Strong virus - Cannot run or install antivirus [Solved] - Geeks to Go Forums

Strong virus - Cannot run or install antivirus [Solved] This is seriously affecting my computer

#1 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

  Posted 28 August 2009 - 08:56 PM

Hey everyone, I'm new here but it seems like this may be a great place to seek help.

Yesterday I got a virus that prevents me from downloading or installing or even RUNNING an antivirus program. It even prevents me from clicking on site links in google/yahoo search. To get to sites I have to copy+paste the link or manually type it. I've been experiencing serious problems with my pc due to this virus and I desperately need some assistance.

Thank you very much for your time and help if you choose to. :)

#2 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 29 August 2009 - 09:38 AM

Hello and welcome to Geeks to Go! I'm Dave and I'll be helping you out. Let's get started:

Please go to the GMER Rootkit Scanner Download Site.
  • Click on the Download EXE button.
  • The file you are downloading will have a random name in order to circumvent the attempts of malware to block it from running.
  • Take note of the name of the file (please don't change it), and then save it directly to your desktop.
Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click on the file you downloaded (Vista users please right-click it and select Run as Administrator). The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure that the "Show all" box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity, don't worry.
  • Click Ok.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it to a location where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Then:

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Download and save ComboFix.exe to your desktop from any of the download links provided in the above guide.

Once you have downloaded the file, return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page very carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here. Installing the recovery console if you're running an XP machine is another critical step. By following the directions in that guide closely, you give ComboFix the best chance at a successful run and minimize the likelihood of having potentially serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#3 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 29 August 2009 - 01:32 PM

Hi Dave, and thanks for your time.

I followed the first half of your instructions and ran GMER. I made sure every box but "Show All" was checked and ran a scan. A few minutes into the scan my computer went to a Blue Screen and told me "An attempt was made to write read only memory", and I was forced to reboot.

I didn't follow the next half of the advice because I was not able to complete this step.

EDIT: The problem was caused by the file aujasnkj.sys

#4 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 29 August 2009 - 04:47 PM

It's a good sign that the scan started at least; it may be we just got unlucky there, or something cropped up at the wrong time, so please try the scan one more time as per the instructions above. If that doesn't work, try changing the name of your GMER program to svchost and try running it again. Let me know how that goes.

Cheers,
Dave

#5 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 29 August 2009 - 06:19 PM

Hey Dave, I ran the scan fully, but before I could save the log my computer froze. Since then I have not been able to completely run the scan again, even after renaming the exe file to svchost.

#6 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 29 August 2009 - 07:46 PM

Does the computer unfreeze afterwards, or are you unable to do anything and have to shut it down?

Try running the scan with only the Processes and Show all boxes checked; it should take only a very short time and will help me to get an idea of what is trying to stop the tools from running.

- Dave

#7 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 30 August 2009 - 10:48 AM

Here is the log:

GMER 1.0.15.15077 [svchost.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:47:55
Windows 5.1.2600 Service Pack 3


---- Processes - GMER 1.0.15 ----

Process System Idle 0
Process System 4
Process C:\WINDOWS\msb.exe 216
Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 376
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 548
Process C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe (Apple Mobile Device Service/Apple Inc.) 644
Process C:\WINDOWS\explorer.exe (Windows Explorer/Microsoft Corporation) 656
Process C:\Program Files\Bonjour\mDNSResponder.exe (Bonjour Service/Apple Inc.) 672
Process C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe (System Level Service Utility/Creative Labs) 716
Process C:\WINDOWS\system32\CTSVCCDA.EXE (Creative Service for CDROM Access/Creative Technology Ltd) 772
Process C:\Program Files\Unlocker\UnlockerAssistant.exe 880
Process C:\Program Files\Dell\QuickSet\quickset.exe (QuickSet/Dell Inc) 892
Process C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (ZeroCfgSvc MFC Application/Intel Corporation) 896
Process C:\WINDOWS\system32\smss.exe (Windows NT Session Manager/Microsoft Corporation) 920
Process C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Framework MFC Application/Intel Corporation) 940
Process C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (GrooveMonitor Utility/Microsoft Corporation) 948
Process C:\WINDOWS\system32\imapi.exe (Image Mastering API/Microsoft Corporation) 956
Process C:\Program Files\Dell Network Assistant\hnm_svc.exe (Advanced Networking Service/SingleClick Systems) 976
Process C:\WINDOWS\system32\csrss.exe (Client Server Runtime Process/Microsoft Corporation) 992
Process C:\WINDOWS\system32\winlogon.exe (Windows NT Logon Application/Microsoft Corporation) 1024
Process C:\WINDOWS\system32\services.exe (Services and Controller app/Microsoft Corporation) 1076
Process C:\WINDOWS\system32\savedump.exe (Windows NT Save Dump Utility/Microsoft Corporation) 1088
Process C:\WINDOWS\system32\lsass.exe (LSA Shell (Export Version)/Microsoft Corporation) 1096
Process C:\WINDOWS\system32\ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 1296
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1316
Process C:\Program Files\iTunes\iTunesHelper.exe (iTunesHelper Module/Apple Inc.) 1428
Process C:\WINDOWS\system32\HPZipm12.exe (PML Driver/HP) 1432
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1488
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1540
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1584
Process C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe (Intel® PROSet/Wireless Registry Service/Intel Corporation) 1664
Process C:\Program Files\Intel\Wireless\Bin\EvtEng.exe (Intel® PROSet/Wireless Event Log/Intel Corporation) 1696
Process C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks Scheduler/RealNetworks, Inc.) 1712
Process C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe (Wireless Management Service/Intel Corporation ) 1752
Process C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (WLANKEEPER/Intel® Corporation) 1808
Process C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe (Intel 802.1x Server/Intel Corporation) 1864
Process C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe (Virtual CloneDrive Daemon/Elaborate Bytes AG) 1876
Process C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics TouchPad Enhancements/Synaptics, Inc.) 1888
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1892
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1932
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 1952
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 2008
Process C:\WINDOWS\system32\wbem\wmiprvse.exe (WMI/Microsoft Corporation) 2024
Process C:\WINDOWS\ehome\mcrdsvc.exe (MCRD Device Service/Microsoft Corporation) 2092
Process C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe (Java™ Platform SE binary/Sun Microsystems, Inc.) 2304
Process C:\WINDOWS\stsystra.exe (Sigmatel Audio system tray application/SigmaTel, Inc.) 2332
Process C:\WINDOWS\system32\rundll32.exe (Run a DLL as an App/Microsoft Corporation) 2356
Process C:\WINDOWS\system32\ctfmon.exe (CTF Loader/Microsoft Corporation) 2784
Process C:\Documents and Settings\Jed\Desktop\svchost.exe 3520
Process C:\WINDOWS\system32\ati2evxx.exe (ATI External Event Utility EXE Module/ATI Technologies Inc.) 3892
Process C:\Program Files\iPod\bin\iPodService.exe (iPodService Module/Apple Inc.) 4024
Process C:\DOCUME~1\Jed\LOCALS~1\temp\a.exe 4040

---- EOF - GMER 1.0.15 ----
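
Dave asked for a Processes-only scan to see what is blocking the tools, and the list above is what a helper then reads by eye. As an added example (not from the thread, and not GMER's own code), here is a Python review of that kind of process list, run over a constructed excerpt of the log above: it flags processes with no vendor description, ones running from temp or user-profile directories, and core system process names running from the wrong directory. The Desktop svchost.exe it flags is the renamed scanner itself, as the thread explains, so the output is a list of leads for a reviewer, not verdicts.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the format of the GMER 1.0.15 "---- Processes ----"
# section posted above (entries and PIDs as listed there).
SAMPLE_LOG = r"""GMER 1.0.15.15077 [svchost.exe] - http://www.gmer.net
Rootkit scan 2009-08-30 12:47:55
Windows 5.1.2600 Service Pack 3

---- Processes - GMER 1.0.15 ----

Process System Idle 0
Process System 4
Process C:\WINDOWS\msb.exe 216
Process C:\WINDOWS\system32\spoolsv.exe (Spooler SubSystem App/Microsoft Corporation) 376
Process C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation) 548
Process C:\Program Files\Unlocker\UnlockerAssistant.exe 880
Process C:\WINDOWS\system32\ctfmon.exe (CTF Loader/Microsoft Corporation) 2784
Process C:\Documents and Settings\Jed\Desktop\svchost.exe 3520
Process C:\DOCUME~1\Jed\LOCALS~1\temp\a.exe 4040

---- EOF - GMER 1.0.15 ----
"""

# Core Windows XP processes and the directory each is expected to run from.
# A process carrying one of these names from anywhere else deserves a look.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# GMER prints "Process <path> [(description/vendor)] <pid>".
LINE_RE = re.compile(r"^Process (.+?)(?: \((.+)\))? (\d+)$")


@dataclass
class Finding:
    pid: int
    path: str
    reasons: list = field(default_factory=list)


def parse_processes(log: str):
    """Yield (path, description-or-None, pid) for each Process line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path, desc, pid = m.groups()
            yield path, desc, int(pid)


def _normalize(path: str) -> str:
    """Lower-case the path and expand the 8.3 short names GMER prints."""
    p = path.lower()
    p = p.replace(r"c:\docume~1", r"c:\documents and settings")
    p = p.replace(r"\locals~1", r"\local settings")
    return p


def review_processes(log: str):
    """Return Findings for processes worth a second look, in log order."""
    findings = []
    for path, desc, pid in parse_processes(log):
        if "\\" not in path:  # "System", "System Idle": kernel pseudo-processes
            continue
        p = _normalize(path)
        directory, _, name = p.rpartition("\\")
        reasons = []
        if desc is None:
            reasons.append("no version/vendor information")
        if "\\temp\\" in p:
            reasons.append("runs from a temp directory")
        elif p.startswith("c:\\documents and settings\\"):
            reasons.append("runs from a user profile directory")
        elif directory == r"c:\windows" and desc is None:
            reasons.append("undescribed executable directly in the Windows directory")
        expected = EXPECTED_DIR.get(name)
        if expected is not None and directory != expected:
            reasons.append(f"system process name running outside {expected}")
        if reasons:
            findings.append(Finding(pid, path, reasons))
    return findings


if __name__ == "__main__":
    for f in review_processes(SAMPLE_LOG):
        print(f"PID {f.pid:>5}  {f.path}")
        for r in f.reasons:
            print(f"           - {r}")
```

UnlockerAssistant.exe is flagged only because it reports no vendor string; a known legitimate program with that trait is exactly the kind of lead the reviewer then dismisses.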

#8 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 30 August 2009 - 11:33 AM

Alright try this for me:

1. ComboFix

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to svchost. This name is important and must be exactly as I have given it to you here. Once you have changed the name, save the renamed file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page very carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here. Installing the recovery console if you're running an XP machine is another critical step. By following the directions in that guide closely, you give ComboFix the best chance at a successful run and minimize the likelihood of having potentially serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

Cheers,
Dave

#9 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 30 August 2009 - 11:46 AM

ComboFix did not run - I saved it as svchost.exe when downloading, then ran the program with no other programs on. The program loaded and a blue dialogue box opened but was closed quickly. The file was changed from svchost.exe to ComboFix.exe automatically and it became a read-only file.

#10 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 30 August 2009 - 12:28 PM

Okay please delete your current copy of ComboFix and download and rename a fresh one just like you did with this one. Then boot into safe mode and try running it from there.

#11 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 30 August 2009 - 12:55 PM

The same thing happened as before. Now I am infected with false antivirus programs. Whenever I click a program such as Firefox they tell me it is "infected" and I cannot access the program. I also cannot run task manager or search for the programs on my hard drive using the search function. I am running my pc in safe mode with networking right now. If it helps I have had the windows recovery console installed on my pc for some months now.

Edit: I was able to run a near full GMER scan in safe mode; it did encounter a problem and exited eventually, but I took screenshots of items it had found that were highlighted in red.

#12 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 31 August 2009 - 06:59 AM

Does the GMER scan stall for you at the same point each time? Try running it again and see if there's a common point that it stops at each time: what is it scanning when it encounters problems and exits?

I know you're probably tired of trying to run ComboFix by this point, but believe it or not there's still at least one more variation we can try. Please delete all copies of ComboFix on your PC, as well as the folders C:\ComboFix and C:\Qoobox if they exist. Then try these instructions, first in normal mode if you can access it and then if normal mode fails in safe mode or safe mode with networking.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Click on any of the links at that website to download ComboFix. At the window that appears, please change the name of the file from ComboFix to svchost.com. This name is important and must be exactly as I have given it to you here, including the .com file extension. After changing the name, click on the drop down menu for the box labeled Save as type: and change it to All files. Once you made these changes, save the file directly to your desktop.

Return to the above link and continue with the instructions provided there for running ComboFix. Be sure that you read ALL of the instructions on that page carefully and follow them exactly. It is particularly important to disable all your protection programs before running ComboFix. If you need further help figuring out how to disable a specific program look here for instructions. Installing the recovery console if you're running an XP machine is another critical step. Although these preliminary steps may seem unnecessary, by following the directions in that guide closely you give ComboFix the best possible chance at a successful run and minimize the likelihood of having serious problems occur after an attempted removal of malware.

Once the program has finished running its log should pop up automatically, or if for some reason you lose it, it can be found at C:\ComboFix.txt. Please post the log's contents in your next reply.

So let me know how that goes; if you can get me those GMER screenshots you mentioned (upload to any photo-sharing site), that might be of help.

- Dave

#13 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 31 August 2009 - 02:57 PM

Hot [bleep]! ComboFix worked!
Here's the log:

ComboFix 09-08-31.03 - Jed 08/31/2009 16:25.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.703 [GMT -4:00]
Running from: c:\documents and settings\Jed\Desktop\svchost.com.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\98036706.ini
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\fyblb.exe
c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\ANTI_files.exe
c:\windows\braviax.exe
c:\windows\cru629.dat
c:\windows\Installer\2064737.msi
c:\windows\msa.exe
c:\windows\msb.exe
c:\windows\run.log
c:\windows\system32\_scui.cpl
c:\windows\system32\braviax.exe
c:\windows\system32\cru629.dat
c:\windows\system32\Data
c:\windows\system32\dllcache\beep.sys
c:\windows\system32\drivers\kbiwkmkowxrdlt.sys
c:\windows\system32\drivers\UACtbbodsvxqw.sys
c:\windows\system32\kbiwkmeipxuruj.dll
c:\windows\system32\kbiwkmmrguvpir.dll
c:\windows\system32\kbiwkmnssrpdwk.dat
c:\windows\system32\kbiwkmrwabwuxf.dat
c:\windows\system32\kedisuzo.exe
c:\windows\system32\minix32.exe
c:\windows\system32\net.net
c:\windows\system32\samadehi.dll
c:\windows\system32\sorujome.dll
c:\windows\system32\tajf83ikdmf.dll
c:\windows\system32\tatunulo.dll
c:\windows\system32\UACamlxfpbrvs.db
c:\windows\system32\UACbutpwgipmy.dat
c:\windows\system32\UACerrfwortam.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjxaqpimhxw.dll
c:\windows\system32\UACntaovlwipl.dll
c:\windows\system32\UACpsydadvuiq.dll
c:\windows\system32\UACvvwqvaoywt.dll
c:\windows\system32\wisdstr.exe

----- BITS: Possible infected sites -----

hxxp://193.33.61.160
hxxp://82.98.231.96
Infected copy of c:\windows\system32\drivers\beep.sys was found and disinfected
Restored copy from - c:\i386\beep.sys

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\logevent.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_kbiwkmqjwftyxv
-------\Legacy_kbiwkmqjwftyxv
-------\Service_UACd.sys
-------\Legacy_UACd.sys
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-30 01:06 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\60e5440.dll
2009-08-30 01:06 . 2008-04-14 00:12 82432 ---h-tw- c:\windows\system32\41ea83f.dll
2009-08-30 01:02 . 2009-08-30 01:02 -------- d-----w- c:\documents and settings\Jed\Local Settings\Application Data\Runscanner.net
2009-08-30 00:57 . 2009-08-30 01:02 -------- d-----w- C:\Runscanner
2009-08-29 23:33 . 2009-08-29 23:33 21504 ----a-w- C:\emxtqjit.exe
2009-08-29 23:33 . 2009-08-29 23:33 48640 ----a-w- C:\blyuwrjl.exe
2009-08-29 04:47 . 2009-08-29 04:48 -------- d-s---w- C:\go
2009-08-29 00:57 . 2009-08-29 00:57 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2009-08-29 00:57 . 2009-08-29 00:57 80400 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2009-08-29 00:57 . 2009-08-29 00:57 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\rollback\patch\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2009-08-29 00:57 . 2009-08-29 00:57 109072 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd3.dll
2009-08-29 00:57 . 2009-08-29 00:57 59920 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\mzvkbd.dll
2009-08-29 00:57 . 2009-08-29 00:57 264720 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab\AVP9\Data\Updater\Temporary Files\temporaryFolder\AutoPatches\kav9exec\9.0.0.459\klwtbbho.dll
2009-08-29 00:53 . 2009-08-29 00:53 94643 ----a-w- c:\windows\system32\drivers\klick.dat
2009-08-29 00:53 . 2009-08-29 00:53 105395 ----a-w- c:\windows\system32\drivers\klin.dat
2009-08-29 00:52 . 2009-08-29 00:52 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-29 00:52 . 2009-08-29 00:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2009-08-28 19:06 . 2009-08-28 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-08-28 04:13 . 2009-08-28 04:13 97616 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 00:14 . 2009-08-28 03:08 -------- d-----w- c:\documents and settings\Jed\.housecall6.6
2009-08-27 23:31 . 2009-08-27 23:31 -------- d-----w- c:\program files\Alwil Software
2009-08-27 21:10 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:10 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 20:37 . 2009-08-27 20:41 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 19:55 . 2009-08-27 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-27 19:20 . 2009-08-27 19:20 -------- d-----w- C:\spoolerlogs
2009-08-26 05:32 . 2009-08-26 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-26 02:00 . 2009-08-26 02:00 -------- d-sh--w- C:\found.000
2009-08-20 01:41 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-08-20 01:41 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-20 01:41 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-20 01:41 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-13 02:44 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 03:55 . 2009-08-06 03:55 625728 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 21:17 . 2009-08-02 21:17 -------- d-----w- c:\documents and settings\Jed\Local Settings\Application Data\Broad Intelligence
2009-08-02 21:14 . 2009-08-11 23:33 -------- d-----w- c:\documents and settings\Jed\Application Data\Broad Intelligence

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 20:20 . 2005-08-16 09:18 56320 ----a-w- c:\windows\system32\eventlog.dll
2009-08-30 20:02 . 2008-05-04 00:59 -------- d-----w- c:\documents and settings\Jed\Application Data\gtk-2.0
2009-08-30 17:44 . 2009-05-30 17:44 209408 --sha-w- c:\windows\system32\nijufagi.dll
2009-08-30 17:44 . 2009-05-30 17:44 209408 --sha-w- c:\windows\system32\zakanilu.dll
2009-08-30 17:24 . 2008-05-09 19:37 -------- d-----w- c:\program files\Steam
2009-08-29 04:14 . 2008-09-20 00:31 -------- d-----w- c:\documents and settings\Jed\Application Data\Skype
2009-08-29 04:04 . 2008-05-28 21:15 -------- d-----w- c:\documents and settings\Jed\Application Data\skypePM
2009-08-29 00:47 . 2009-04-11 21:58 -------- d-----w- c:\program files\Windows Defender
2009-08-28 02:41 . 2008-04-09 20:35 -------- d-----w- c:\documents and settings\Jed\Application Data\LimeWire
2009-08-27 21:00 . 2008-11-06 23:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-27 19:10 . 2009-08-27 19:10 889376 ----a-w- c:\windows\system32\xa.tmp
2009-08-27 03:47 . 2008-07-19 02:09 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-08-27 03:41 . 2008-07-19 02:09 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-08-27 03:41 . 2008-07-19 02:09 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-08-27 03:41 . 2008-07-19 02:09 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-08-27 03:41 . 2008-07-19 02:09 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-08-27 03:41 . 2008-07-19 02:09 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-08-27 02:37 . 2009-05-04 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-08-26 05:43 . 2009-07-03 15:14 355392 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-08-26 05:43 . 2009-07-03 15:14 179264 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-08-26 05:40 . 2009-07-03 15:06 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-26 05:40 . 2009-07-03 15:06 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-26 05:39 . 2009-07-03 15:14 874660 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-08-26 05:39 . 2009-07-03 15:14 57344 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-08-26 05:39 . 2009-07-03 15:14 2661440 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-08-26 05:32 . 2009-07-03 15:05 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-26 05:32 . 2009-07-03 15:05 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-25 01:24 . 2008-09-20 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-21 08:30 . 2008-04-16 23:03 -------- d-----w- c:\program files\MediaCoder
2009-08-21 07:45 . 2009-03-18 22:08 -------- d-----w- c:\documents and settings\Jed\Application Data\uTorrent
2009-08-20 23:17 . 2008-05-14 19:46 -------- d-----w- c:\program files\Warcraft III
2009-08-15 00:24 . 2008-07-07 21:29 34 ----a-w- c:\documents and settings\Jed\jagex_runescape_preferences.dat
2009-08-12 01:45 . 2008-05-14 19:51 78272 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:22 . 2009-08-01 04:57 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-08-04 02:13 . 2009-08-01 04:57 -------- d-----w- c:\documents and settings\Jed\Application Data\Crayon Physics Deluxe
2009-08-01 20:03 . 2009-08-01 20:03 -------- d-----w- c:\program files\[bleep] NFO Viewer
2009-07-24 09:33 . 2008-05-10 23:36 -------- d-----w- c:\program files\World of Warcraft
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 15:52 . 2009-07-09 15:52 59976 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Anti-Virus 2010 9.0.0.463\English\setup.exe
2009-07-06 18:01 . 2009-07-06 18:01 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
2009-07-03 19:48 . 2009-07-03 19:48 219664 ----a-w- c:\windows\system32\klogon.dll
2009-07-03 19:45 . 2009-07-03 19:45 27507 ----a-w- c:\windows\system32\drivers\klopp.dat
2009-07-03 15:30 . 2009-07-03 15:14 449600 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-07-03 15:28 . 2009-07-03 15:14 479232 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-07-03 15:14 . 2009-07-03 15:14 57344 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbags.dll
2009-07-03 15:14 . 2009-07-03 15:14 874660 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-07-03 15:11 . 2009-07-03 15:11 -------- d-----w- c:\documents and settings\Jed\Application Data\id Software
2009-07-03 15:08 . 2009-07-03 15:06 22328 ----a-w- c:\documents and settings\Jed\Application Data\PnkBstrK.sys
2009-07-03 15:08 . 2009-07-03 15:06 22328 ----a-w- c:\documents and settings\Jed\Application Data\PnkBstrK.sys
2009-06-29 16:12 . 2005-08-16 09:18 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2005-08-16 09:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 09:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 09:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 09:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 18:01 . 2009-06-15 18:01 128016 ----a-w- c:\windows\system32\drivers\kl1.sys
2009-06-13 18:47 . 2008-04-19 20:56 97616 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 12:31 . 2005-08-16 09:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 09:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-08-16 09:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 09:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 09:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-11-05 22:02 . 2008-10-26 03:28 53486 ----a-w- c:\program files\readme.txt
2005-06-10 02:15 . 2008-10-26 03:28 20339 ----a-w- c:\program files\mapadd.txt
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-05-31 09:44 . 2009-05-31 09:44 18432 --sha-w- c:\windows\system32\badaliyo.dll
2009-05-31 09:44 . 2009-05-31 09:44 9216 --sha-w- c:\windows\system32\badaliyo.exe
2009-05-31 09:44 . 2009-05-31 09:44 26624 --sha-w- c:\windows\system32\pihenedo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPM673c03d1"="c:\windows\system32\zakanilu.dll" [2009-08-30 209408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\zakanilu.dll" [2009-08-30 209408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zakanilu.dll [2009-08-30 209408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-28 19:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jed^Start Menu^Programs^Startup^Axis & Allies Registration.lnk]
path=c:\documents and settings\Jed\Start Menu\Programs\Startup\Axis & Allies Registration.lnk
backup=c:\windows\pss\Axis & Allies Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jed^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jed\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xvortex_10\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xvortex_10\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xvortex_10\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\ytbb.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3724:TCP"= 3724:TCP:Blizzard Downloader
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57750:TCP"= 57750:TCP:Pando Media Booster
"57750:UDP"= 57750:UDP:Pando Media Booster
"57268:TCP"= 57268:TCP:Pando Media Booster
"57268:UDP"= 57268:UDP:Pando Media Booster

S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [9/25/2007 10:59 AM 15152]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 14:09]

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{85f0466c-a2c6-487c-9120-c3814d3904ae} - c:\windows\system32\tatunulo.dll
HKLM-Run-ravibofibi - c:\windows\system32\sorujome.dll
HKLM-Run-PC Antispyware 2010 - c:\program files\PC_Antispyware2010\PC_Antispyware2010.exe
HKU-Default-Run-minix32 - c:\windows\system32\minix32.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {4D73EC32-350A-4423-87DC-253717294F8D} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Jed\Application Data\Mozilla\Firefox\Profiles\8w1wn5zk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Jed\Application Data\Mozilla\Firefox\Profiles\8w1wn5zk.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Jed\Application Data\Mozilla\Firefox\Profiles\8w1wn5zk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 16:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1052)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3932)
c:\windows\system32\WININET.dll
c:\windows\system32\zakanilu.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-08-31 16:54 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 20:54

Pre-Run: 47,814,643,712 bytes free
Post-Run: 49,227,087,872 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
355 --- E O F --- 2009-08-28 14:46

#14 Transience

  • Group: Retired Staff
  • Posts: 2,448
  • Joined: 11-July 07

Posted 31 August 2009 - 03:23 PM

Hello -

Excellent that that ran, it sure took care of a lot. Quick heads-up for you before we continue:

I see you're using or have in the past used p2p software such as LimeWire and uTorrent. Although p2p programs are not usually malware in their own right, oftentimes malware is installed alongside them. Even if the program is clean, people often upload infected files to be shared using these programs, and it is very easy to end up compromising your PC. It's your decision about whether or not you use p2p programs; you don't have to remove them to be deemed clean and I'll still give you help if you want to keep them. It's just important that you're aware of the risks, which are serious and very real. If you want to continue using p2p programs that's your decision, all I ask is that you not download anything from them until you're clean so we aren't taking steps backwards here. To remove p2p programs if you wish to do so, uninstall them from the Add/Remove Programs (it's Programs and Features in Vista) menu of your Control Panel.

Some leftovers still to take care of:

1. Run a ComboFix script
  • Copy the entire contents of the code box below to notepad (Start > Programs > Accessories > Notepad).
  • Click on File > Save and name the file CFScript.txt. This name is important and must not be changed.
  • Change the Save as Type to All Files.
  • Save it directly on your desktop.

KillAll::

File::
c:\windows\system32\60e5440.dll
c:\windows\system32\41ea83f.dll
C:\emxtqjit.exe
C:\blyuwrjl.exe
c:\windows\system32\drivers\klick.dat
c:\windows\system32\nijufagi.dll
c:\windows\system32\zakanilu.dll
c:\windows\system32\xa.tmp
c:\windows\system32\badaliyo.dll
c:\windows\system32\badaliyo.exe
c:\windows\system32\pihenedo.dll

DirLook::
C:\go

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPM673c03d1"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"=-

SysRst::

Note: If you are not the topic starter, DO NOT download or run this script as it could cause irreversible damage to your computer.

Please note that the same procedure applies to running ComboFix this time as before - disable your protection programs beforehand, close all other programs, don't interrupt it for any reason etc.


Once the script is saved, referring to the picture above, drag CFScript.txt into ComboFix.exe. This will cause ComboFix to start again. Allow it to complete running, following any prompts. Once the program has completed the log should appear automatically, if it doesn't it can be found at C:\ComboFix.txt. Please post the contents of that log in your next reply.

Cheers,
Dave
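The security-relevant pattern in the log above is worth spelling out: the same DLL (zakanilu.dll) is registered three times, under HKLM\...\Run, under SharedTaskScheduler and under ShellServiceObjectDelayLoad (SSODL). The latter two are loaded by explorer.exe itself, which is why the DLL shows up under explorer.exe in the "DLLs Loaded Under Running Processes" section and why the user could not run antivirus tools. Alongside that, the Security Center "DisableMonitoring"/"UpdatesDisableNotify" values and "EnableFirewall"= 0 show the infection switched protection off. The helper's Registry:: stanza removes the three autostart values; the script below is an added example (not part of this thread, not ComboFix's code and not the helper's script) that triages a ComboFix log offline the same way: it flags autostart entries whose target appears in the file listing with hidden+system attributes (the --sha-w- field), flags the protection-tampering values, and emits the matching Registry:: stanza in CFScript syntax. The hidden+system heuristic and the tamper value list are assumptions of this example, and SAMPLE_LOG is constructed to mirror the thread's log format.

```python
"""Offline triage of a ComboFix log (added example for this thread; not
ComboFix's code). Heuristics are assumptions: an autostart entry is flagged
when its target is listed with the system+hidden attributes, and a short list
of Security Center / firewall values is treated as tampering."""
import re

# Constructed sample in ComboFix's layout: file listing, then Reg Loading Points.
SAMPLE_LOG = r"""
2009-05-31 09:44 . 2009-05-31 09:44 18432 --sha-w- c:\windows\system32\badaliyo.dll
2009-08-30 01:00 . 2009-08-30 01:00 209408 --sha-w- c:\windows\system32\zakanilu.dll
2009-06-12 12:31 . 2005-08-16 09:18 76288 ----a-w- c:\windows\system32\telnet.exe
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CPM673c03d1"="c:\windows\system32\zakanilu.dll" [2009-08-30 209408]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\zakanilu.dll" [2009-08-30 209408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zakanilu.dll [2009-08-30 209408]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# File listing line: two timestamps, size (or dashes), 8-char attribute field, path.
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+(\S{8})\s+(.+?)\s*$")
KEY_RE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...] section header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "name"=data
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]+?\.(?:dll|exe|sys)', re.IGNORECASE)

# Key substrings treated as autostart locations (Run/RunOnce, STS, SSODL).
AUTOSTART_KEYS = ("\\currentversion\\run", "sharedtaskscheduler",
                  "shellserviceobjectdelayload")
# value name -> data prefix meaning "protection switched off" (assumed list).
TAMPER_VALUES = {"disablemonitoring": "dword:00000001",
                 "updatesdisablenotify": "dword:00000001",
                 "enablefirewall": "0"}


def hidden_system_files(log_text):
    """Lower-cased paths whose attribute field has both 's' and 'h' set (--sha-w-)."""
    found = set()
    for line in log_text.splitlines():
        m = FILE_RE.match(line)
        if m and m.group(1)[2:4] == "sh":
            found.add(m.group(2).lower())
    return found


def parse_reg_points(log_text):
    """Yield (key, value_name, data) for every "name"=data line under a [key]."""
    key = None
    for line in log_text.splitlines():
        km = KEY_RE.match(line)
        if km:
            key = km.group(1)
            continue
        vm = VALUE_RE.match(line)
        if vm and key is not None:
            yield key, vm.group(1), vm.group(2)


def analyze(log_text):
    """Return findings: autostart values loading hidden+system files, and tampering."""
    hidden = hidden_system_files(log_text)
    findings = []
    for key, name, data in parse_reg_points(log_text):
        if any(k in key.lower() for k in AUTOSTART_KEYS):
            pm = PATH_RE.search(data)
            if pm and pm.group(0).lower() in hidden:
                findings.append({"kind": "autostart-hidden", "key": key,
                                 "name": name, "path": pm.group(0)})
        prefix = TAMPER_VALUES.get(name.lower())
        if prefix is not None and data.strip().startswith(prefix):
            findings.append({"kind": "security-tamper", "key": key,
                             "name": name, "path": None})
    return findings


def cfscript_registry_stanza(findings):
    """Registry:: stanza in CFScript syntax; "name"=- deletes that value."""
    lines = ["Registry::"]
    for f in findings:
        if f["kind"] == "autostart-hidden":
            lines.append("[%s]" % f["key"])
            lines.append('"%s"=-' % f["name"])
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["kind"], f["key"], f["name"], f["path"] or "")
    print(cfscript_registry_stanza(found))
```

Run as-is it prints three autostart-hidden findings (all pointing at zakanilu.dll), three security-tamper findings, and a Registry:: stanza identical in shape to the one in the post above. The tamper values are reported but deliberately not queued for deletion: the correct fix for those is to re-enable the antivirus and the Windows Firewall once the machine is clean, and a helper should review any generated stanza before it goes into CFScript.txt. The hidden+system heuristic is only one signal; a payload that is not marked hidden, or that is loaded through a BHO rather than these three keys, would not be flagged by it.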

#15 bebop10

  • Group: Member
  • Posts: 20
  • Joined: 29-June 09

Posted 31 August 2009 - 04:06 PM

I hope it is fine but before your reply I ran a Quick MalwareBytes scan. I've saved the log from it in case.
Here is the next log:

ComboFix 09-08-31.03 - Jed 08/31/2009 17:38.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.638 [GMT -4:00]
Running from: c:\documents and settings\Jed\Desktop\svchost.com.exe
Command switches used :: c:\documents and settings\Jed\Desktop\CFScript.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}

FILE ::
"C:\blyuwrjl.exe"
"C:\emxtqjit.exe"
"c:\windows\system32\41ea83f.dll"
"c:\windows\system32\60e5440.dll"
"c:\windows\system32\badaliyo.dll"
"c:\windows\system32\badaliyo.exe"
"c:\windows\system32\drivers\klick.dat"
"c:\windows\system32\nijufagi.dll"
"c:\windows\system32\pihenedo.dll"
"c:\windows\system32\xa.tmp"
"c:\windows\system32\zakanilu.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blyuwrjl.exe
C:\emxtqjit.exe
c:\windows\system32\41ea83f.dll
c:\windows\system32\60e5440.dll
c:\windows\system32\badaliyo.exe
c:\windows\system32\xa.tmp

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-31 )))))))))))))))))))))))))))))))
.

2009-08-30 01:02 . 2009-08-30 01:02 -------- d-----w- c:\documents and settings\Jed\Local Settings\Application Data\Runscanner.net
2009-08-30 00:57 . 2009-08-30 01:02 -------- d-----w- C:\Runscanner
2009-08-29 04:47 . 2009-08-29 04:48 -------- d-s---w- C:\go
2009-08-29 00:52 . 2009-08-29 00:52 -------- d-----w- c:\program files\Kaspersky Lab
2009-08-28 04:13 . 2009-08-28 04:13 97616 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-28 00:14 . 2009-08-28 03:08 -------- d-----w- c:\documents and settings\Jed\.housecall6.6
2009-08-27 23:31 . 2009-08-27 23:31 -------- d-----w- c:\program files\Alwil Software
2009-08-27 21:10 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-27 21:10 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-27 20:37 . 2009-08-27 20:41 -------- d-----w- c:\program files\Windows Live Safety Center
2009-08-27 19:55 . 2009-08-27 19:55 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-08-27 19:20 . 2009-08-27 19:20 -------- d-----w- C:\spoolerlogs
2009-08-26 05:32 . 2009-08-26 05:32 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2009-08-26 02:00 . 2009-08-26 02:00 -------- d-sh--w- C:\found.000
2009-08-20 01:41 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-08-20 01:41 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-20 01:41 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-20 01:41 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-13 02:44 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 03:55 . 2009-08-06 03:55 625728 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-02 21:17 . 2009-08-02 21:17 -------- d-----w- c:\documents and settings\Jed\Local Settings\Application Data\Broad Intelligence
2009-08-02 21:14 . 2009-08-11 23:33 -------- d-----w- c:\documents and settings\Jed\Application Data\Broad Intelligence

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-31 20:20 . 2005-08-16 09:18 56320 ------w- c:\windows\system32\eventlog.dll
2009-08-30 20:02 . 2008-05-04 00:59 -------- d-----w- c:\documents and settings\Jed\Application Data\gtk-2.0
2009-08-30 17:24 . 2008-05-09 19:37 -------- d-----w- c:\program files\Steam
2009-08-29 04:14 . 2008-09-20 00:31 -------- d-----w- c:\documents and settings\Jed\Application Data\Skype
2009-08-29 04:04 . 2008-05-28 21:15 -------- d-----w- c:\documents and settings\Jed\Application Data\skypePM
2009-08-29 00:47 . 2009-04-11 21:58 -------- d-----w- c:\program files\Windows Defender
2009-08-28 02:41 . 2008-04-09 20:35 -------- d-----w- c:\documents and settings\Jed\Application Data\LimeWire
2009-08-27 21:00 . 2008-11-06 23:47 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-27 03:47 . 2008-07-19 02:09 90112 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
2009-08-27 03:41 . 2008-07-19 02:09 393216 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMResource.dll
2009-08-27 03:41 . 2008-07-19 02:09 258352 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\unicows.dll
2009-08-27 03:41 . 2008-07-19 02:09 118784 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\nxgameus.dll
2009-08-27 03:41 . 2008-07-19 02:09 561152 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGMDll.dll
2009-08-27 03:41 . 2008-07-19 02:09 167936 ----a-w- c:\documents and settings\All Users\Application Data\NexonUS\NGM\NGM.exe
2009-08-27 02:37 . 2009-05-04 19:39 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-08-26 05:43 . 2009-07-03 15:14 355392 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2009-08-26 05:43 . 2009-07-03 15:14 179264 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2009-08-26 05:40 . 2009-07-03 15:06 138944 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-26 05:40 . 2009-07-03 15:06 189784 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-08-26 05:39 . 2009-07-03 15:14 874660 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbcl.dll
2009-08-26 05:39 . 2009-07-03 15:14 57344 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbag.dll
2009-08-26 05:39 . 2009-07-03 15:14 2661440 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2009-08-26 05:32 . 2009-07-03 15:05 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-08-26 05:32 . 2009-07-03 15:05 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2009-08-25 01:24 . 2008-09-20 01:40 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-21 08:30 . 2008-04-16 23:03 -------- d-----w- c:\program files\MediaCoder
2009-08-21 07:45 . 2009-03-18 22:08 -------- d-----w- c:\documents and settings\Jed\Application Data\uTorrent
2009-08-20 23:17 . 2008-05-14 19:46 -------- d-----w- c:\program files\Warcraft III
2009-08-15 00:24 . 2008-07-07 21:29 34 ----a-w- c:\documents and settings\Jed\jagex_runescape_preferences.dat
2009-08-12 01:45 . 2008-05-14 19:51 78272 ----a-w- c:\windows\War3Unin.dat
2009-08-05 09:01 . 2005-08-16 09:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 02:22 . 2009-08-01 04:57 -------- d-----w- c:\program files\Crayon Physics Deluxe
2009-08-04 02:13 . 2009-08-01 04:57 -------- d-----w- c:\documents and settings\Jed\Application Data\Crayon Physics Deluxe
2009-08-01 20:03 . 2009-08-01 20:03 -------- d-----w- c:\program files\[bleep] NFO Viewer
2009-07-24 09:33 . 2008-05-10 23:36 -------- d-----w- c:\program files\World of Warcraft
2009-07-17 19:01 . 2005-08-16 09:18 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 03:43 . 2005-08-16 09:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-06 18:01 . 2009-07-06 18:01 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
2009-07-03 15:30 . 2009-07-03 15:14 449600 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2009-07-03 15:28 . 2009-07-03 15:14 479232 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbsv.dll
2009-07-03 15:14 . 2009-07-03 15:14 57344 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbags.dll
2009-07-03 15:14 . 2009-07-03 15:14 874660 ----a-w- c:\documents and settings\Jed\Application Data\id Software\quakelive\home\pb\pbcls.dll
2009-07-03 15:11 . 2009-07-03 15:11 -------- d-----w- c:\documents and settings\Jed\Application Data\id Software
2009-07-03 15:08 . 2009-07-03 15:06 22328 ----a-w- c:\documents and settings\Jed\Application Data\PnkBstrK.sys
2009-07-03 15:08 . 2009-07-03 15:06 22328 ----a-w- c:\documents and settings\Jed\Application Data\PnkBstrK.sys
2009-06-29 16:12 . 2005-08-16 09:18 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2005-08-16 09:18 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2005-08-16 09:18 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2005-08-16 09:18 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2005-08-16 09:18 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2005-08-16 09:18 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2005-08-16 09:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2005-08-16 09:18 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2005-08-16 09:18 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2005-08-16 09:18 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2005-08-16 09:18 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2005-08-16 09:18 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-13 18:47 . 2008-04-19 20:56 97616 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-12 12:31 . 2005-08-16 09:18 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2005-08-16 09:18 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2005-08-16 09:18 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 13:19 . 2005-08-16 09:37 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2005-08-16 09:18 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:09 . 2005-08-16 09:18 1291264 ----a-w- c:\windows\system32\quartz.dll
2005-11-05 22:02 . 2008-10-26 03:28 53486 ----a-w- c:\program files\readme.txt
2005-06-10 02:15 . 2008-10-26 03:28 20339 ----a-w- c:\program files\mapadd.txt
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\go ----
<Accidentally DirLooked the ComboFix folder under a different name>


((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\blyuwrjl.exe
08/31/2009 05:38 PM 48640 \RP2\A0000028.exe

C:\emxtqjit.exe
08/31/2009 05:38 PM 21504 \RP2\A0000029.exe

c:\svchost.com\Auto-RC.cmd
07/29/2009 02:46 AM 3034 \RP2\A0000018.cmd

c:\svchost.com\AWF.cmd
04/29/2009 04:41 PM 629 \RP2\A0000128.cmd

c:\svchost.com\c.bat
09/01/2009 02:55 AM 48998 \RP2\A0000060.bat

08/31/2009 05:50 PM 91 c:\svchost.com\CCS.bat
08/31/2009 05:38 PM 91 \RP2\A0000058.bat

c:\svchost.com\CF-Script.cmd
08/12/2009 03:37 AM 25513 \RP2\A0000023.cmd

c:\svchost.com\Combobatch.bat
08/25/2009 03:17 AM 7590 \RP2\A0000036.bat
08/31/2009 05:47 PM 7705 \RP2\A0000059.bat

c:\svchost.com\Create.cmd
08/25/2009 03:17 AM 6723 \RP2\A0000065.cmd

c:\svchost.com\FD-SV.cmd
08/29/2009 04:21 AM 3067 \RP2\A0000126.cmd

c:\svchost.com\Install-RC.cmd
08/12/2009 03:44 AM 5645 \RP2\A0000019.cmd

c:\svchost.com\Kill-All.cmd
07/13/2009 07:31 AM 1588 \RP2\A0000024.cmd

08/31/2009 05:47 PM 194744 c:\svchost.com\Lang.bat
08/31/2009 01:11 AM 194486 \RP2\A0000035.bat

c:\svchost.com\List-B.bat
08/31/2009 05:00 PM 39051 \RP2\A0000026.bat

c:\svchost.com\List-C.bat
08/31/2009 05:49 PM 230907 \RP2\A0000033.bat

c:\svchost.com\List-D.bat
08/03/2009 06:28 PM 92837 \RP2\A0000021.bat

c:\svchost.com\List.bat
08/31/2009 06:04 AM 618384 \RP2\A0000022.bat

08/31/2009 05:37 PM 5066 c:\svchost.com\md5sum.pif
09/01/2009 02:55 AM 4794 \RP2\A0000020.pif

c:\svchost.com\restore_pt.vbs
05/01/2009 10:26 PM 587 \RP2\A0000025.vbs

c:\svchost.com\SnapShot.cmd
08/16/2009 01:39 PM 3351 \RP2\A0000127.cmd

c:\svchost.com\Update-CF.cmd
07/29/2009 03:01 AM 2722 \RP2\A0000005.cmd

c:\svchost.com\w_sock.dll
06/21/2009 02:45 PM 98948 \RP2\A0000034.dll

c:\svchost.com\w2k_sock.dll
06/21/2009 03:34 PM 90202 \RP2\A0000006.dll

c:\windows\LastGood.Tmp\system32\DRIVERS\klbg.sys
12/15/2008 08:41 PM 33808 \RP2\A0000054.sys

c:\windows\LastGood.Tmp\system32\DRIVERS\klif.sys
08/28/2009 08:52 PM 296976 \RP2\A0000055.sys

c:\windows\LastGood.Tmp\system32\DRIVERS\klmouflt.sys
05/16/2009 08:59 PM 19472 \RP2\A0000056.sys

c:\windows\system32\41ea83f.dll
08/31/2009 05:38 PM 82432 \RP2\A0000030.dll

c:\windows\system32\60e5440.dll
08/31/2009 05:38 PM 82432 \RP2\A0000031.dll

c:\windows\system32\badaliyo.exe
08/31/2009 05:38 PM 9216 \RP2\A0000032.exe

08/10/2004 06:00 AM 11648 c:\windows\system32\dllcache\cache\acpiec.sys
08/10/2004 06:00 AM 11648 \RP2\A0000097.sys

04/13/2008 12:39 PM 142592 c:\windows\system32\dllcache\cache\aec.sys
04/13/2008 12:39 PM 142592 \RP2\A0000124.sys

04/13/2008 08:11 PM 167936 c:\windows\system32\dllcache\cache\appmgmts.dll
04/13/2008 08:11 PM 167936 \RP2\A0000125.dll

04/13/2008 02:57 PM 14336 c:\windows\system32\dllcache\cache\asyncmac.sys
04/13/2008 02:57 PM 14336 \RP2\A0000103.sys

08/10/2004 06:00 AM 4224 c:\windows\system32\dllcache\cache\beep.sys
08/10/2004 06:00 AM 4224 \RP2\A0000091.sys

04/13/2008 08:11 PM 77824 c:\windows\system32\dllcache\cache\browser.dll
04/13/2008 08:11 PM 77824 \RP2\A0000108.dll

04/13/2008 08:11 PM 617472 c:\windows\system32\dllcache\cache\comctl32.dll
04/13/2008 08:11 PM 617472 \RP2\A0000096.dll

04/13/2008 08:11 PM 792064 c:\windows\system32\dllcache\cache\comres.dll
04/13/2008 08:11 PM 792064 \RP2\A0000089.dll

04/13/2008 08:11 PM 62464 c:\windows\system32\dllcache\cache\cryptsvc.dll
04/13/2008 08:11 PM 62464 \RP2\A0000107.dll

04/13/2008 08:12 PM 15360 c:\windows\system32\dllcache\cache\ctfmon.exe
04/13/2008 08:12 PM 15360 \RP2\A0000079.exe

07/07/2008 04:26 PM 253952 c:\windows\system32\dllcache\cache\es.dll
07/07/2008 04:26 PM 253952 \RP2\A0000112.dll

08/31/2009 04:20 PM 56320 c:\windows\system32\dllcache\cache\eventlog.dll
08/31/2009 04:20 PM 56320 \RP2\A0000102.dll

04/13/2008 08:12 PM 1033728 c:\windows\system32\dllcache\cache\explorer.exe
04/13/2008 08:12 PM 1033728 \RP2\A0000076.exe

04/13/2008 08:11 PM 110080 c:\windows\system32\dllcache\cache\imm32.dll
04/13/2008 08:11 PM 110080 \RP2\A0000086.dll

04/13/2008 02:53 PM 36608 c:\windows\system32\dllcache\cache\ip6fw.sys
04/13/2008 02:53 PM 36608 \RP2\A0000073.sys

04/13/2008 02:39 PM 24576 c:\windows\system32\dllcache\cache\kbdclass.sys
04/13/2008 02:39 PM 24576 \RP2\A0000088.sys

03/21/2009 10:06 AM 989696 c:\windows\system32\dllcache\cache\kernel32.dll
03/21/2009 10:06 AM 989696 \RP2\A0000084.dll

04/13/2008 08:11 PM 19968 c:\windows\system32\dllcache\cache\linkinfo.dll
04/13/2008 08:11 PM 19968 \RP2\A0000113.dll

04/13/2008 08:11 PM 22016 c:\windows\system32\dllcache\cache\lpk.dll
04/13/2008 08:11 PM 22016 \RP2\A0000090.dll

04/13/2008 08:12 PM 13312 c:\windows\system32\dllcache\cache\lsass.exe
04/13/2008 08:12 PM 13312 \RP2\A0000078.exe

04/13/2008 08:11 PM 927504 c:\windows\system32\dllcache\cache\mfc40u.dll
04/13/2008 08:11 PM 927504 \RP2\A0000093.dll

04/13/2008 08:11 PM 33792 c:\windows\system32\dllcache\cache\msgsvc.dll
04/13/2008 08:11 PM 33792 \RP2\A0000095.dll

07/19/2009 09:33 AM 3597824 c:\windows\system32\dllcache\cache\mshtml.dll
07/19/2009 09:33 AM 3597824 \RP2\A0000087.dll

10/18/2006 10:47 PM 27136 c:\windows\system32\dllcache\cache\mspmsnsv.dll
10/18/2006 10:47 PM 27136 \RP2\A0000105.dll

06/20/2008 01:46 PM 245248 c:\windows\system32\dllcache\cache\mswsock.dll
06/20/2008 01:46 PM 245248 \RP2\A0000110.dll

04/13/2008 03:20 PM 182656 c:\windows\system32\dllcache\cache\ndis.sys
04/13/2008 03:20 PM 182656 \RP2\A0000072.sys

04/13/2008 08:12 PM 407040 c:\windows\system32\dllcache\cache\netlogon.dll
04/13/2008 08:12 PM 407040 \RP2\A0000099.dll

04/13/2008 08:12 PM 198144 c:\windows\system32\dllcache\cache\netman.dll
04/13/2008 08:12 PM 198144 \RP2\A0000111.dll

04/13/2008 03:15 PM 574976 c:\windows\system32\dllcache\cache\ntfs.sys
04/13/2008 03:15 PM 574976 \RP2\A0000104.sys

02/06/2009 06:32 AM 2023936 c:\windows\system32\dllcache\cache\ntkrnlpa.exe
02/06/2009 06:32 AM 2023936 \RP2\A0000074.exe

04/13/2008 08:12 PM 435200 c:\windows\system32\dllcache\cache\ntmssvc.dll
04/13/2008 08:12 PM 435200 \RP2\A0000118.dll

02/06/2009 07:06 AM 2145280 c:\windows\system32\dllcache\cache\ntoskrnl.exe
02/06/2009 07:06 AM 2145280 \RP2\A0000075.exe

08/10/2004 06:00 AM 2944 c:\windows\system32\dllcache\cache\null.sys
08/10/2004 06:00 AM 2944 \RP2\A0000092.sys

04/13/2008 08:12 PM 17408 c:\windows\system32\dllcache\cache\powrprof.dll
04/13/2008 08:12 PM 17408 \RP2\A0000085.dll

04/13/2008 08:12 PM 409088 c:\windows\system32\dllcache\cache\qmgr.dll
04/13/2008 08:12 PM 409088 \RP2\A0000100.dll

04/13/2008 08:12 PM 88576 c:\windows\system32\dllcache\cache\rasauto.dll
04/13/2008 08:12 PM 88576 \RP2\A0000119.dll

04/13/2008 08:12 PM 59904 c:\windows\system32\dllcache\cache\regsvc.dll
04/13/2008 08:12 PM 59904 \RP2\A0000122.dll

02/09/2009 08:10 AM 401408 c:\windows\system32\dllcache\cache\rpcss.dll
02/09/2009 08:10 AM 401408 \RP2\A0000094.dll

04/13/2008 08:12 PM 181248 c:\windows\system32\dllcache\cache\scecli.dll
04/13/2008 08:12 PM 181248 \RP2\A0000101.dll

04/13/2008 08:12 PM 192512 c:\windows\system32\dllcache\cache\schedsvc.dll
04/13/2008 08:12 PM 192512 \RP2\A0000121.dll

02/06/2009 07:11 AM 110592 c:\windows\system32\dllcache\cache\services.exe
02/06/2009 07:11 AM 110592 \RP2\A0000077.exe

04/13/2008 08:12 PM 5120 c:\windows\system32\dllcache\cache\sfc.dll
04/13/2008 08:12 PM 5120 \RP2\A0000098.dll

04/13/2008 08:12 PM 1614848 c:\windows\system32\dllcache\cache\sfcfiles.dll
04/13/2008 08:12 PM 1614848 \RP2\A0000120.dll

04/13/2008 08:12 PM 135168 c:\windows\system32\dllcache\cache\shsvcs.dll
04/13/2008 08:12 PM 135168 \RP2\A0000123.dll

04/13/2008 08:12 PM 57856 c:\windows\system32\dllcache\cache\spoolsv.exe
04/13/2008 08:12 PM 57856 \RP2\A0000080.exe

04/13/2008 08:12 PM 171008 c:\windows\system32\dllcache\cache\srsvc.dll
04/13/2008 08:12 PM 171008 \RP2\A0000116.dll

04/13/2008 08:12 PM 71680 c:\windows\system32\dllcache\cache\ssdpsrv.dll
04/13/2008 08:12 PM 71680 \RP2\A0000114.dll

04/13/2008 08:12 PM 14336 c:\windows\system32\dllcache\cache\svchost.exe
04/13/2008 08:12 PM 14336 \RP2\A0000066.exe

04/13/2008 08:12 PM 249856 c:\windows\system32\dllcache\cache\tapisrv.dll
04/13/2008 08:12 PM 249856 \RP2\A0000109.dll

06/20/2008 07:51 AM 361600 c:\windows\system32\dllcache\cache\tcpip.sys
06/20/2008 07:51 AM 361600 \RP2\A0000070.sys

04/13/2008 08:12 PM 295424 c:\windows\system32\dllcache\cache\termsrv.dll
04/13/2008 08:12 PM 295424 \RP2\A0000083.dll

04/13/2008 08:12 PM 185856 c:\windows\system32\dllcache\cache\upnphost.dll
04/13/2008 08:12 PM 185856 \RP2\A0000115.dll

04/13/2008 08:12 PM 578560 c:\windows\system32\dllcache\cache\user32.dll
04/13/2008 08:12 PM 578560 \RP2\A0000067.dll

04/13/2008 08:12 PM 26112 c:\windows\system32\dllcache\cache\userinit.exe
04/13/2008 08:12 PM 26112 \RP2\A0000082.exe

06/29/2009 12:12 PM 827392 c:\windows\system32\dllcache\cache\wininet.dll
06/29/2009 12:12 PM 827392 \RP2\A0000069.dll

04/13/2008 08:12 PM 507904 c:\windows\system32\dllcache\cache\winlogon.exe
04/13/2008 08:12 PM 507904 \RP2\A0000071.exe

04/13/2008 08:12 PM 82432 c:\windows\system32\dllcache\cache\ws2_32.dll
04/13/2008 08:12 PM 82432 \RP2\A0000068.dll

04/13/2008 08:12 PM 13824 c:\windows\system32\dllcache\cache\wscntfy.exe
04/13/2008 08:12 PM 13824 \RP2\A0000117.exe

10/16/2008 03:09 PM 51224 c:\windows\system32\dllcache\cache\wuauclt.exe
10/16/2008 03:09 PM 51224 \RP2\A0000081.exe

04/13/2008 08:12 PM 129024 c:\windows\system32\dllcache\cache\xmlprov.dll
04/13/2008 08:12 PM 129024 \RP2\A0000106.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-05-28 19:54 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jed^Start Menu^Programs^Startup^Axis & Allies Registration.lnk]
path=c:\documents and settings\Jed\Start Menu\Programs\Startup\Axis & Allies Registration.lnk
backup=c:\windows\pss\Axis & Allies Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Jed^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Jed\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Dell Network Assistant\\ezi_hnm2.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\\Program Files\\Warcraft III\\Frozen Throne.exe"=
"c:\\Program Files\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xvortex_10\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xvortex_10\\source sdk base\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Steam\\SteamApps\\xvortex_10\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\World of Warcraft\\WoW-2.4.3-to-3.0.2-enUS-Win-Final-downloader.exe"=
"c:\\Program Files\\Curse\\CurseClient.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn\\ytbb.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"10421:UDP"= 10421:UDP:SingleClick Discovery Protocol
"10426:UDP"= 10426:UDP:SingleClick ICC
"3724:TCP"= 3724:TCP:Blizzard Downloader
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"57750:TCP"= 57750:TCP:Pando Media Booster
"57750:UDP"= 57750:UDP:Pando Media Booster
"57268:TCP"= 57268:TCP:Pando Media Booster
"57268:UDP"= 57268:UDP:Pando Media Booster

S0 avclq;avclq;c:\windows\system32\drivers\whtwdwx.sys --> c:\windows\system32\drivers\whtwdwx.sys [?]
S0 nielprt;Nielsen Patch Service;c:\windows\system32\DRIVERS\nielprt.sys --> c:\windows\system32\DRIVERS\nielprt.sys [?]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [9/25/2007 10:59 AM 15152]
S3 NielGfx;Nielsen USB GFX;c:\windows\system32\drivers\nielgfx.sys --> c:\windows\system32\drivers\nielgfx.sys [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2009-08-31 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 14:09]

2009-08-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
TCP: {4D73EC32-350A-4423-87DC-253717294F8D} = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Jed\Application Data\Mozilla\Firefox\Profiles\8w1wn5zk.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - YouTube Video Search
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\documents and settings\All Users\Application Data\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Jed\Application Data\Mozilla\Firefox\Profiles\8w1wn5zk.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\documents and settings\Jed\Application Data\Mozilla\Firefox\Profiles\8w1wn5zk.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-31 17:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1020)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3756)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Dell Network Assistant\hnm_svc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2009-08-31 17:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-31 21:59
ComboFix2.txt 2009-08-31 20:54

Pre-Run: 49,294,729,216 bytes free
Post-Run: 49,248,542,720 bytes free

Current=5 Default=5 Failed=4 LastKnownGood=6 Sets=1,2,3,4,5,6
627 --- E O F --- 2009-08-28 14:46
