Need Help Cleaning My System Really Really Bad!

makaveli3004 · 04-26-2008, 05:13 PM

Ive had virus's and trojans for months now and its getting worse I need to clean my system to get them to stop. Basically when i leave my computer on and I wake up I will always have 49 popups of all different pages. Also my mom on her username has this AWOLA spyware searcher that she didnt download and pops up every 2 seconds.

Logfile of HijackThis v1.99.1
Scan saved at 12:24:49 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\mdm.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27EB87B7-2C51-4337-9BBA-794CFC4CB694} - C:\Program Files\Common Files\home83122.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\xffamony.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMef402ebd] Rundll32.exe "C:\WINDOWS\system32\ycdeixoo.dll",s
O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: iifeefd - iifeefd.dll (file missing)
O20 - Winlogon Notify: iqdblysv - iqdblysv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

makaveli3004 · 04-26-2008, 05:37 PM

"Valued Customer" - 2008-04-26 12:26:47 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Temp\tn3
C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1

((((((((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-26 ))))))))))))))))))))))))))))))))))

2008-04-26 12:32 <DIR> d-------- C:\temp\tn3
2008-04-22 19:24 0 --ahs---- C:\DOCUME~1\Mom\APPLIC~1\00480e735bb240c3461019295 b35d243c30c3294c4.dat
2008-04-22 19:23 485,888 --a------ C:\DOCUME~1\Mom\installer.exe
2008-04-22 19:23 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Awola6
2008-04-22 18:02 13,824 --a------ C:\DOCUME~1\Mom\APPLIC~1\jlius.exe
2008-04-10 19:14 3,648 --a------ C:\WINDOWS\system32\xxqgrsjg.dll
2008-04-10 19:13 309,682 --ahs---- C:\WINDOWS\system32\mprCdMoq.ini2
2008-04-10 19:08 50,176 ----s---- C:\WINDOWS\mdm.exe
2008-04-07 17:09 <DIR> d-------- C:\Program Files\iPod
2008-04-01 22:00 <DIR> d-------- C:\DOCUME~1\VALUED~1\APPLIC~1\Ahead

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

2008-04-26 16:29:39 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA
2008-04-20 15:27:41 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent
2008-04-07 21:09:49 -------- d-----w C:\Program Files\iTunes
2008-04-07 21:08:48 -------- d-----w C:\Program Files\QuickTime
2008-04-05 17:36:21 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 23:15:03 -------- d-----w C:\Program Files\mIRC
2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 18:55:37 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-12 02:19:02 -------- d-----w C:\Program Files\Bonjour
2008-03-12 02:07:53 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-12 02:01:37 486,108,144 ----a-w C:\ADBEPHSPCS3_WWE.exe
2008-03-01 00:49:58 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\dvdcss
2008-02-29 00:10:58 -------- d-----w C:\Program Files\BitTorrent
2008-02-29 00:10:57 -------- d-----w C:\Program Files\DNA
2008-02-23 18:43:16 -------- d-----w C:\Program Files\Movkit
2008-02-22 06:09:05 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\vlc
2008-02-22 06:06:56 -------- d-----w C:\Program Files\VideoLAN
2008-02-20 21:15:46 -------- d-----w C:\Program Files\Norton AntiVirus
2008-02-20 21:15:46 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 20:52:04 -------- d-----w C:\Program Files\Symantec
2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-05 00:23:36 86,016 ----a-w C:\WINDOWS\system32\drivers\ipfltdrvv.sys
2008-01-29 16:02:30 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-04-21 08:30]
"ec731d21"="C:\WINDOWS\system32\xffamony.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"BMef402ebd"="C:\WINDOWS\system32\ycdeixoo.dll " []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 19:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 03:11]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" []
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 01:55]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 23:25]
"mdm"="C:\WINDOWS\mdm.exe" [2008-04-10 19:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
iqdblysv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\qoMdCrpm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe

Contents of the 'Scheduled Tasks' folder
2008-04-21 15:48:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-04-26 05:51:00 C:\WINDOWS\tasks\MP Scheduled Scan.job

************************************************** ******************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 12:32:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ******************

Completion time: 2008-04-26 12:44:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2008-04-26 12:44
C:\ComboFix2.txt ... 2008-02-22 02:10
C:\ComboFix3.txt ... 2008-02-17 20:54

--- E O F ---

Punk · 04-26-2008, 06:13 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Download Avenger, and unzip it to your desktop or somewhere you can find it.Â (Do not run it yet).

Note: This program is for use on Windows XP 32 bit systems only, and must be run from an Administrator account.

Open a Notepad file by clicking Start > RunÂ and typing Notepad.exe in the box, click OK.
Click Format, and ensure Word Wrap is unchecked.
Copy and Paste the text in the box below into Notepad.
Now save the file as RemoveFiles.txt in a location where you can find it.

Quote:

Drivers to unload:
ipfltdrvv.sys

Files to delete:
C:\WINDOWS\system32\drivers\ipfltdrvv.sys
C:\WINDOWS\system32\drivers\core.cache.dsk

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Start Avenger by double clicking on Avenger.exe.

Check Load script from file:
Click on the folder symbol below and to the right, and browse to RemoveFiles.txt.
Double click it to enter it into Avenger.
Click the green traffic light symbol.
You will be asked if you want to execute the script, answer Yes.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer Yes, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created C:\avenger.txt.
Copy and Paste it into your next post please.

makaveli3004 · 04-27-2008, 06:18 PM

SDFix: Version 1.175
Run by Valued Customer on Sun 04/27/2008 at 12:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted
C:\PROGRA~1\INTERN~1\LAXUKI~1 - Deleted
C:\WINDOWS\default.htm - Deleted
C:\WINDOWS\Fonts\Crack.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\drivers\IPFLTD~1.sys - Deleted
C:\WINDOWS\Fonts\*.zip - 1 File(s) 637,937 bytes - Deleted

Folder C:\Temp\tn3 - Removed

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 13:13:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled

NA"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe:*:Enabled:Orb Application"
"C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe:*:Enabled:Orb"
"C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe:*:Enabled:AOL Instant Messenger"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :

File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 3 May 2006 163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll"
Tue 26 Feb 2008 23,552 ..SH. --- "C:\WINDOWS\system32\iqdblysv.dllbox"
Mon 2 Apr 2007 118,784 A.SHR --- "C:\WINDOWS\system32\msgnmsger.exe"
Wed 3 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 2 Feb 2008 29,184 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0001.tmp"
Wed 13 Feb 2008 31,232 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0002.tmp"
Sat 24 Feb 2007 16,333 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0003.tmp"
Mon 31 Mar 2008 38,400 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0004.tmp"
Tue 15 Apr 2008 38,400 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0005.tmp"
Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll"
Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll"
Sun 7 Jan 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe"
Wed 27 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll"
Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll"
Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll"
Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll"
Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll"
Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll"
Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll"
Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll"
Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll"
Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll"
Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll"
Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll"
Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll"
Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll"
Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll"
Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll"
Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll"
Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll"
Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll"
Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll"
Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll"
Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c4 06b1d7e0f5c1e6f6d44a3f6e\BITD4.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc 8132a10b438ce6e2b49d4652\BITD2.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111 678c52099a3b3123b12f2325\BITD6.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5 109d0f8b0dee9fab84906813\BITD5.tmp"
Sun 3 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f 60df1b38218903dd0d40ce98\BIT5.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b 8fed23dd91f50d167cce60d3\BITD7.tmp"
Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916b b150f8a929e7a4ffdfbc120f\BITD3.tmp"
Tue 23 Oct 2007 1,301 ...HR --- "C:\Documents and Settings\Valued Customer\Application Data\SecuROM\UserData\securom_v7_01.bak"

Finished!

makaveli3004 · 04-27-2008, 06:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:30:48 PM, on 4/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\mdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27EB87B7-2C51-4337-9BBA-794CFC4CB694} - C:\Program Files\Common Files\home83122.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe
O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe
O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\xffamony.dll",b
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BMef402ebd] Rundll32.exe "C:\WINDOWS\system32\ycdeixoo.dll",s
O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe
O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_5.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: iifeefd - iifeefd.dll (file missing)
O20 - Winlogon Notify: iqdblysv - iqdblysv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

makaveli3004 · 04-27-2008, 06:27 PM

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: registry key "\Registry\Machine\System\CurrentControlSet\Servic es\ipfltdrvv.sys" not found!
Deletion of driver "ipfltdrvv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\ipfltdrvv.sys" not found!
Deletion of file "C:\WINDOWS\system32\drivers\ipfltdrvv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\WINDOWS\system32\drivers\core.cache.dsk" not found!
Deletion of file "C:\WINDOWS\system32\drivers\core.cache.dsk" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

makaveli3004 · 04-27-2008, 06:28 PM

Im still having the CID popups.

Punk · 04-27-2008, 06:29 PM

Ok.

Please post a new combofix log.

makaveli3004 · 04-27-2008, 08:17 PM

alued Customer" - 2008-04-27 15:15:53 Service Pack 2
ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\YSTEM~1
C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1
C:\qoobox\purity\C\Program Files\Common Files\STEM32~1
C:\qoobox\purity\C\WINDOWS\YSTEM3~1
C:\qoobox\purity\C\WINDOWS\system32\RACLE~1

((((((((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-27 ))))))))))))))))))))))))))))))))))

2008-04-27 13:46 <DIR> d-------- C:\Program Files\MKVTOAVI
2008-04-27 13:35 <DIR> d-------- C:\Avenger
2008-04-27 12:49 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-22 19:24 0 --ahs---- C:\DOCUME~1\Mom\APPLIC~1\00480e735bb240c3461019295 b35d243c30c3294c4.dat
2008-04-22 19:23 485,888 --a------ C:\DOCUME~1\Mom\installer.exe
2008-04-22 18:02 13,824 --a------ C:\DOCUME~1\Mom\APPLIC~1\jlius.exe
2008-04-10 19:14 3,648 --a------ C:\WINDOWS\system32\xxqgrsjg.dll
2008-04-10 19:13 309,682 --ahs---- C:\WINDOWS\system32\mprCdMoq.ini2
2008-04-10 19:08 50,176 ----s---- C:\WINDOWS\mdm.exe
2008-04-07 17:09 <DIR> d-------- C:\Program Files\iPod
2008-04-01 22:00 <DIR> d-------- C:\DOCUME~1\VALUED~1\APPLIC~1\Ahead

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) )))

2008-04-27 19:23:48 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent
2008-04-27 19:16:09 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA
2008-04-07 21:09:49 -------- d-----w C:\Program Files\iTunes
2008-04-07 21:08:48 -------- d-----w C:\Program Files\QuickTime
2008-04-05 17:36:21 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2008-03-24 23:15:03 -------- d-----w C:\Program Files\mIRC
2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 18:55:37 -------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-12 02:19:02 -------- d-----w C:\Program Files\Bonjour
2008-03-12 02:07:53 -------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-03-12 02:01:37 486,108,144 ----a-w C:\ADBEPHSPCS3_WWE.exe
2008-03-01 00:49:58 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\dvdcss
2008-02-29 00:10:58 -------- d-----w C:\Program Files\BitTorrent
2008-02-29 00:10:57 -------- d-----w C:\Program Files\DNA
2008-02-23 18:43:16 -------- d-----w C:\Program Files\Movkit
2008-02-22 06:09:05 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\vlc
2008-02-22 06:06:56 -------- d-----w C:\Program Files\VideoLAN
2008-02-20 21:15:46 -------- d-----w C:\Program Files\Norton AntiVirus
2008-02-20 21:15:46 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-20 20:52:04 -------- d-----w C:\Program Files\Symantec
2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-29 16:02:30 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects]
{27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22]
"watelkj"="C:\WINDOWS\system32\watelkj.exe" []
"o"="C:\WINDOWS\system32\o.exe" []
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51]
"Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" []
"MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-04-27 14:54]
"ec731d21"="C:\WINDOWS\system32\xffamony.dll" []
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36]
"BMef402ebd"="C:\WINDOWS\system32\ycdeixoo.dll " []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 19:35]
"Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 03:11]
"logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" []
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 01:55]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 23:25]
"mdm"="C:\WINDOWS\mdm.exe" [2008-04-10 19:08]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runservices]
"watelkj"=C:\WINDOWS\system32\watelkj.exe
"o"=C:\WINDOWS\system32\o.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegedit"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
C:\Program Files\Internet Explorer\prohdyxe.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
C:\Program Files\ComPlus Applications\prohdyxe.html

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd]
iifeefd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv]
iqdblysv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
Authentication Packages msv1_0 C:\WINDOWS\system32\qoMdCrpm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
C:\Program Files\Web Buying\v1.8.8\webbuying.exe

[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}]
AutoRun\command- H:\Programs\nu2menu\nu2menu.exe

*Newly Created Service* -SJYPKT

Contents of the 'Scheduled Tasks' folder
2008-04-21 15:48:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2008-04-27 17:38:53 C:\WINDOWS\tasks\MP Scheduled Scan.job

************************************************** ******************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 15:24:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ******************

Completion time: 2008-04-27 15:26:43
C:\ComboFix-quarantined-files.txt ... 2008-04-27 15:26
C:\ComboFix2.txt ... 2008-04-26 12:44
C:\ComboFix3.txt ... 2008-02-22 02:10

--- E O F ---

Punk · 04-28-2008, 12:53 PM

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

04-26-2008, 05:13 PM	#1 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	Need Help Cleaning My System Really Really Bad! Ive had virus's and trojans for months now and its getting worse I need to clean my system to get them to stop. Basically when i leave my computer on and I wake up I will always have 49 popups of all different pages. Also my mom on her username has this AWOLA spyware searcher that she didnt download and pops up every 2 seconds. Logfile of HijackThis v1.99.1 Scan saved at 12:24:49 PM, on 4/26/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\DNA\btdna.exe C:\WINDOWS\mdm.exe C:\Program Files\Orb Networks\Orb\bin\Orb.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe C:\Program Files\Microsoft Office\Office12\WINWORD.EXE C:\Program Files\iTunes\iTunes.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe C:\Program Files\Microsoft Office\Office12\POWERPNT.EXE C:\Program Files\Windows Media Player\wmplayer.exe C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe C:\Program Files\AIM\aim.exe C:\WINDOWS\system32\winlogon.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = .local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {27EB87B7-2C51-4337-9BBA-794CFC4CB694} - C:\Program Files\Common Files\home83122.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\xffamony.dll",b O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [BMef402ebd] Rundll32.exe "C:\WINDOWS\system32\ycdeixoo.dll",s O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe O4 - HKCU\..\Run: [Drmupgds] C:\Program Files\Drmupgds\Drmupgds.exe O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_5.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: iifeefd - iifeefd.dll (file missing) O20 - Winlogon Notify: iqdblysv - iqdblysv.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

04-27-2008, 06:18 PM	#4 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	SDFix: Version 1.175 Run by Valued Customer on Sun 04/27/2008 at 12:56 PM Microsoft Windows XP [Version 5.1.2600] Running From: C:\SDFix\SDFix Checking Services : Restoring Windows Registry Values Restoring Windows Default Hosts File Rebooting Checking Files : Trojan Files Found: C:\WINDOWS\SYSTEM32\TASKKILL.EXE - Deleted C:\PROGRA~1\INTERN~1\LAXUKI~1 - Deleted C:\WINDOWS\default.htm - Deleted C:\WINDOWS\Fonts\Crack.exe - Deleted C:\WINDOWS\system32\pac.txt - Deleted C:\WINDOWS\system32\drivers\IPFLTD~1.sys - Deleted C:\WINDOWS\Fonts\.zip - 1 File(s) 637,937 bytes - Deleted Folder C:\Temp\tn3 - Removed Removing Temp Files ADS Check* : Final Check : catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-27 13:13:42 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden services & system hive ... scanning hidden registry entries ... scanning hidden files ... scan completed successfully hidden processes: 0 hidden services: 0 hidden files: 0 Remaining Services : Authorized Application Key Export: [HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" "C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe::EnabledNA" "C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe::Enabled:Orb Application" "C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe"="C:\\Program Files\\Orb Networks\\Orb\\bin\\OrbTray.exe::Enabled:Orb" "C:\\Program Files\\AIM\\aim.exe"="C:\\Program Files\\AIM\\aim.exe::Enabled:AOL Instant Messenger" [HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list] "%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe::enabled:@xpsp2res.dll,-22019" Remaining Files : File Backups: - C:\SDFix\SDFix\backups\backups.zip Files with Hidden Attributes : Wed 3 May 2006 163,328 A.SHR --- "C:\WINDOWS\system32\flvDX.dll" Tue 26 Feb 2008 23,552 ..SH. --- "C:\WINDOWS\system32\iqdblysv.dllbox" Mon 2 Apr 2007 118,784 A.SHR --- "C:\WINDOWS\system32\msgnmsger.exe" Wed 3 Jan 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak" Sat 2 Feb 2008 29,184 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0001.tmp" Wed 13 Feb 2008 31,232 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0002.tmp" Sat 24 Feb 2007 16,333 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0003.tmp" Mon 31 Mar 2008 38,400 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0004.tmp" Tue 15 Apr 2008 38,400 ...H. --- "C:\Documents and Settings\Valued Customer\My Documents\~WRL0005.tmp" Sun 26 Jun 2005 616,448 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygwin1.dll" Tue 21 Jun 2005 45,568 ..SHR --- "C:\Program Files\eRightSoft\SUPER\cygz.dll" Sun 7 Jan 2007 72,704 ..SHR --- "C:\Program Files\eRightSoft\SUPER\Setup.exe" Wed 27 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp" Tue 4 Jun 2002 84,992 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\14_43260.dll" Tue 4 Jun 2002 44,032 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\28_83260.dll" Mon 9 Dec 2002 73,766 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\atrc3260.dll" Mon 9 Dec 2002 65,575 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\cook3260.dll" Sun 9 Jun 2002 36,864 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ddnt3260.dll" Tue 4 Jun 2002 20,480 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dnet3260.dll" Mon 9 Dec 2002 102,437 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv13260.dll" Mon 9 Dec 2002 176,165 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv23260.dll" Mon 9 Dec 2002 208,935 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv33260.dll" Mon 9 Dec 2002 217,127 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\drv43260.dll" Sun 9 Jun 2002 40,448 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\dspr3260.dll" Sat 3 Nov 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\ivvideo.dll" Tue 10 Apr 2001 225,280 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\qtmlClient.dll" Fri 20 Feb 2004 232,960 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\raac.dll" Sun 9 Jun 2002 525,824 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnco3260.dll" Mon 9 Dec 2002 245,805 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rnlt3260.dll" Mon 9 Dec 2002 45,093 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv103260.dll" Mon 9 Dec 2002 98,341 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv203260.dll" Mon 9 Dec 2002 94,247 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv303260.dll" Mon 9 Dec 2002 90,151 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\rv403260.dll" Mon 9 Dec 2002 102,439 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\sipr3260.dll" Sun 9 Jun 2002 49,152 ...HR --- "C:\Program Files\eRightSoft\SUPER\mencoder\tokr3260.dll" Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c4 06b1d7e0f5c1e6f6d44a3f6e\BITD4.tmp" Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc 8132a10b438ce6e2b49d4652\BITD2.tmp" Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111 678c52099a3b3123b12f2325\BITD6.tmp" Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5 109d0f8b0dee9fab84906813\BITD5.tmp" Sun 3 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bc066f3f 60df1b38218903dd0d40ce98\BIT5.tmp" Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b 8fed23dd91f50d167cce60d3\BITD7.tmp" Wed 12 Dec 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916b b150f8a929e7a4ffdfbc120f\BITD3.tmp" Tue 23 Oct 2007 1,301 ...HR --- "C:\Documents and Settings\Valued Customer\Application Data\SecuROM\UserData\securom_v7_01.bak" Finished!

04-27-2008, 06:29 PM	#8 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 18 Posts: 4,494	Ok. Please post a new combofix log. __________________ Punk's anti-hackers website Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

04-28-2008, 12:53 PM	#10 (permalink)
Punk Diamond Member Join Date: Jan 2007 Location: France Age: 18 Posts: 4,494	Please download VundoFix.exe to your desktop. Double-click VundoFix.exe to run it. Click the Scan for Vundo button. Once it's done scanning, click the Remove Vundo button. You will receive a prompt asking if you want to remove the files, click YES Once you click yes, your desktop will go blank as it starts removing Vundo. When completed, it will prompt that it will reboot your computer, click OK. Please post the contents of C:\vundofix.txt and a new HiJackThis log. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. __________________ Punk's anti-hackers website Punk's Website making and registering tutorial! Rise And Fall, Rage And Grace The Offspring! Huck it! I just want to be who I want to be guess that's hard for others to see

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

04-26-2008, 05:37 PM	#2 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	"Valued Customer" - 2008-04-26 12:26:47 Service Pack 2 ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) C:\Temp\tn3 C:\WINDOWS\system32\drivers\core.cache.dsk . . . . failed to delete ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\C\Program Files\YSTEM~1 C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1 C:\qoobox\purity\C\Program Files\Common Files\STEM32~1 C:\qoobox\purity\C\WINDOWS\YSTEM3~1 C:\qoobox\purity\C\WINDOWS\system32\RACLE~1 ((((((((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-26 )))))))))))))))))))))))))))))))))) 2008-04-26 12:32 <DIR> d-------- C:\temp\tn3 2008-04-22 19:24 0 --ahs---- C:\DOCUME~1\Mom\APPLIC~1\00480e735bb240c3461019295 b35d243c30c3294c4.dat 2008-04-22 19:23 485,888 --a------ C:\DOCUME~1\Mom\installer.exe 2008-04-22 19:23 <DIR> d-------- C:\DOCUME~1\Mom\APPLIC~1\Awola6 2008-04-22 18:02 13,824 --a------ C:\DOCUME~1\Mom\APPLIC~1\jlius.exe 2008-04-10 19:14 3,648 --a------ C:\WINDOWS\system32\xxqgrsjg.dll 2008-04-10 19:13 309,682 --ahs---- C:\WINDOWS\system32\mprCdMoq.ini2 2008-04-10 19:08 50,176 ----s---- C:\WINDOWS\mdm.exe 2008-04-07 17:09 <DIR> d-------- C:\Program Files\iPod 2008-04-01 22:00 <DIR> d-------- C:\DOCUME~1\VALUED~1\APPLIC~1\Ahead (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))) 2008-04-26 16:29:39 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA 2008-04-20 15:27:41 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent 2008-04-07 21:09:49 -------- d-----w C:\Program Files\iTunes 2008-04-07 21:08:48 -------- d-----w C:\Program Files\QuickTime 2008-04-05 17:36:21 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat 2008-03-24 23:15:03 -------- d-----w C:\Program Files\mIRC 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-14 18:55:37 -------- d-----w C:\Program Files\SUPERAntiSpyware 2008-03-12 02:19:02 -------- d-----w C:\Program Files\Bonjour 2008-03-12 02:07:53 -------- d-----w C:\Program Files\Common Files\Macrovision Shared 2008-03-12 02:01:37 486,108,144 ----a-w C:\ADBEPHSPCS3_WWE.exe 2008-03-01 00:49:58 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\dvdcss 2008-02-29 00:10:58 -------- d-----w C:\Program Files\BitTorrent 2008-02-29 00:10:57 -------- d-----w C:\Program Files\DNA 2008-02-23 18:43:16 -------- d-----w C:\Program Files\Movkit 2008-02-22 06:09:05 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\vlc 2008-02-22 06:06:56 -------- d-----w C:\Program Files\VideoLAN 2008-02-20 21:15:46 -------- d-----w C:\Program Files\Norton AntiVirus 2008-02-20 21:15:46 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-02-20 20:52:04 -------- d-----w C:\Program Files\Symantec 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll 2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information 2008-02-05 00:23:36 86,016 ----a-w C:\WINDOWS\system32\drivers\ipfltdrvv.sys 2008-01-29 16:02:30 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects] {27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll [] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59] "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22] "watelkj"="C:\WINDOWS\system32\watelkj.exe" [] "o"="C:\WINDOWS\system32\o.exe" [] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51] "Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" [] "MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-04-21 08:30] "ec731d21"="C:\WINDOWS\system32\xffamony.dll" [] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36] "BMef402ebd"="C:\WINDOWS\system32\ycdeixoo.dll " [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 19:35] "Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 03:11] "logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" [] "Drmupgds"="C:\Program Files\Drmupgds\Drmupgds.exe" [] "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 01:55] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06] "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 23:25] "mdm"="C:\WINDOWS\mdm.exe" [2008-04-10 19:08] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runservices] "watelkj"=C:\WINDOWS\system32\watelkj.exe "o"=C:\WINDOWS\system32\o.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system] "DisableRegedit"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] C:\Program Files\Internet Explorer\prohdyxe.html [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1] C:\Program Files\ComPlus Applications\prohdyxe.html [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd] iifeefd.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv] iqdblysv.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa] Authentication Packages msv1_0 C:\WINDOWS\system32\qoMdCrpm [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}] AutoRun\command- H:\Programs\nu2menu\nu2menu.exe Contents of the 'Scheduled Tasks' folder 2008-04-21 15:48:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2008-04-26 05:51:00 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************ ************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-26 12:32:16 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** **************** Completion time: 2008-04-26 12:44:25 - machine was rebooted C:\ComboFix-quarantined-files.txt ... 2008-04-26 12:44 C:\ComboFix2.txt ... 2008-02-22 02:10 C:\ComboFix3.txt ... 2008-02-17 20:54 --- E O F ---

04-27-2008, 06:19 PM	#5 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	Logfile of HijackThis v1.99.1 Scan saved at 1:30:48 PM, on 4/27/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16640) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Windows Defender\MsMpEng.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\system32\notepad.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\AIM\aim.exe C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Program Files\DNA\btdna.exe C:\WINDOWS\mdm.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe C:\Program Files\Orb Networks\Orb\bin\Orb.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\internet explorer\iexplore.exe C:\Program Files\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = .local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {27EB87B7-2C51-4337-9BBA-794CFC4CB694} - C:\Program Files\Common Files\home83122.dll (file missing) O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe" O4 - HKLM\..\Run: [watelkj] C:\WINDOWS\system32\watelkj.exe O4 - HKLM\..\Run: [o] C:\WINDOWS\system32\o.exe O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll" O4 - HKLM\..\Run: [Amok Eggs Four Web] C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe O4 - HKLM\..\Run: [MODE FREE BIRD SURF] C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe O4 - HKLM\..\Run: [ec731d21] rundll32.exe "C:\WINDOWS\system32\xffamony.dll",b O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [BMef402ebd] Rundll32.exe "C:\WINDOWS\system32\ycdeixoo.dll",s O4 - HKLM\..\RunServices: [watelkj] C:\WINDOWS\system32\watelkj.exe O4 - HKLM\..\RunServices: [o] C:\WINDOWS\system32\o.exe O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl O4 - HKCU\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKCU\..\Run: [logo link] C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" O4 - HKCU\..\Run: [mdm] C:\WINDOWS\mdm.exe O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing) O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll O11 - Options group: [INTERNATIONAL] International O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab O16 - DPF: {4CCA4E80-9259-11D9-AC6E-444553544200} (FixController Control) - http://h30155.www3.hp.com/ediags/dd/...lMgr_v01_5.cab O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {95D88B35-A521-472B-A182-BB1A98356421} (Pearson Installation Assistant 2) - http://asp.mathxl.com/books/_Players...stallAsst2.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {E6D23284-0E9B-417D-A782-03E4487FC947} (Pearson MathXL Player) - http://asp.mathxl.com/books/_Players/MathPlayer.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6CE3FB5E-A75E-430E-8347-262B2620F726}: NameServer = 192.9.9.3 O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DL L O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL O20 - Winlogon Notify: iifeefd - iifeefd.dll (file missing) O20 - Winlogon Notify: iqdblysv - iqdblysv.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing) O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing) O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

04-27-2008, 06:27 PM	#6 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	Logfile of The Avenger Version 2.0, (c) by Swandog46 http://swandog46.geekstogo.com Platform: Windows XP ***************** Script file opened successfully. Script file read successfully. Backups directory opened successfully at C:\Avenger *************** Beginning to process script file: Rootkit scan active. No rootkits found! Error: registry key "\Registry\Machine\System\CurrentControlSet\Servic es\ipfltdrvv.sys" not found! Deletion of driver "ipfltdrvv.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\drivers\ipfltdrvv.sys" not found! Deletion of file "C:\WINDOWS\system32\drivers\ipfltdrvv.sys" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Error: file "C:\WINDOWS\system32\drivers\core.cache.dsk" not found! Deletion of file "C:\WINDOWS\system32\drivers\core.cache.dsk" failed! Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND) --> the object does not exist Completed script processing. ***************** Finished! Terminate.

04-27-2008, 06:28 PM	#7 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	Im still having the CID popups.

04-27-2008, 08:17 PM	#9 (permalink)
makaveli3004 Bronze Member Join Date: Nov 2006 Posts: 69	alued Customer" - 2008-04-27 15:15:53 Service Pack 2 ComboFix 07-05.21.6.V - Running from: "C:\Documents and Settings\Valued Customer\Desktop\" (((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Folders Quarantined: C:\qoobox\purity\C\Program Files\YSTEM~1 C:\qoobox\purity\C\Program Files\Common Files\SMANTE~1 C:\qoobox\purity\C\Program Files\Common Files\STEM32~1 C:\qoobox\purity\C\WINDOWS\YSTEM3~1 C:\qoobox\purity\C\WINDOWS\system32\RACLE~1 ((((((((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-27 )))))))))))))))))))))))))))))))))) 2008-04-27 13:46 <DIR> d-------- C:\Program Files\MKVTOAVI 2008-04-27 13:35 <DIR> d-------- C:\Avenger 2008-04-27 12:49 <DIR> d-------- C:\WINDOWS\ERUNT 2008-04-22 19:24 0 --ahs---- C:\DOCUME~1\Mom\APPLIC~1\00480e735bb240c3461019295 b35d243c30c3294c4.dat 2008-04-22 19:23 485,888 --a------ C:\DOCUME~1\Mom\installer.exe 2008-04-22 18:02 13,824 --a------ C:\DOCUME~1\Mom\APPLIC~1\jlius.exe 2008-04-10 19:14 3,648 --a------ C:\WINDOWS\system32\xxqgrsjg.dll 2008-04-10 19:13 309,682 --ahs---- C:\WINDOWS\system32\mprCdMoq.ini2 2008-04-10 19:08 50,176 ----s---- C:\WINDOWS\mdm.exe 2008-04-07 17:09 <DIR> d-------- C:\Program Files\iPod 2008-04-01 22:00 <DIR> d-------- C:\DOCUME~1\VALUED~1\APPLIC~1\Ahead (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))) 2008-04-27 19:23:48 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\BitTorrent 2008-04-27 19:16:09 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\DNA 2008-04-07 21:09:49 -------- d-----w C:\Program Files\iTunes 2008-04-07 21:08:48 -------- d-----w C:\Program Files\QuickTime 2008-04-05 17:36:21 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat 2008-03-24 23:15:03 -------- d-----w C:\Program Files\mIRC 2008-03-19 09:47:00 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys 2008-03-14 18:55:37 -------- d-----w C:\Program Files\SUPERAntiSpyware 2008-03-12 02:19:02 -------- d-----w C:\Program Files\Bonjour 2008-03-12 02:07:53 -------- d-----w C:\Program Files\Common Files\Macrovision Shared 2008-03-12 02:01:37 486,108,144 ----a-w C:\ADBEPHSPCS3_WWE.exe 2008-03-01 00:49:58 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\dvdcss 2008-02-29 00:10:58 -------- d-----w C:\Program Files\BitTorrent 2008-02-29 00:10:57 -------- d-----w C:\Program Files\DNA 2008-02-23 18:43:16 -------- d-----w C:\Program Files\Movkit 2008-02-22 06:09:05 -------- d-----w C:\DOCUME~1\VALUED~1\APPLIC~1\vlc 2008-02-22 06:06:56 -------- d-----w C:\Program Files\VideoLAN 2008-02-20 21:15:46 -------- d-----w C:\Program Files\Norton AntiVirus 2008-02-20 21:15:46 -------- d-----w C:\Program Files\Common Files\Symantec Shared 2008-02-20 20:52:04 -------- d-----w C:\Program Files\Symantec 2008-02-20 06:51:05 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll 2008-02-20 05:32:43 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll 2008-02-06 05:40:50 -------- d--h--w C:\Program Files\InstallShield Installation Information 2008-01-29 16:02:30 107,368 ----a-w C:\WINDOWS\system32\GEARAspi.dll (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))) Note empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\Browser Helper Objects] {27EB87B7-2C51-4337-9BBA-794CFC4CB694}=C:\Program Files\Common Files\home83122.dll [] {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04] {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 16:22] "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 22:59] "osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-05 22:22] "watelkj"="C:\WINDOWS\system32\watelkj.exe" [] "o"="C:\WINDOWS\system32\o.exe" [] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51] "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51] "Amok Eggs Four Web"="C:\Documents and Settings\All Users\Application Data\part dead amok eggs\long upload.exe" [] "MODE FREE BIRD SURF"="C:\Documents and Settings\All Users\Application Data\beep axis mode free\Grim third.exe" [2008-04-27 14:54] "ec731d21"="C:\WINDOWS\system32\xffamony.dll" [] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36] "BMef402ebd"="C:\WINDOWS\system32\ycdeixoo.dll " [] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run] "AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 19:35] "Orb"="C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" [2007-12-17 21:02] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 08:00] "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-04 03:11] "logo link"="C:\DOCUME~1\VALUED~1\APPLIC~1\FINDOK~1\Hold Log.exe" [] "BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 01:55] "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06] "NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-10-11 23:25] "mdm"="C:\WINDOWS\mdm.exe" [2008-04-10 19:08] [HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runservices] "watelkj"=C:\WINDOWS\system32\watelkj.exe "o"=C:\WINDOWS\system32\o.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system] "DisableRegedit"=0 (0x0) [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0] C:\Program Files\Internet Explorer\prohdyxe.html [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1] C:\Program Files\ComPlus Applications\prohdyxe.html [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifeefd] iifeefd.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iqdblysv] iqdblysv.dll [HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa] Authentication Packages msv1_0 C:\WINDOWS\system32\qoMdCrpm [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying] C:\Program Files\Web Buying\v1.8.8\webbuying.exe [HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\explorer\mountpoints2\{2454c9f0-95b4-11db-8b11-0015af08fdcc}] AutoRun\command- H:\Programs\nu2menu\nu2menu.exe Newly Created Service -SJYPKT Contents of the 'Scheduled Tasks' folder 2008-04-21 15:48:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job 2008-04-27 17:38:53 C:\WINDOWS\tasks\MP Scheduled Scan.job ************************************************ ************** catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net Rootkit scan 2008-04-27 15:24:17 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ********************************************** **************** Completion time: 2008-04-27 15:26:43 C:\ComboFix-quarantined-files.txt ... 2008-04-27 15:26 C:\ComboFix2.txt ... 2008-04-26 12:44 C:\ComboFix3.txt ... 2008-02-22 02:10 --- E O F ---

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
System Freezes! (HJT log attached)	RPT	Operating Systems	2	10-18-2006 05:20 PM
Operating system SCREWED UP BAD	Playa00	Operating Systems	5	09-24-2006 06:23 AM
duel boot ?	meanman	Operating Systems	13	09-19-2006 09:33 AM
Upgrading my system, need help	dragoon38900	Desktop Computers	14	04-03-2006 04:41 PM
Intel vs. AMD.... what do you prefer?	McG	CPUs and Overclocking	23	11-11-2004 01:38 PM