Malwarebytes

Can't download MBAM.exe, HijackThis log.

11 replies to this topic

#1
MANDA

    New Member

  • Members
  • 9 posts
I have viruses called Artemis and Vundo. I use McAfee antivirus. I was able to download HijackThis and have a log; I don't know if that could be of any help with my problem. I was recommended to download Malwarebytes, but when I did I got a message that mbam.exe was unable to be found. Here's my log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:41:38 PM, on 10/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\dllhost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptsn.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: (no name) - {b227d665-405d-437b-aadc-876c4882dea5} - kimulizi.dll (file missing)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [lphcl84j0epbj] C:\WINDOWS\system32\lphcl84j0epbj.exe
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [fawiyumoz] Rundll32.exe "c:\windows\system32\wowinule.dll",a
O4 - HKLM\..\Run: [fovuzevevo] Rundll32.exe "yorefenu.dll",s
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [zuwi] C:\PROGRA~1\COMMON~1\zuwi\zuwim.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [tiviu] C:\WINDOWS\system32\xtkptc.exe reg_run (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{A4BC867B-0AE9-1033-1008-050412200001}] "C:\Program Files\Common Files\{A4BC867B-0AE9-1033-1008-050412200001}\Update.exe" mc-110-12-0000509 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [zuwi] C:\PROGRA~1\COMMON~1\zuwi\zuwim.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{A4BC867B-0AE9-1033-1008-050412200001}] "C:\Program Files\Common Files\{A4BC867B-0AE9-1033-1008-050412200001}\Update.exe" mc-110-12-0000509 (User 'Default user')
O4 - S-1-5-18 Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe (User 'Default user')
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.whataboutadog.com
O15 - Trusted Zone: *.whataboutarabit.com
O16 - DPF: {400429E4-BED4-472E-93BF-F85AB8565DFF} - http://www.terp17.com/ax/axo.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemed...s/eliteview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab
O18 - Filter hijack: text/html - {9cf9032e-1de7-42e4-82ba-3ce8262a9b34} - (no file)
O20 - AppInit_DLLs: c:\windows\system32\wowinule.dll,nusoyeta.dll
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\
O21 - SSODL: remabikoy - {f65753e3-606a-4bd9-99a8-04eaab3aebef} - c:\windows\system32\wowinule.dll
O22 - SharedTaskScheduler: mujuzedij - {f65753e3-606a-4bd9-99a8-04eaab3aebef} - c:\windows\system32\wowinule.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8642 bytes

#2
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix when you've accomplished that.
sUBs
Research Engineer

Follow us: Twitter, Become a fan: Facebook

#3
MANDA

    New Member

  • Members
  • 9 posts
ComboFix 09-10-14.04 - Amanda 10/14/2009 20:29.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.258 [GMT -4:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Documents\buhy.inf
c:\documents and settings\Amanda\Application Data\kodog.reg
c:\documents and settings\Amanda\Application Data\Sskdmns.dll
c:\documents and settings\Amanda\Application Data\toboroh.inf
c:\documents and settings\Amanda\Cookies\abomomameg.lib
c:\documents and settings\Amanda\Cookies\asubihy.db
c:\documents and settings\Amanda\Cookies\epabaleh._sy
c:\documents and settings\Amanda\Cookies\gaquj.inf
c:\documents and settings\Amanda\Cookies\isamose.com
c:\documents and settings\Amanda\Cookies\omykezypi._sy
c:\documents and settings\Amanda\Cookies\qigodypa.bat
c:\documents and settings\Amanda\Cookies\roxosacufo.pif
c:\documents and settings\Amanda\Cookies\urykariz.dl
c:\documents and settings\Amanda\Cookies\voqurew.dat
c:\documents and settings\Amanda\Cookies\yjedekyweq.db
c:\documents and settings\Amanda\Cookies\yzyrun.vbs
c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\hyvyqocacu.reg
c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\ijibajener.lib
c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\pybowy.bat
c:\documents and settings\Amanda\Local Settings\Temporary Internet Files\yvafof.dll
c:\documents and settings\LocalService\Local Settings\Temporary Internet Files\Ssk.log
c:\documents and settings\LocalService\Start Menu\Programs\UCmore - The Search Accelerator
c:\documents and settings\LocalService\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk
c:\progra~1\COMMON~1\{A4BC8~1
c:\program files\Common Files\misc002
c:\program files\pslister
c:\program files\pslister\Uninstall.exe
c:\program files\Windows Police Pro
c:\program files\Windows Police Pro\msvcm80.dll
c:\program files\Windows Police Pro\msvcp80.dll
c:\program files\Windows Police Pro\msvcr80.dll
c:\recycler\NPROTECT
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\bkR11
c:\temp\bkR11\ftCa.log
c:\temp\tn3
c:\windows\aqin._sy
c:\windows\duliqu.dll
c:\windows\ibacamon.dll
c:\windows\ihotilefi._sy
c:\windows\inub.inf
c:\windows\kb913800.exe
c:\windows\oxubuhatap.reg
c:\windows\polaxuqoha.dll
c:\windows\system32\apadeirk.ini
c:\windows\system32\appaghgc.ini
c:\windows\system32\blwagplf.ini
c:\windows\system32\ckwksxgf.ini
c:\windows\system32\crunner
c:\windows\system32\crunner\cproc.exe.config
c:\windows\system32\crunner\cupdater.exe.config
c:\windows\system32\crunner\ICSharpCode.SharpZipLib.dll
c:\windows\system32\crunner\Version.txt
c:\windows\system32\cvqsfxcf.ini
c:\windows\system32\dgoivwbb.ini
c:\windows\system32\dmsadaue.ini
c:\windows\system32\dviykotg.ini
c:\windows\system32\efihiq.vbs
c:\windows\system32\fjdcpdlm.ini
c:\windows\system32\hgjlm.ini
c:\windows\system32\hgjlm.ini2
c:\windows\system32\howenuze.dll
c:\windows\system32\ikoqurlv.ini
c:\windows\system32\jdjuboen.ini
c:\windows\system32\jhpyrkoo.ini
c:\windows\system32\jlptkowq.ini
c:\windows\system32\jycejihag.vbs
c:\windows\system32\migeewlr.ini
c:\windows\system32\mubodigi.dll
c:\windows\system32\mwbjiydn.ini
c:\windows\system32\nusoyeta.dll
c:\windows\system32\nyirwljd.ini
c:\windows\system32\otqnxgcv.ini
c:\windows\system32\pgfqsnfv.ini
c:\windows\system32\posinobo.dll
c:\windows\system32\pump.exe
c:\windows\system32\qmsbcttu.ini
c:\windows\system32\rdvwxvxi.ini
c:\windows\system32\rerdjqqv.ini
c:\windows\system32\swsllsot.ini
c:\windows\system32\uscjuudb.ini
c:\windows\system32\uvnjoikh.ini
c:\windows\system32\uxgsncwk.ini
c:\windows\system32\vltxshyi.ini
c:\windows\system32\wyonmqtr.ini
c:\windows\system32\xkyilmiq.ini
c:\windows\system32\yorefenu.dll
c:\windows\uhepohal.dll
c:\windows\yzumovesam.scr

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Legacy_RUNDLL.EXE
-------\Legacy_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((( Files Created from 2009-09-15 to 2009-10-15 )))))))))))))))))))))))))))))))
.

2009-10-15 00:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 00:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 18:39 . 2009-10-14 18:39 -------- d-----w- c:\program files\Trend Micro
2009-10-14 17:11 . 2009-10-14 17:11 693760 ----a-w- c:\windows\is-K6BIJ.exe
2009-10-14 17:05 . 2009-10-15 00:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-14 11:55 . 2009-10-14 12:07 -------- d-----w- c:\documents and settings\All Users\Application Data\40021007
2009-10-13 14:37 . 2009-10-13 14:37 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\AIM
2009-09-20 03:32 . 2009-09-20 03:32 -------- d-sh--w- c:\documents and settings\Debbie\PrivacIE
2009-09-20 03:04 . 2009-09-20 03:04 -------- d-----w- c:\documents and settings\Debbie\Application Data\acccore
2009-09-20 03:02 . 2009-09-20 03:02 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\AOL OCP
2009-09-20 03:02 . 2009-09-20 03:02 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-14 00:28 . 2008-12-16 01:42 -------- d-----w- c:\documents and settings\Debbie\Application Data\LimeWire
2009-09-29 21:39 . 2006-05-20 06:10 -------- d-----w- c:\program files\McAfee
2009-09-17 16:38 . 2006-05-20 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-15 00:47 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\Amanda\Application Data\Malwarebytes
2009-09-15 00:47 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 00:03 . 2009-09-14 00:03 -------- d-----w- c:\documents and settings\Amanda\Application Data\McAfee
2009-09-13 23:17 . 2009-09-13 23:17 19439 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\uhivol.scr
2009-09-13 23:17 . 2009-09-13 23:17 19084 ----a-w- c:\windows\azygagazy.com
2009-09-13 23:17 . 2009-09-13 23:17 13685 ----a-w- c:\documents and settings\Amanda\Application Data\jesimuboq.dat
2009-09-13 23:17 . 2009-09-13 23:17 10666 ----a-w- c:\documents and settings\Amanda\Application Data\tawib.dll
2009-09-13 16:59 . 2009-09-13 16:59 17438 ----a-w- c:\program files\Common Files\lilano.pif
2009-09-13 16:59 . 2009-09-13 16:59 17235 ----a-w- c:\documents and settings\All Users\Application Data\kekiqasety.dat
2009-09-13 16:59 . 2009-09-13 16:59 17036 ----a-w- c:\documents and settings\Amanda\Application Data\loqu.dll
2009-09-13 16:59 . 2009-09-13 16:59 15882 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\hygiza.scr
2009-09-13 16:59 . 2009-09-13 16:59 12438 ----a-w- c:\windows\labojuju.com
2009-09-13 16:59 . 2009-09-13 16:59 12096 ----a-w- c:\windows\dytojo.com
2009-08-27 19:23 . 2006-12-17 03:52 -------- d-----w- c:\program files\AIM6
2009-08-27 19:22 . 2006-12-17 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-27 19:21 . 2006-12-17 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-08-05 09:01 . 2005-08-16 08:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 18:22 . 2006-05-27 22:19 96616 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 22:45 . 2009-06-28 00:17 33061 ----a-w- c:\windows\king-uninstall.exe
2009-07-25 09:23 . 2009-06-10 23:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 14:35 . 2006-05-27 22:19 8404 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-17 19:01 . 2005-08-16 08:18 58880 ----a-w- c:\windows\system32\atl.dll
1989-12-12 14:10 . 2006-08-27 00:13 550000 --sh--r- c:\windows\knpiqba.exe
2007-03-10 18:23 . 2007-03-10 18:23 56 --sh--r- c:\windows\system32\399DCE404B.sys
2006-06-14 22:21 . 2006-06-14 22:21 56 --sh--r- c:\windows\system32\7FC3E94890.sys
2006-06-02 02:30 . 2006-05-27 22:19 88 --sh--r- c:\windows\system32\D438FE4D12.sys
2009-07-14 11:55 . 2009-07-14 11:55 52224 --sha-w- c:\windows\system32\jijuwajo.dll
2009-07-14 11:57 . 2009-07-14 11:57 52224 --sha-w- c:\windows\system32\kimulizi.dll
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2004-12-13 19:30 . 2007-01-09 22:32 58984 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

2007-06-01 20:51 . 2007-06-01 20:51 257088 c:\program files\iTunes\bak\iTunesHelper.exe
2009-04-02 20:11 . 2009-04-02 20:11 342312 c:\program files\iTunes\iTunesHelper.exe

2001-08-16 21:52 . 2001-08-16 21:52 74832 c:\program files\Norton SystemWorks\Norton AntiVirus\bak\navapw32.exe

2007-04-27 13:41 . 2007-04-27 13:41 282624 c:\program files\QuickTime\bak\qttask.exe
2009-01-05 20:18 . 2009-01-05 20:18 413696 c:\program files\QuickTime\QTTask.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b227d665-405d-437b-aadc-876c4882dea5}]
2009-07-14 11:57 52224 --sha-w- c:\windows\system32\kimulizi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-05 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Aim6"="" [N/A]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcl84j0epbj"="c:\windows\system32\lphcl84j0epbj.exe" [N/A]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [N/A]
"fawiyumoz"="c:\windows\system32\howenuze.dll" [N/A]
"fovuzevevo"="yorefenu.dll" [N/A]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zuwi"="c:\progra~1\COMMON~1\zuwi\zuwim.exe" [N/A]
"tiviu"="c:\windows\system32\xtkptc.exe" [N/A]

[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{A4BC867B-0AE9-1033-1008-050412200001}"="c:\program files\Common Files\{A4BC867B-0AE9-1033-1008-050412200001}\Update.exe" [N/A]

c:\documents and settings\Amanda\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Motorola\\iDEN WebJAL\\WebJAL.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-09-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 01:26]

2009-09-17 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com
.
.
------- File Associations -------
.
.
- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{f65753e3-606a-4bd9-99a8-04eaab3aebef} - c:\windows\system32\wowinule.dll
SharedTaskScheduler-{8564bb19-855a-4a5e-af83-06401f4aade9} - c:\windows\system32\howenuze.dll
SSODL-remabikoy-{f65753e3-606a-4bd9-99a8-04eaab3aebef} - c:\windows\system32\wowinule.dll
SSODL-tuvahasal-{8564bb19-855a-4a5e-af83-06401f4aade9} - c:\windows\system32\howenuze.dll
Notify-CSCSettings - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-14 20:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1680)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-10-15 21:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-15 01:15

Pre-Run: 16,938,229,760 bytes free
Post-Run: 17,203,228,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

332 --- E O F --- 2009-09-10 07:05
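
Added example (not part of the original post, and not ComboFix or Malwarebytes code): the "Reg Loading Points" section of the ComboFix log above shows the Security Center override and DisableMonitoring values set to 1, the standard-profile firewall set to 0, and TCP 3389 opened in the firewall policy, which is the pattern a rogue antivirus leaves behind. The Python below parses that REGEDIT4-style block and reports those tamper indicators. The sample dump is copied from the log, the clean dump is constructed for contrast, and the tamper rules are my own assumptions.

```python
"""Audit Security Center / firewall policy values in a ComboFix-style
registry dump (added example; not ComboFix or Malwarebytes code).

Format handled: "[key]" headers followed by "name"=value lines, where a
value is dword:XXXXXXXX, "N (0xN)" as ComboFix prints firewall values, or
plain text.  The tamper rules below are assumptions.
"""
import re
from typing import Dict, List, Union

RegValue = Union[int, str]

# Constructed sample: the Security Center and firewall keys from the log
# above, plus one unrelated Run key to show that it is ignored.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-05 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

# Constructed for contrast: overrides off, firewall on, no open ports.
CLEAN_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 1 (0x1)
"""

_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<val>.*)$')
_DECIMAL_WITH_HEX = re.compile(r"^(\d+)\s*\(0x[0-9a-fA-F]+\)$")


def _parse_value(val: str) -> RegValue:
    val = val.strip()
    if val.startswith("dword:"):
        return int(val[len("dword:"):], 16)
    m = _DECIMAL_WITH_HEX.match(val)
    if m:
        return int(m.group(1))
    return val  # strings and empty (name=) entries stay as text


def parse_reg_dump(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Map each [key] to its "name"=value entries; '@=' default values are skipped."""
    keys: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        km = _KEY.match(line)
        if km:
            current = km.group("key")
            keys.setdefault(current, {})
            continue
        vm = _VALUE.match(line)
        if vm and current is not None:
            keys[current][vm.group("name")] = _parse_value(vm.group("val"))
    return keys


def audit_security_center(dump: str) -> List[str]:
    """Return one message per tamper indicator found in the dump."""
    findings: List[str] = []
    for key, values in parse_reg_dump(dump).items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == 1:
                    findings.append(f"{name}=1: Security Center alerts for this component are suppressed")
        elif "\\security center\\monitoring" in k and values.get("DisableMonitoring") == 1:
            product = key.rsplit("\\", 1)[-1]
            if product.lower() == "monitoring":
                product = "all products"
            findings.append(f"DisableMonitoring=1 under {product}: Security Center no longer tracks this product")
        elif k.endswith("\\firewallpolicy\\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append("EnableFirewall=0: Windows Firewall disabled for the standard profile")
        elif k.endswith("\\globallyopenports\\list"):
            for name in values:
                port, proto = name.split(":", 1)
                label = " (Remote Desktop)" if port == "3389" else ""
                findings.append(f"port {port}/{proto}{label} opened to all networks in the firewall policy")
    return findings


if __name__ == "__main__":
    for msg in audit_security_center(SAMPLE_DUMP):
        print(msg)
```

Against the sample dump this reports nine indicators (two overrides, five disabled monitors, the disabled firewall and the open RDP port) and nothing for the clean dump; the same checks can be run live on an XP box by reading the same keys, which is what ComboFix's SECCENTER:: directive in the next reply is there to reset.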

#4
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
Open NOTEPAD and copy/paste the text in the quotebox below into it:

http://www.malwarebytes.org/forums/index.php?showtopic=27822
COLLECT::
c:\windows\is-K6BIJ.exe
c:\windows\knpiqba.exe
c:\windows\system32\jijuwajo.dll
c:\windows\system32\kimulizi.dll
FOLDER::
c:\documents and settings\All Users\Application Data\40021007
c:\program files\Common Files\Symantec Shared\bak
c:\program files\iTunes\bak
c:\program files\Norton SystemWorks\Norton AntiVirus\bak
c:\program files\QuickTime\bak
FILE::
c:\documents and settings\Amanda\Local Settings\Application Data\uhivol.scr
c:\windows\azygagazy.com
c:\documents and settings\Amanda\Application Data\jesimuboq.dat
c:\documents and settings\Amanda\Application Data\tawib.dll
c:\Program Files\Common Files\lilano.pif
c:\documents and settings\All Users\Application Data\kekiqasety.dat
c:\documents and settings\Amanda\Application Data\loqu.dll
c:\documents and settings\Amanda\Local Settings\Application Data\hygiza.scr
c:\windows\labojuju.com
c:\windows\dytojo.com
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b227d665-405d-437b-aadc-876c4882dea5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lphcl84j0epbj"=-
"Malwarebytes Anti-Malware (reboot)"=-
"fawiyumoz"=-
"fovuzevevo"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"zuwi"=-
"tiviu"=-
[HKEY_USERS\.DEFAULT\software\microsoft\windows\Currentversion\policies\explorer\Run]
"{A4BC867B-0AE9-1033-1008-050412200001}"=-
SECCENTER::
FW: Norton AntiVirus *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
DDS::
Trusted Zone: whataboutadog.com
Trusted Zone: whataboutarabit.com

Save this as "CFScript"


[Image: CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file at C:\Qoobox\Quarantine\[4]Submit@Date_Time.zip.
Before proceeding to the next step, please submit this file to http://www.bleepingc...e.php?channel=4


---------------


ESET Online Scanner
  • Please go to the following link ESET Online Scanner Link
  • Tick the box YES, I accept the Terms Of Use
  • Click the Start button
  • Now click the Install button
  • Click Start

    The scanner engine will initialise and update

  • Do Not tick the box Remove found threats
  • Click the Scan button

    The scan will now run, please be patient

  • When the scan finishes click the Details tab
  • Copy and paste the contents of the C:\Program Files\EsetOnlineScanner\log.txt back here.


---------------


In your next post, please include fresh logs from:
  • Online scan
  • ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps, and update us on how the computer behaves now.

sUBs
Research Engineer


#5
MANDA

    New Member

  • Members
  • 9 posts
I saved what you told me to save and dragged it into ComboFix; the blue screen appeared and then stopped at "Please wait". I left it on overnight because it was taking so long; when I woke up it was still saying the same thing. I disabled my antivirus and now my computer has gotten WAY WORSE! I have no desktop icons and the desktop is completely white. I have the Start menu. I ran my antivirus again and it says it took care of the virus, but I know that it hasn't, because of the obvious reasons. I'm unsure what I should do. There are no other ways of ridding my computer of this INFECTION! PLEASE HELP!

#6
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts

Quote: "the blue screen appeared and then stopped at please wait."
Run it once more BUT this time, when it hangs at the "Please wait" bit, launch Task Manager and tell me which processes are running.
sUBs
Research Engineer


#7
MANDA

    New Member

  • Members
  • 9 posts
I was able to run ComboFix with the code you gave me. I was able to get the log, but I don't know how to find the zip file that I had to send to that link. I was also able to do the ESET Online Scanner. I have both logs.

COMBOFIX LOG {after code}

ComboFix 09-10-14.04 - Amanda 10/16/2009 13:13.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.195 [GMT -4:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amanda\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\All Users\Application Data\kekiqasety.dat"
"c:\documents and settings\Amanda\Application Data\jesimuboq.dat"
"c:\documents and settings\Amanda\Application Data\loqu.dll"
"c:\documents and settings\Amanda\Application Data\tawib.dll"
"c:\documents and settings\Amanda\Local Settings\Application Data\hygiza.scr"
"c:\documents and settings\Amanda\Local Settings\Application Data\uhivol.scr"
"c:\program files\Common Files\lilano.pif"
"c:\windows\azygagazy.com"
"c:\windows\dytojo.com"
"c:\windows\labojuju.com"

file zipped: c:\windows\is-K6BIJ.exe
file zipped: c:\windows\knpiqba.exe
file zipped: c:\windows\system32\jijuwajo.dll
file zipped: c:\windows\system32\kimulizi.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\17475428
c:\documents and settings\All Users\Application Data\17475428\17475428.exe
c:\documents and settings\All Users\Application Data\40021007
c:\documents and settings\All Users\Application Data\40021007\40021007.bat
c:\documents and settings\All Users\Application Data\kekiqasety.dat
c:\documents and settings\Amanda\Application Data\jesimuboq.dat
c:\documents and settings\Amanda\Application Data\loqu.dll
c:\documents and settings\Amanda\Application Data\tawib.dll
c:\documents and settings\Amanda\Desktop\Security Tool.lnk
c:\documents and settings\Amanda\Local Settings\Application Data\hygiza.scr
c:\documents and settings\Amanda\Local Settings\Application Data\uhivol.scr
c:\program files\Common Files\lilano.pif
c:\program files\Common Files\Symantec Shared\bak
c:\program files\Common Files\Symantec Shared\bak\ccApp.exe
c:\program files\iTunes\bak
c:\program files\iTunes\bak\iTunesHelper.exe
c:\program files\Norton SystemWorks\Norton AntiVirus\bak
c:\program files\Norton SystemWorks\Norton AntiVirus\bak\navapw32.exe
c:\program files\QuickTime\bak
c:\program files\QuickTime\bak\qttask.exe
c:\windows\azygagazy.com
c:\windows\dytojo.com
c:\windows\is-K6BIJ.exe
c:\windows\knpiqba.exe
c:\windows\labojuju.com
c:\windows\system32\dayahiba.dll
c:\windows\system32\fudoneze.dll
c:\windows\system32\jijuwajo.dll
c:\windows\system32\kimulizi.dll
c:\windows\system32\lufuyuko.dll
c:\windows\system32\suhalewo.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-16 to 2009-10-16 )))))))))))))))))))))))))))))))
.

2009-10-16 01:29 . 2009-10-16 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\83633831
2009-10-15 00:20 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-15 00:20 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-14 18:39 . 2009-10-14 18:39 -------- d-----w- c:\program files\Trend Micro
2009-10-14 17:05 . 2009-10-15 00:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 14:37 . 2009-10-13 14:37 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\AIM
2009-09-20 03:32 . 2009-09-20 03:32 -------- d-sh--w- c:\documents and settings\Debbie\PrivacIE
2009-09-20 03:04 . 2009-09-20 03:04 -------- d-----w- c:\documents and settings\Debbie\Application Data\acccore
2009-09-20 03:02 . 2009-09-20 03:02 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\AOL OCP
2009-09-20 03:02 . 2009-09-20 03:02 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 17:20 . 2006-12-09 02:44 -------- d-----w- c:\program files\iTunes
2009-10-14 00:28 . 2008-12-16 01:42 -------- d-----w- c:\documents and settings\Debbie\Application Data\LimeWire
2009-09-29 21:39 . 2006-05-20 06:10 -------- d-----w- c:\program files\McAfee
2009-09-17 16:38 . 2006-05-20 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-15 00:47 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\Amanda\Application Data\Malwarebytes
2009-09-15 00:47 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 00:03 . 2009-09-14 00:03 -------- d-----w- c:\documents and settings\Amanda\Application Data\McAfee
2009-08-27 19:23 . 2006-12-17 03:52 -------- d-----w- c:\program files\AIM6
2009-08-27 19:22 . 2006-12-17 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-27 19:21 . 2006-12-17 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-08-05 09:01 . 2005-08-16 08:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-27 18:22 . 2006-05-27 22:19 96616 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 22:45 . 2009-06-28 00:17 33061 ----a-w- c:\windows\king-uninstall.exe
2009-07-25 09:23 . 2009-06-10 23:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 14:35 . 2006-05-27 22:19 8404 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-03-10 18:23 . 2007-03-10 18:23 56 --sh--r- c:\windows\system32\399DCE404B.sys
2006-06-14 22:21 . 2006-06-14 22:21 56 --sh--r- c:\windows\system32\7FC3E94890.sys
2009-07-16 13:29 . 2009-07-16 13:29 1111915 --sha-w- c:\windows\system32\badebusu.exe
2006-06-02 02:30 . 2006-05-27 22:19 88 --sh--r- c:\windows\system32\D438FE4D12.sys
2009-07-16 01:29 . 2009-07-16 01:29 88576 --sha-w- c:\windows\system32\noyijoyo.dll
2009-07-15 13:28 . 2009-07-15 13:28 88576 --sha-w- c:\windows\system32\suteniro.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_00.50.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-16 17:23 . 2009-10-16 17:23 16384 c:\windows\Temp\Perflib_Perfdata_3a8.dat
+ 2006-05-26 00:59 . 2009-10-16 16:17 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-26 00:59 . 2009-10-14 21:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-05-26 00:59 . 2009-10-16 16:17 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-05-26 00:59 . 2009-10-14 21:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-10-15 01:51 . 2009-10-16 16:17 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-05-26 00:59 . 2009-10-14 21:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-05 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\Amanda\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Motorola\\iDEN WebJAL\\WebJAL.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 01:26]

2009-09-17 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-17475428 - c:\docume~1\ALLUSE~1\APPLIC~1\17475428\17475428.exe
SharedTaskScheduler-{7e908faf-0089-43cc-9d72-1082ce645de4} - c:\windows\system32\fudoneze.dll
SSODL-leyobusuw-{7e908faf-0089-43cc-9d72-1082ce645de4} - c:\windows\system32\fudoneze.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 13:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1104)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\McAfee\MNA\McNASvc.exe
c:\progra~1\COMMON~1\McAfee\McProxy\McProxy.exe
c:\progra~1\McAfee\VIRUSS~1\Mcshield.exe
c:\program files\McAfee\MPF\MpfSrv.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\progra~1\McAfee.com\Agent\mcagent.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Viewpoint\Common\ViewpointService.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\windows\system32\dllhost.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\SoftwareDistribution\Download\8fa1ad7968e63408057364ad07aa482c\update\update.exe
.
**************************************************************************
.
Completion time: 2009-10-16 13:48 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-16 17:47
ComboFix2.txt 2009-10-15 01:15

Pre-Run: 17,178,488,832 bytes free
Post-Run: 17,079,230,464 bytes free

249 --- E O F --- 2009-09-10 07:05



ESET ONLINE SCANNER LOG

C:\Documents and Settings\Amanda\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6553fc85-1aa086ce.zip Java/Exploit.Bytverify trojan
C:\Program Files\Common Files\zuwi\zuwid\vocabulary Win32/TrojanDownloader.TSUpdate.J trojan
C:\Qoobox\Quarantine\[4]-Submit_2009-10-16_13.13.14.zip a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\system32\apadeirk.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\appaghgc.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\blwagplf.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\ckwksxgf.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\cvqsfxcf.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\dayahiba.dll.vir a variant of Win32/KillAV.NFZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\dgoivwbb.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\dmsadaue.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\dviykotg.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\fjdcpdlm.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgjlm.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\hgjlm.ini2.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\ikoqurlv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\jdjuboen.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\jhpyrkoo.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\jlptkowq.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\lufuyuko.dll.vir a variant of Win32/KillAV.NFZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\migeewlr.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\mubodigi.dll.vir a variant of Win32/KillAV.NFZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\mwbjiydn.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\nusoyeta.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\Qoobox\Quarantine\C\WINDOWS\system32\nyirwljd.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\otqnxgcv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\pgfqsnfv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\qmsbcttu.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\rdvwxvxi.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\rerdjqqv.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\suhalewo.dll.vir a variant of Win32/KillAV.NFZ trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\swsllsot.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\uscjuudb.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\uvnjoikh.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\uxgsncwk.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\vltxshyi.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\wyonmqtr.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\xkyilmiq.ini.vir Win32/Adware.Virtumonde.NEO application
C:\Qoobox\Quarantine\C\WINDOWS\system32\yorefenu.dll.vir a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054814.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054815.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054816.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054817.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054821.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054822.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054823.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054824.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054826.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054827.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054828.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054829.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054830.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054831.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054833.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054834.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054835.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054836.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054837.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054838.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054841.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054842.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054843.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054844.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054845.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054846.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054847.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054848.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054849.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054850.ini Win32/Adware.Virtumonde.NEO application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP490\A0054851.dll a variant of Win32/Adware.SuperJuan.H application
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0056067.dll a variant of Win32/KillAV.NFZ trojan
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP491\A0056068.dll a variant of Win32/KillAV.NFZ trojan
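
The Reg Loading Points section of the ComboFix log above shows Security Center overrides, monitoring disabled for the installed AV and firewall products, the Windows Firewall turned off and TCP 3389 globally open. As an added example that is not from the thread or from ComboFix, the following Python script parses that REGEDIT4-style section (the sample excerpt is copied from the log above) and flags those tampering indicators so a responder can revert them after cleanup:

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log for settings that
silence Security Center or open the firewall. Added example, not ComboFix's
own code; the excerpt below is taken from the registry lines in the log above."""
import re

# Excerpt of the REGEDIT4-style section as ComboFix prints it.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-05 39408]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*?)\s*$')


def parse_reg_blocks(text):
    """Return {key_path: {value_name: raw_value}} from REGEDIT4-style text."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            blocks.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            blocks[current][m.group("name")] = m.group("value")
    return blocks


def _dword(raw):
    """'dword:00000001' -> 1; ComboFix's '0 (0x0)' form -> 0; otherwise None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})", raw)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x", raw)
    if m:
        return int(m.group(1))
    return None


# Security Center values that, when set to 1, hide AV/firewall state from the user.
OVERRIDE_NAMES = ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")


def find_tampering(blocks):
    """List human-readable findings for Security Center and firewall tampering."""
    findings = []
    for key, values in blocks.items():
        k = key.lower()
        if "security center" in k:
            for name, raw in values.items():
                if name in OVERRIDE_NAMES and _dword(raw) == 1:
                    findings.append(f"{name}=1 under {key}")
        if "firewallpolicy" in k and _dword(values.get("EnableFirewall", "")) == 0:
            findings.append(f"Windows Firewall disabled under {key}")
        if k.endswith("globallyopenports\\list"):
            for name in values:
                findings.append(f"globally open port {name} under {key}")
    return findings


if __name__ == "__main__":
    for finding in find_tampering(parse_reg_blocks(SAMPLE_LOG)):
        print("[!]", finding)
```

Each finding maps to a key the responder should reset once the KillAV components are gone; the overrides alone explain why Security Center stayed silent while McAfee's on-access scanning was disabled.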

#8
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts
Keep your internet connection on when you run this. If ComboFix asks to update, allow it to do so.

Please run this new CF-Script
http://www.malwarebytes.org/forums/index.php?showtopic=27822&st=0&#entry144337
COLLECT::
c:\windows\system32\badebusu.exe
c:\windows\system32\noyijoyo.dll
c:\windows\system32\suteniro.dll
FILE::
C:\Documents and Settings\Amanda\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6553fc85-1aa086ce.zip
FOLDER::
C:\Program Files\Common Files\zuwi

sUBs
Research Engineer


#9
MANDA

    New Member

  • Members
  • 9 posts
ComboFix 09-10-16.09 - Amanda 10/16/2009 22:50.3.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.211 [GMT -4:00]
Running from: c:\documents and settings\Amanda\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Amanda\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\documents and settings\Amanda\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6553fc85-1aa086ce.zip"

file zipped: c:\windows\system32\noyijoyo.dll
file zipped: c:\windows\system32\suteniro.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amanda\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cnte-dhncgts.jar-6553fc85-1aa086ce.zip
c:\program files\Common Files\zuwi
c:\program files\Common Files\zuwi\zuwia.lck
c:\program files\Common Files\zuwi\zuwid\class-barrel
c:\program files\Common Files\zuwi\zuwid\vocabulary
c:\program files\Common Files\zuwi\zuwil.lck
c:\program files\Common Files\zuwi\zuwim.lck
c:\windows\system32\noyijoyo.dll
c:\windows\system32\suteniro.dll

.
((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))
.

2009-10-16 17:54 . 2009-10-16 17:54 -------- d-----w- c:\program files\ESET
2009-10-16 01:29 . 2009-10-16 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\83633831
2009-10-14 18:39 . 2009-10-14 18:39 -------- d-----w- c:\program files\Trend Micro
2009-10-14 17:05 . 2009-10-17 02:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-13 14:37 . 2009-10-13 14:37 -------- d-----w- c:\documents and settings\Amanda\Local Settings\Application Data\AIM
2009-09-20 03:32 . 2009-09-20 03:32 -------- d-sh--w- c:\documents and settings\Debbie\PrivacIE
2009-09-20 03:04 . 2009-09-20 03:04 -------- d-----w- c:\documents and settings\Debbie\Application Data\acccore
2009-09-20 03:02 . 2009-09-20 03:02 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\AOL OCP
2009-09-20 03:02 . 2009-09-20 03:02 -------- d-----w- c:\documents and settings\Debbie\Local Settings\Application Data\AOL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-16 17:20 . 2006-12-09 02:44 -------- d-----w- c:\program files\iTunes
2009-10-16 17:20 . 2006-05-20 06:04 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-10-14 00:28 . 2008-12-16 01:42 -------- d-----w- c:\documents and settings\Debbie\Application Data\LimeWire
2009-09-29 21:39 . 2006-05-20 06:10 -------- d-----w- c:\program files\McAfee
2009-09-17 16:38 . 2006-05-20 06:10 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2009-09-15 00:47 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\Amanda\Application Data\Malwarebytes
2009-09-15 00:47 . 2009-09-15 00:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-14 00:03 . 2009-09-14 00:03 -------- d-----w- c:\documents and settings\Amanda\Application Data\McAfee
2009-09-11 14:18 . 2005-08-16 08:18 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:03 . 2005-08-16 08:18 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-08-29 08:08 . 2005-08-16 08:18 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 19:23 . 2006-12-17 03:52 -------- d-----w- c:\program files\AIM6
2009-08-27 19:22 . 2006-12-17 03:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-08-27 19:21 . 2006-12-17 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads
2009-08-26 08:00 . 2005-08-16 08:19 247326 ----a-w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2005-08-16 08:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 15:13 . 2005-08-16 08:18 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe
2009-08-04 14:20 . 2004-08-04 02:59 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-07-27 18:22 . 2006-05-27 22:19 96616 ----a-w- c:\documents and settings\Amanda\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-25 22:45 . 2009-06-28 00:17 33061 ----a-w- c:\windows\king-uninstall.exe
2009-07-25 09:23 . 2009-06-10 23:28 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-21 14:35 . 2006-05-27 22:19 8404 --sha-w- c:\windows\system32\KGyGaAvL.sys
2007-03-10 18:23 . 2007-03-10 18:23 56 --sh--r- c:\windows\system32\399DCE404B.sys
2006-06-14 22:21 . 2006-06-14 22:21 56 --sh--r- c:\windows\system32\7FC3E94890.sys
2006-06-02 02:30 . 2006-05-27 22:19 88 --sh--r- c:\windows\system32\D438FE4D12.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-15_00.50.47 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-13 23:54 . 2009-07-03 17:09 55296 c:\windows\system32\msfeedsbs.dll
+ 2007-08-13 23:54 . 2009-08-29 08:08 55296 c:\windows\system32\msfeedsbs.dll
- 2005-08-16 08:18 . 2009-07-03 17:09 25600 c:\windows\system32\jsproxy.dll
+ 2005-08-16 08:18 . 2009-08-29 08:08 25600 c:\windows\system32\jsproxy.dll
+ 2009-07-20 02:45 . 2009-08-29 08:08 12800 c:\windows\system32\dllcache\xpshims.dll
- 2009-07-20 02:45 . 2009-07-03 17:09 12800 c:\windows\system32\dllcache\xpshims.dll
+ 2008-11-05 02:54 . 2009-08-29 08:08 55296 c:\windows\system32\dllcache\msfeedsbs.dll
- 2008-11-05 02:54 . 2009-07-03 17:09 55296 c:\windows\system32\dllcache\msfeedsbs.dll
+ 2009-09-04 21:03 . 2009-09-04 21:03 58880 c:\windows\system32\dllcache\msasn1.dll
+ 2006-05-10 05:25 . 2009-08-29 08:08 25600 c:\windows\system32\dllcache\jsproxy.dll
- 2006-05-10 05:25 . 2009-07-03 17:09 25600 c:\windows\system32\dllcache\jsproxy.dll
+ 2006-05-26 00:59 . 2009-10-17 01:21 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-05-26 00:59 . 2009-10-14 21:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-05 39408]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]

c:\documents and settings\Amanda\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

c:\documents and settings\Debbie\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2009-7-31 139776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^LUMIX Simple Viewer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk
backup=c:\windows\pss\LUMIX Simple Viewer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Motorola\\iDEN WebJAL\\WebJAL.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\AIM6\\aolsoftware.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcods.exe"=
"c:\\Program Files\\McAfee\\VirusScan\\mcvsmap.exe"=
"c:\\Program Files\\McAfee\\MSC\\mcmscsvc.exe"=
"c:\\Program Files\\McAfee\\MSM\\McSmtFwk.exe"=
"c:\\Program Files\\McAfee.com\\Agent\\mcagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/10/2007 5:17 PM 24652]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-10-16 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 01:26]

2009-10-17 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-04-08 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uDefault_Search_URL = hxxp://ie.search.msn.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-16 22:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2009-10-17 23:05
ComboFix-quarantined-files.txt 2009-10-17 03:03
ComboFix2.txt 2009-10-16 17:48
ComboFix3.txt 2009-10-15 01:15

Pre-Run: 16,788,529,152 bytes free
Post-Run: 16,742,084,608 bytes free

336 --- E O F --- 2009-10-16 17:57
Upload was successful
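The "Reg Loading Points" section of the log above carries the settings a helper checks first: the Security Center override and DisableMonitoring values, the Windows Firewall state for the standard profile, and the globally open port list. The script below is an added example for this thread (not ComboFix's or Malwarebytes' code) that parses that section and lists those settings as review items; SAMPLE_LOG is copied from the posted log, and the findings are deliberately phrased as "confirm" items because a third-party suite such as the McAfee install here can set every one of them legitimately.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix's or Malwarebytes' own code.
SAMPLE_LOG is copied from the registry section of the log posted above.
"""

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"""


def parse_reg_section(text):
    """Return {key_path: {value_name: raw_value}} from REGEDIT4-style lines.

    ComboFix prints keys in [brackets] and values as "name"=data; the data is
    kept as the raw string (e.g. 'dword:00000001' or '0 (0x0)').
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            entries[current][name.strip('"')] = value.strip()
    return entries


def triage(entries):
    """Return review findings for settings that silence or weaken host defences.

    Every finding can be legitimate (a third-party suite such as the McAfee
    install in this log sets several of them), so they are 'confirm' items,
    not verdicts.
    """
    findings = []
    for path, values in entries.items():
        low = path.lower()
        leaf = path.rsplit("\\", 1)[-1]
        if low.endswith("\\security center"):
            for name in ("AntiVirusOverride", "FirewallOverride"):
                if values.get(name) == "dword:00000001":
                    findings.append(f"{name}=1: Security Center alerts for this component are suppressed")
        if "\\security center\\monitoring" in low and values.get("DisableMonitoring") == "dword:00000001":
            findings.append(f"DisableMonitoring=1 under {leaf}: confirm the named product is installed and active")
        if low.endswith("firewallpolicy\\standardprofile") and values.get("EnableFirewall", "").startswith("0"):
            findings.append("EnableFirewall=0: Windows Firewall is off; confirm a third-party firewall covers this profile")
        if low.endswith("globallyopenports\\list"):
            for port in values:
                findings.append(f"{port} globally open in the firewall policy: confirm this exposure is intended")
    return findings


def triage_log(text):
    """Parse a log excerpt and return its review findings."""
    return triage(parse_reg_section(text))


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("REVIEW:", finding)
```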

#10
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts

Quote

I saved what you told me to save, dragged it into ComboFix, the blue screen appeared and then stopped at "please wait". I left it on overnight because it was taking so long; when I woke up it was still saying the same thing.
Mind telling me how you got around that?

Quote

I disabled my antivirus and now my computer has gotten WAY WORSE! I have no desktop icons and the desktop is completely white. I have the start menu. I ran my antivirus again and it says it took care of the virus, but I know that it hasn't, for the obvious reasons. I'm unsure what I should do. There are no other ways of ridding my computer of this INFECTION! PLEASE HELP!
Your log looks clean now. Do you still have the above issues?
sUBs
Research Engineer


#11
MANDA

    New Member

  • Members
  • 9 posts
It's beyond me how I got around that. I left it on overnight and when I woke up my computer was saying the same thing. Then I left, and left the computer running, and it must have restarted while I was gone. But as far as I know now it's fine. I'm going to run another virus scan and see how that goes. I'm also going to try and download Malwarebytes; if that doesn't work I guess I'm back where I started. I was a little concerned though because the ESET Online Scanner said it found 72 infections and I'm not sure if that's what you had me fix or not. Thank you SOOOOOO much for your help though!! If I have any other issues I will let you know. Thank you thank you thank you!

#12
sUBs

    Forum Deity

  • Moderators
  • 6,031 posts

Quote

I'm also going to try and download Malwarebytes; if that doesn't work I guess I'm back where I started
MBAM should install fine now. Let me know if that isn't so.

Quote

a little concerned though because the ESET Online Scanner said it found 72 infections

Of the stuff found,

C:\QooBox is ComboFix's quarantine folder. We'll take care of it when we uninstall ComboFix.

C:\System Volume Information\ is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache in a little while.


----------------------


Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:


  • Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /U



  • ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.



  • Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • http://www.mozilla.o...oducts/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.


  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.


  • http://www.aumha.org...erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://www.spywarein...showtopic=60955

After doing all these, your system will be optimised against future threats.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
sUBs
Research Engineer
