard,ShellNext = iexplore
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: {48F2A482-9555-495A-B50B-55FF7643F127} = 68.94.156.1 68.94.157.1
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\cdw6v0a2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-msgr&p=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-25 16:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-25 16:30
ComboFix-quarantined-files.txt 2009-04-25 20:29
ComboFix2.txt 2009-04-25 02:52

Pre-Run: 11,739,648,000 bytes free
Post-Run: 11,781,738,496 bytes free

206 --- E O F --- 2009-04-25 02:41






Here's the Hijack This log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:39 PM, on 4/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...ivex/RACtrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{48F2A482-9555-495A-B50B-55FF7643F127}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{48F2A482-9555-495A-B50B-55FF7643F127}: NameServer = 68.94.156.1 68.94.157.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{48F2A482-9555-495A-B50B-55FF7643F127}: NameServer = 68.94.156.1 68.94.157.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee AntiSpyware\Msssrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Unknown owner - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8595 bytes
  • 0

#6
BHowett
Posted 25 April 2009 - 04:12 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hello again,

How are things running now? Please do the following...


ATF Cleaner

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

===============================================

Malwarebytes' Anti-Malware

I see you have Malwarebytes' Anti-Malware on your system already, lets update it and run it again.
.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
===============================================

Kaspersky WebScanner
please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
===============================================

Please post the Malwarebytes log and the Kaspersky log in your next reply. Also let me know how things are running now :)
  • 0

#7
oktane2006
Posted 26 April 2009 - 12:55 AM

oktane2006

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi. So far things are running fine. I haven't had any pop-ups lately.

Here is the Malware-bytes log:


Malwarebytes' Anti-Malware 1.36
Database version: 2043
Windows 5.1.2600 Service Pack 2

4/26/2009 2:06:22 AM
mbam-log-2009-04-26 (02-06-22).txt

Scan type: Quick Scan
Objects scanned: 73062
Time elapsed: 4 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Here is the Kapersky log:


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, April 26, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, April 26, 2009 00:39:32
Records in database: 2079052
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 110098
Threat name: 5
Infected objects: 14
Suspicious objects: 0
Duration of the scan: 02:55:13


File name / Threat name / Threats count
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-77e3633e.zip Infected: Exploit.Java.Gimsh.a 1
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6d49740a.zip Infected: Exploit.Java.Gimsh.b 1
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\MP085L5F\checkin[1].htm Infected: Trojan-Downloader.VBS.Small.co 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\donoheju.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gosamafi.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\hewurogo.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\jebimafo.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kuwufopu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\moyibini.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\peyeduli.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\solesara.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tiwihivu.dll.vir Infected: Trojan-Downloader.Win32.Agent.bqxc 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tonokule.dll.vir Infected: Trojan.Win32.Monder.bzdz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wekafije.dll.vir Infected: Trojan.Win32.Monder.bzdz 1

The selected area was scanned.
  • 0

#8
BHowett
Posted 26 April 2009 - 10:08 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi oktane2006,

Looks like you have just a few older backed up exploits, everything else found is already in Quarantine and that will be taken care of in my final post with clean up instructions. Please do the following.

OTMoveIt3 by OldTimer

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy everything inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    :Files
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-77e3633e.zip
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6d49740a.zip 
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\MP085L5F\checkin[1].htm
:Reg
:Commands
[purity]
[emptytemp]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  • 0

#9
oktane2006
Posted 26 April 2009 - 11:28 AM

oktane2006

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Her's the OTMoveit3 log:


========== FILES ==========
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-77e3633e.zip moved successfully.
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-6d49740a.zip moved successfully.
C:\My Backup -- 12-05-08 0131\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\MP085L5F\checkin[1].htm moved successfully.
========== REGISTRY ==========
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF126C.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF12BF.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF26F2.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF270D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF278F.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF279A.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2872.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF287D.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF297E.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2989.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2E.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\iframe[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\md[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\Q1_TagCloud_728x90[1].html scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\showMessage[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PPDRF896\aceUAC[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6CO8PXF9\md[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6CO8PXF9\Random-pop-ups-t236807[1].html scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2R9833P2\nc[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_5a4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04262009_131730

Files moved on Reboot...
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF126C.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF12BF.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF26F2.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF270D.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF278F.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF279A.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2872.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF287D.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF297E.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2989.tmp not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\~DF2E.tmp not found!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\iframe[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\md[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\Q1_TagCloud_728x90[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\TAUHQANC\showMessage[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\PPDRF896\aceUAC[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6CO8PXF9\md[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6CO8PXF9\Random-pop-ups-t236807[1].html moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\2R9833P2\nc[1].htm moved successfully.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\2CEDBFBC-DBA8-43AA-B1FD-CC8E6316E3E2.dat moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_5a4.dat not found!
  • 0

#10
BHowett
Posted 26 April 2009 - 11:47 AM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Hi oktane2006,

Well done, your log appears clean :)

Now lets uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /u, it needs to be there.
    Posted Image

===============================================

Click Here to download OTCleanIt
Double-click OTCleanIt.exe to run it.
Click the Clean up button
Click Yes to the reboot.

Now delete any logs that you have left over on your desktop.

===============================================

For some useful tips on staying clean, along with links to some freeware to help, have a look at this page.

To find out more information about how you got infected in the first place, you can read this article.

===============================================

Follow this list and your potential for being infected again will reduce dramatically.

Thanks for letting us help you!
  • 0

#11
oktane2006
Posted 26 April 2009 - 06:33 PM

oktane2006

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
I'm not getting anymore pop-ups now. Thanks for the help. I'll be sure to check out those links.
  • 0

#12
BHowett
Posted 26 April 2009 - 06:53 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
your welcome :)
  • 0

#13
BHowett
Posted 26 April 2009 - 06:53 PM

BHowett

    OT Moderator

  • Moderator
  • 4,649 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP