Please help, hijack and mal log

JamesJimmy

New Member
Numerous windows open up while I am on the internet, with ads for anti-spyware etc.

Malwarebytes' Anti-Malware 1.30
Database version: 1401
Windows 5.1.2600 Service Pack 2

20/11/2008 1:01:00 AM
mbam-log-2008-11-20 (01-01-00).txt

Scan type: Full Scan (C:\|)
Objects scanned: 184674
Time elapsed: 53 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 5
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\wurubawu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\34o213VE.dll (Adware.Agent) -> Delete on reboot.
c:\WINDOWS\system32\nivunaso.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\TypeLib\{00476c87-a276-49bf-86bc-ff005732430b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{99c6d1bb-7555-474c-91da-d8fb62a9cc75} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{e81cf86b-f683-422a-b742-3f2427ea9d6a} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\901e66c8 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm932d5554 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tigezoteti (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: c:\windows\system32\nivunaso.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.BHO) -> Data: system32\nivunaso.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lijaduhi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ihudajil.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wurubawu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\uwaburuw.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\34o213VE.dll (Adware.Agent) -> Delete on reboot.
c:\WINDOWS\system32\nivunaso.dll (Trojan.BHO) -> Delete on reboot.
C:\System Volume Information\_restore{D5B9C491-D20E-40C7-A324-44FB7E1A78A1}\RP731\A0055465.dll (Adware.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D5B9C491-D20E-40C7-A324-44FB7E1A78A1}\RP731\A0055478.sys (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\67m546TC.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:08:31 AM, on 20/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Java\jre1.5.0_10\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\67m546TC.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {8e1d4397-4ee0-49de-8ca5-35a818e53c84} - C:\WINDOWS\system32\gogohowa.dll (file missing)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: NavExcel Toolbar - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: INAC Identity Defender - {06EF399D-109D-4991-B9C0-88D2FC9DDA25} - C:\Program Files\INAC\Identity Defender\INACID.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CPM932d5554] Rundll32.exe "c:\windows\system32\nivunaso.dll",a
O4 - HKLM\..\Run: [tigezoteti] Rundll32.exe "C:\WINDOWS\system32\yenojuje.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunServices: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
O4 - HKLM\..\Policies\Explorer\Run: [issearch.exe] issearch.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [tigezoteti] Rundll32.exe "C:\WINDOWS\system32\yenojuje.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: INAC Identity Defender - {1354F629-7238-495c-8262-EEC830B393CD} - C:\Program Files\INAC\Identity Defender\INACID.dll
O9 - Extra 'Tools' menuitem: INAC Identity Defender - {1354F629-7238-495c-8262-EEC830B393CD} - C:\Program Files\INAC\Identity Defender\INACID.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com/products/swn2004/installers/default/SpyWareNukerInstaller.exe
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7AF47882-331B-4AA3-AFCB-C154F8E9856C} - http://download.lemontonic.com/LemontonicMessenger.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\dakegopu.dll c:\windows\system32\nivunaso.dll
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\system32\urroxtl.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nivunaso.dll
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nivunaso.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
 
Hi JamesJimmy and welcome to ComputerForum.

Malwarebytes' has taken care of a few of the infections, but there's still quite a bit more remaining.

Please download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to C:\SDFix

You may wish to print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please then reboot your computer in Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Please paste the contents of the Report.txt back on the forum in your next reply.

Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log and the SDFix report.
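To make concrete what "quite a bit more remaining" means when reading a log like the one above, here is an added triage script; it is not part of the thread and not a HijackThis or forum tool. It reads HijackThis O2/O4/O20/O21/O22 entries and flags the persistence indicators a helper looks for: orphaned entries, AppInit_DLLs and SSODL/SharedTaskScheduler loaders, Rundll32 used to launch a system32 DLL with a random-looking eight-letter name, bare executable names with no path, and the Policies\Explorer\Run key. The sample entries are copied from the HijackThis log posted above, with two benign ATI lines kept for contrast; the severity levels and the eight-letter name heuristic are this example's own assumptions, not HijackThis output.

```python
"""Triage HijackThis entries for the persistence indicators a helper looks for.

Added example, not part of the thread or of HijackThis. Severity levels and the
eight-letter name heuristic are this script's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

RANK = {"low": 1, "medium": 2, "high": 3}
O4_ENTRY = re.compile(r"^O4 - (?P<loc>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Heuristic only: the Vundo-era DLLs in this thread all have eight random lowercase letters.
RANDOM_STEM = re.compile(r"^[a-z]{8}$")

# Entries copied from the HijackThis log posted above; ATIPTA and the ATI service are benign.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Microsoft DirectX] wuamgrd.exe
O4 - HKLM\..\Run: [CPM932d5554] Rundll32.exe "c:\windows\system32\nivunaso.dll",a
O4 - HKLM\..\Run: [tigezoteti] Rundll32.exe "C:\WINDOWS\system32\yenojuje.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [ishost.exe] ishost.exe
O2 - BHO: (no name) - {8e1d4397-4ee0-49de-8ca5-35a818e53c84} - C:\WINDOWS\system32\gogohowa.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\dakegopu.dll c:\windows\system32\nivunaso.dll
O20 - Winlogon Notify: ssttu - C:\WINDOWS\system32\ssttu.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\nivunaso.dll
O22 - SharedTaskScheduler: {03413bf7-e34c-445b-bfc0-a2b127255871} - incestuously - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
""".strip()


@dataclass
class Finding:
    line: str
    severity: str                       # "low", "medium" or "high"
    reasons: List[str] = field(default_factory=list)

    def flag(self, level: str, why: str) -> None:
        """Record a reason and raise the severity if this indicator is stronger."""
        self.reasons.append(why)
        if RANK[level] > RANK[self.severity]:
            self.severity = level


def _target(cmd: str) -> str:
    """First executable token of an O4 command: the quoted path, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def assess(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    f = Finding(line, "low")
    section = line.split(" - ", 1)[0]          # "O4", "O20", ...
    low = line.lower()

    if "(file missing)" in low or "(no file)" in low:
        f.flag("low", "orphaned: the referenced file is gone, leftover registry debris to clean")
    if section == "O2" and "(no name)" in low:
        f.flag("medium", "unnamed Browser Helper Object loaded into Internet Explorer")
    if section == "O20":
        f.flag("high", "AppInit_DLLs / Winlogon Notify: injected into every GUI process or run at logon")
    if section in ("O21", "O22"):
        f.flag("high", "SSODL / SharedTaskScheduler: started by Explorer; HijackThis hides the Windows defaults, so review")

    m = O4_ENTRY.match(line)
    if m:
        loc, cmd = m["loc"], m["cmd"]
        if "policies\\explorer\\run" in loc.lower():
            f.flag("medium", "Policies\\Explorer\\Run is rarely used by legitimate installers")
        r = RUNDLL.match(cmd)
        if r:
            dll = r["dll"]
            f.flag("medium", f"Rundll32 used as a launcher for {dll}")
            stem = dll.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if "system32" in dll.lower() and RANDOM_STEM.match(stem.lower()):
                f.flag("high", "random-looking eight-letter DLL in system32 (Vundo pattern, heuristic)")
        else:
            target = _target(cmd)
            if target and "\\" not in target:
                f.flag("medium", f"bare filename {target!r}: resolved via the search path, hides where it lives")

    return f if f.reasons else None


def triage(log_text: str) -> List[Finding]:
    """Assess every line of a HijackThis log and keep only the flagged entries."""
    return [fnd for fnd in (assess(entry) for entry in log_text.splitlines()) if fnd]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity level."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for fnd in findings:
        counts[fnd.severity] += 1
    return counts


if __name__ == "__main__":
    for fnd in sorted(triage(SAMPLE_LOG), key=lambda x: -RANK[x.severity]):
        print(f"[{fnd.severity:6}] {fnd.line}")
        for why in fnd.reasons:
            print(f"         - {why}")
```

Run as a script it lists the nine flagged entries with the ATI lines left out; the two Rundll32 Run entries and the four O20/O21/O22 loaders come out "high", which matches the entries the Malwarebytes log above still had marked "Delete on reboot".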
 
My computer seems to be running good now, I appreciate the help.

ComboFix 08-11-19.08 - Ted Ishii 2008-11-20 15:07:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.451 [GMT -8:00]
Running from: c:\documents and settings\Ted Ishii\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ted Ishii\Cookies\mosokicor._dl
c:\documents and settings\Ted Ishii\Cookies\uzirar.vbs
c:\documents and settings\Ted Ishii\Local Settings\Temporary Internet Files\jujenocege.bin
c:\documents and settings\Ted Ishii\Local Settings\Temporary Internet Files\webiqabyk.bin
c:\program files\Common Files\{301E6~1
c:\program files\Common Files\{301E6~1\Uninst.exe
c:\program files\Need2Find
c:\program files\Need2Find\bar\1.bin\N2FFXTBR.JAR
c:\program files\Need2Find\bar\1.bin\N2NTSTBR.JAR
c:\program files\Need2Find\bar\1.bin\PARTNER.DAT
c:\windows\Downloaded Program Files\setup.inf
c:\windows\system32\67m546TC.exe.a_a
c:\windows\system32\amesujaj.ini
c:\windows\system32\buzalevu.dll
c:\windows\system32\components
c:\windows\system32\dakegopu.dll
c:\windows\system32\dowileyi.dll
c:\windows\system32\jajusema.dll
c:\windows\system32\kanolalo.dll
c:\windows\system32\mabemime.dll
c:\windows\system32\TDSSmtvd.dat
c:\windows\system32\uttss.bak1
c:\windows\system32\uttss.bak2
c:\windows\system32\uttss.ini
c:\windows\system32\uttss.ini2
c:\windows\system32\uttss.tmp
c:\windows\system32\vdMtfr16.dll
c:\windows\system32\vetidika.dll
c:\windows\system32\vimopihu.dll
c:\windows\system32\ymante~1
c:\windows\system32\ymante~1\?ymantec\

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 12:04 . 2008-11-20 12:04 <DIR> d-------- c:\windows\ERUNT
2008-11-20 11:54 . 2008-11-20 12:37 <DIR> d-------- C:\SDFix
2008-11-15 14:34 . 2008-11-15 14:34 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-15 14:34 . 2008-11-15 14:34 <DIR> d-------- c:\documents and settings\Ted Ishii\Application Data\Malwarebytes
2008-11-15 14:34 . 2008-11-15 14:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-11-15 14:34 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-15 14:34 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-05 22:51 . 2008-11-05 22:51 230 --a------ c:\windows\system32\spupdsvc.inf
2008-11-03 17:17 . 2008-11-12 01:58 197 --a------ c:\windows\system32\MRT.INI
2008-11-03 17:14 . 2008-11-03 17:14 19,075 --a------ c:\documents and settings\All Users.WINDOWS\Application Data\ideba.pif
2008-11-03 17:14 . 2008-11-03 17:14 18,988 --a------ c:\windows\system32\utywojy.reg
2008-11-03 17:14 . 2008-11-03 17:14 17,683 --a------ c:\documents and settings\Ted Ishii\Application Data\exuxih.vbs
2008-11-03 17:14 . 2008-11-03 17:14 17,277 --a------ c:\windows\system32\emavaryv._sy
2008-11-03 17:14 . 2008-11-03 17:14 15,871 --a------ c:\windows\ulasimyv.pif
2008-11-03 17:14 . 2008-11-03 17:14 15,393 --a------ c:\documents and settings\Ted Ishii\Application Data\qifynehoh.bin
2008-11-03 17:14 . 2008-11-03 17:14 15,007 --a------ c:\program files\Common Files\tupytuqon.dat
2008-11-03 17:14 . 2008-11-03 17:14 14,422 --a------ c:\documents and settings\Ted Ishii\Application Data\oxikiw.vbs
2008-11-03 17:14 . 2008-11-03 17:14 11,921 --a------ c:\program files\Common Files\ubix.vbs
2008-11-03 17:14 . 2008-11-03 17:14 10,591 --a------ c:\program files\Common Files\ihenedavo.bat
2008-10-22 17:36 . 2008-11-15 10:02 1,739 --a------ c:\windows\Sysvxd.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-20 07:56 --------- d-----w c:\program files\Trend Micro
2008-11-06 07:25 --------- d-----w c:\program files\ASUS
2008-11-02 21:55 44,024 ----a-w c:\documents and settings\Ted Ishii\Application Data\GDIPFONTCACHEV1.DAT
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-05 08:13 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-05 08:05 --------- d-----w c:\program files\Microsoft Games
2008-10-05 06:31 --------- d-----w c:\program files\MSN Messenger
2007-07-18 23:08 456,272 ----a-w c:\documents and settings\All Users.WINDOWS\Application Data\pswi_preloaded.exe
2004-12-18 05:46 284 ----a-w c:\documents and settings\Ted Ishii\Application Data\ViewerApp.dat
2004-10-01 23:00 40,960 ----a-w c:\program files\Uninstall_CDS.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 401491]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-05-12 344064]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 58392]
"ezShieldProtector for Px"="c:\windows\System32\ezSP_Px.exe" [2002-08-20 40960]
"CTSysVol"="c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_10\bin\jusched.exe" [2006-11-09 49263]
"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-05-26 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-11-20 185896]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CTHelper"="CTHELPER.EXE" [2003-10-06 c:\windows\system32\CTHELPER.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil9f.exe" [2008-03-24 218496]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-01-05 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 288472]
HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 73728]
Picture Package Menu.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2004-12-07 151552]
Picture Package VCD Maker.lnk - c:\program files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2004-12-07 106496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.DIV3"= DivXc32.dll
"msacm.divxa32"= DivXa32.acm
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"MSACM.CEGSM"= mobilev.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\messenger\\msmsgs.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\TVersity\\Media Server\\TVersity.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\ComboFix\\fdsv.cfexe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwuSchd2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"25827:TCP"= 25827:TCP:BitComet 25827 TCP
"25827:UDP"= 25827:UDP:BitComet 25827 UDP
"10243:TCP"= 10243:TCP:xbox 360
"10284:UDP"= 10284:UDP:xbox 360
"10283:UDP"= 10283:UDP:xbox 360
"10282:UDP"= 10282:UDP:xbox 360
"10281:UDP"= 10281:UDP:xbox 360
"10280:UDP"= 10280:UDP:xbox 360
"41952:TCP"= 41952:TCP:tversity media centre port
"41952:UDP"= 41952:UDP:tversity media centre port

S3 Cap7134;VideoMate TV Capture;c:\windows\system32\DRIVERS\Cap7134.sys [2005-03-11 351456]
S3 ICAM3NT5;Intel USB Video Camera III;c:\windows\system32\Drivers\Icam3.sys [2004-10-03 141056]
S3 oflpydin;oflpydin;\??\c:\docume~1\TEDISH~1\LOCALS~1\Temp\oflpydin.sys []
S3 PhTVTune;VideoMate TV Tuner;c:\windows\system32\DRIVERS\PhTVTune.sys [2005-03-11 19584]
.
Contents of the 'Scheduled Tasks' folder

2008-11-20 c:\windows\Tasks\At1.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At10.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At11.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At12.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At13.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At14.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At15.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-15 c:\windows\Tasks\At16.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At17.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At18.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-07 c:\windows\Tasks\At19.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At2.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-07 c:\windows\Tasks\At20.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-07 c:\windows\Tasks\At21.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-09 c:\windows\Tasks\At22.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-13 c:\windows\Tasks\At23.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At24.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At25.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-20 c:\windows\Tasks\At26.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At27.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At28.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At29.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At3.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At30.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At31.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At32.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At33.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At34.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At35.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-20 c:\windows\Tasks\At36.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At37.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At38.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At39.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At4.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-15 c:\windows\Tasks\At40.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-20 c:\windows\Tasks\At41.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-20 c:\windows\Tasks\At42.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-07 c:\windows\Tasks\At43.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-07 c:\windows\Tasks\At44.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-07 c:\windows\Tasks\At45.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-09 c:\windows\Tasks\At46.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-13 c:\windows\Tasks\At47.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-20 c:\windows\Tasks\At48.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-20 c:\windows\Tasks\At49.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At5.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At50.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At51.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At52.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At53.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At53.job
- ?:\U []

2008-11-19 c:\windows\Tasks\At54.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At55.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At56.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At57.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At58.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At59.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At6.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At60.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At61.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At62.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At63.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-15 c:\windows\Tasks\At64.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-20 c:\windows\Tasks\At65.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-20 c:\windows\Tasks\At66.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-07 c:\windows\Tasks\At67.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-07 c:\windows\Tasks\At68.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-07 c:\windows\Tasks\At69.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At7.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-09 c:\windows\Tasks\At70.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-13 c:\windows\Tasks\At71.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-20 c:\windows\Tasks\At72.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At8.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-19 c:\windows\Tasks\At9.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-_{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
BHO-{8e1d4397-4ee0-49de-8ca5-35a818e53c84} - c:\windows\system32\gogohowa.dll
HKCU-Run-Microsoft DirectX - wuamgrd.exe
HKLM-Run-PHIME2002ASync - c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-PHIME2002A - c:\windows\System32\IME\TINTLGNT\TINTSETP.EXE
HKLM-Run-tigezoteti - c:\windows\system32\yenojuje.dll
HKLM-Run-Microsoft DirectX - wuamgrd.exe
HKLM-RunServices-Microsoft DirectX - wuamgrd.exe
HKU-Default-Run-Microsoft DirectX - wuamgrd.exe
Notify-ssttu - c:\windows\system32\ssttu.dll


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Ted Ishii\Application Data\Mozilla\Firefox\Profiles\hny4zi5o.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 15:16:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\RioMSC.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2008-11-20 15:20:24 - machine was rebooted [Ted Ishii]
ComboFix-quarantined-files.txt 2008-11-20 23:20:21

Pre-Run: 70,363,697,152 bytes free
Post-Run: 71,401,803,776 bytes free

358 --- E O F --- 2008-11-12 09:58:18


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:50 PM, on 20/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\system32\RioMSC.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://login.passport.net/uilogin.srf?id=2
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: INAC Identity Defender - {06EF399D-109D-4991-B9C0-88D2FC9DDA25} - C:\Program Files\INAC\Identity Defender\INACID.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: INAC Identity Defender - {1354F629-7238-495c-8262-EEC830B393CD} - C:\Program Files\INAC\Identity Defender\INACID.dll
O9 - Extra 'Tools' menuitem: INAC Identity Defender - {1354F629-7238-495c-8262-EEC830B393CD} - C:\Program Files\INAC\Identity Defender\INACID.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Files\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {7AF47882-331B-4AA3-AFCB-C154F8E9856C} - http://download.lemontonic.com/LemontonicMessenger.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe

--
End of file - 10029 bytes
 
So far so good, but we're not quite finished yet.

  • Open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code:
    File::
    c:\documents and settings\All Users.WINDOWS\Application Data\ideba.pif
    c:\windows\system32\utywojy.reg
    c:\documents and settings\Ted Ishii\Application Data\exuxih.vbs
    c:\windows\system32\emavaryv._sy
    c:\windows\ulasimyv.pif
    c:\documents and settings\Ted Ishii\Application Data\qifynehoh.bin
    c:\program files\Common Files\tupytuqon.dat
    c:\documents and settings\Ted Ishii\Application Data\oxikiw.vbs
    c:\program files\Common Files\ubix.vbs
    c:\program files\Common Files\ihenedavo.bat
    c:\windows\Sysvxd.exe
    c:\windows\system32\xBG6VgKR.exe 
    c:\windows\system32\67m546TC.exe
    c:\windows\system32\s215WtBU.exe
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At49.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At50.job
    c:\windows\Tasks\At51.job
    c:\windows\Tasks\At52.job
    c:\windows\Tasks\At53.job
    c:\windows\Tasks\At53.job
    c:\windows\Tasks\At54.job
    c:\windows\Tasks\At55.job
    c:\windows\Tasks\At56.job
    c:\windows\Tasks\At57.job
    c:\windows\Tasks\At58.job
    c:\windows\Tasks\At59.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At60.job
    c:\windows\Tasks\At61.job
    c:\windows\Tasks\At62.job
    c:\windows\Tasks\At63.job
    c:\windows\Tasks\At64.job
    c:\windows\Tasks\At65.job
    c:\windows\Tasks\At66.job
    c:\windows\Tasks\At67.job
    c:\windows\Tasks\At68.job
    c:\windows\Tasks\At69.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At70.job
    c:\windows\Tasks\At71.job
    c:\windows\Tasks\At72.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    
    Driver::
    oflpydin
  • Save this as CFScript.txt and change the Save as type to All Files and place it on your desktop.

    [screenshot: CFScriptB-4.gif]

  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
CAUTION:
Do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.
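The CFScript above was built by hand from the ComboFix log: every AtNN.job in c:\windows\Tasks points at one of three random-named executables in system32 (plus one job whose target ComboFix could not resolve), so both the targets and the .job files go into the File:: list. The script below is an added example, not code from this thread or from ComboFix, showing how that triage can be automated: it parses the Tasks block of a ComboFix log, groups the jobs by target, flags the groups that fit the pattern seen here, and emits the File:: section. The SAMPLE_LOG is a short excerpt constructed in the same format as the posted log (the "Vendor App" task is a hypothetical benign entry added for contrast), and the random-name heuristic is an assumption for triage, not a rule ComboFix applies; confirm every flagged path by hand before using it in a real CFScript.

```python
"""Triage the scheduled-task block of a ComboFix log and derive a CFScript
File:: list from it.  Added example; the log excerpt is constructed in the
format of the log posted above and the random-name heuristic is an assumption."""
import re
from collections import defaultdict

# Constructed excerpt in the ComboFix Tasks format: a date and the .job path,
# then a line with the job's target and the target's timestamp.  The last
# entry is a hypothetical benign task used to show the heuristic ignoring it.
SAMPLE_LOG = r"""
2008-11-19 c:\windows\Tasks\At29.job
- c:\windows\system32\67m546TC.exe [2008-11-20 11:15]

2008-11-19 c:\windows\Tasks\At3.job
- c:\windows\system32\xBG6VgKR.exe [2008-09-07 13:11]

2008-11-20 c:\windows\Tasks\At49.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At53.job
- c:\windows\system32\s215WtBU.exe [2008-10-04 00:50]

2008-11-19 c:\windows\Tasks\At53.job
- ?:\U []

2008-11-19 c:\windows\Tasks\VendorUpdate.job
- c:\program files\Vendor App\VendorUpdate.exe [2008-10-01 09:00]
"""

JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.IGNORECASE)
TARGET_RE = re.compile(r"^- (.+?) \[(.*)\]$")
AT_JOB_RE = re.compile(r"\\At\d+\.job$", re.IGNORECASE)  # jobs created with at.exe


def parse_tasks(log_text):
    """Return (job_path, target_path, target_timestamp) tuples from the Tasks
    block.  A job listed twice (At53.job above) yields two tuples; lines that
    fit neither pattern are ignored."""
    tasks = []
    pending_job = None
    for line in log_text.splitlines():
        line = line.rstrip()
        m = JOB_RE.match(line)
        if m:
            pending_job = m.group(2)
            continue
        m = TARGET_RE.match(line)
        if m and pending_job:
            tasks.append((pending_job, m.group(1), m.group(2)))
            pending_job = None
    return tasks


def looks_random(stem):
    """Heuristic (assumption): a 6-10 character stem mixing digits with upper-
    and lower-case letters, like 67m546TC or xBG6VgKR, is treated as generated.
    It produces false positives on some legitimate names, so it is only used
    together with the AtNN.job name and the system32 location."""
    if not 6 <= len(stem) <= 10:
        return False
    return (any(c.isdigit() for c in stem)
            and any(c.isupper() for c in stem)
            and any(c.islower() for c in stem))


def flag_tasks(tasks):
    """Group .job files by target and keep the groups that match the pattern in
    the log: an at.exe-style job whose target is unresolved or is a
    random-looking executable under system32.  Returns {target: [jobs]}."""
    by_target = defaultdict(set)
    for job, target, _stamp in tasks:
        by_target[target].add(job)
    flagged = {}
    for target, jobs in by_target.items():
        if not any(AT_JOB_RE.search(j) for j in jobs):
            continue
        stem = target.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        unresolved = not target.lower().endswith(".exe")
        in_system32 = "\\system32\\" in target.lower()
        if unresolved or (in_system32 and looks_random(stem)):
            flagged[target] = sorted(jobs, key=str.lower)
    return flagged


def build_cfscript(tasks):
    """Emit the File:: section of a CFScript: each flagged executable, then each
    .job that referenced one, every path listed once (the duplicate At53.job
    entry in the log collapses to a single line)."""
    flagged = flag_tasks(tasks)
    executables = sorted((t for t in flagged if t.lower().endswith(".exe")), key=str.lower)
    jobs = sorted({j for js in flagged.values() for j in js}, key=str.lower)
    return "File::\n" + "\n".join(executables + jobs) + "\n"


if __name__ == "__main__":
    print(build_cfscript(parse_tasks(SAMPLE_LOG)))
```

Run it against the Tasks block copied out of a real ComboFix log to get the candidate File:: list; anything the heuristic flags still needs a manual look, and the ComboFix-resolved target timestamps (the bracketed dates) are useful there, since the same target reused by dozens of jobs created on different days is the tell that a scheduler-based reinfection loop is in place.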