Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Showing multiple threats

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Showing multiple threats

Unread postby beangod » December 18th, 2008, 8:25 pm

Well from what I can remember, the only way I could of got this virus is from a infected iso file. I should of scanned it but went ahead and mounted it then double clicked the setup file, then my Nod32 went crazy and I cancelled out and deleted the infected file I thought, but turned out to be a fake. And here I am, you guys have helped me before with amazing results.
Shaun

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:12:29 PM, on 12/18/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Findme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {799FA50F-FE27-4B70-BC09-A1DEABA1B24D} - C:\WINDOWS\system32\mlJDurQI.dll
O2 - BHO: {fa547f09-3092-f82a-8064-8e6e7788b5bb} - {bb5b8877-e6e8-4608-a28f-290390f745af} - C:\WINDOWS\system32\ojklny.dll
O2 - BHO: (no name) - {FEF2A5ED-3406-46F6-A624-5351E1A0D765} - C:\WINDOWS\system32\opnnopmL.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [System Restore] C:\WINDOWS\TEMP\EXPLORER.EXE
O4 - HKLM\..\Run: [RUNDLL32] C:\WINDOWS\TEMP\rundll32.exe
O4 - HKLM\..\Run: [6c0a9762] rundll32.exe "C:\WINDOWS\system32\imcyntgj.dll",b
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Haze\Application Data\gadcom\gadcom.exe" 61A847B5BBF72810329B385572FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2} (UniInstaller Class) - http://www.sexyads.net/members/voice-installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0231545154
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
O16 - DPF: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8} (CNeoInstallShieldX Object) - http://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/ ... ctiveX.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: ojklny.dll
O20 - Winlogon Notify: mlJDurQI - C:\WINDOWS\SYSTEM32\mlJDurQI.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 7919 bytes
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm
Advertisement
Register to Remove

Re: Showing multiple threats

Unread postby MikeSwim07 » December 19th, 2008, 9:23 pm

Hello, and Image to the Malware Removal forums.
My name is Michael I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please note: All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 20th, 2008, 8:32 am

Hello Michael, here is the list you requested.
Thanks


3Com NIC Diagnostics
3ivx D4 4.5.1 (remove only)
ABC (remove only)
AC3Filter (remove only)
Ad-Aware
Adobe Flash Player 10 Plugin
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.3
Adobe Shockwave Player
AIM 6.0
AOL Instant Messenger
ASUS SmartDoctor
ATI Display Driver
Codec Pack - All In 1 6.0.3.0
ConvertXtoDVD 2.2.3.258
Counter-Strike: Source
Creative EAX Settings
Creative Speaker Settings
CTIAPI32 (remove only)
CtiLogC (remove only)
Device Control
Direct Show Ogg Vorbis Filter (remove only)
Diskeeper Professional Premier Edition
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
ESET NOD32 Antivirus
ExtremeATi
Geiss2 for Winamp 2x (remove only)
G-Force
GSpot Codec Information Appliance
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
IrfanView (remove only)
Java(TM) 6 Update 4
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft AppLocale
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Windows Application Compatibility Database
mIRC
Motherboard Monitor 5
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.18)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Nero 7 Ultra Edition
NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)
PCI Audio Driver
PeerGuardian 2.0
Planet Poker
Project64 1.6
Quick Macro v6.20
QuickTime
Real Alternative 1.38
Revo Uninstaller 1.75
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpywareBlaster 4.1
Steam
Sword of The New World
TeamSpeak 2 RC2
TeamSpeak Overlay BETA (#60)
TrekStor i.Beat emo
Tribes Vengeance
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Ventrilo Client
VIA Integrated Setup Wizard
VideoLAN VLC media player 0.8.4a
Viewpoint Media Player
Winamp
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Service Pack 3
WinRAR archiver
WinZip
Wise Registry Cleaner 3 Professional V3.81
x2 Server Query
Yahoo! Messenger
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm

Re: Showing multiple threats

Unread postby MikeSwim07 » December 20th, 2008, 9:00 am

Hello Beangod,

I have noticed that you have a cracked version of Nod32. This is illegal.

Please follow these instructions to uninstall NOD32 and install a free AV.

Uninstall programs

Some programs that you have are malicious. We need to uninstall them.

  • First, Click on Start > Control Panel
  • Next, Click on Add or Remove Programs
  • Wait for the list of programs to load
  • Located the following programs and click Remove
    ESET NOD32 Antivirus
    NOD32 v3.x FiX 1.1 by TemDono (Free Updates - Expire in 2050)
  • Follow the prompts of the uninstaller to uninstall/remove the program
  • Once all of the above have been uninstalled, please close Add/Remove Programs

Download an Anti Virus

Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. Here are some Anti Virus products which are free for personal use and most used:
Avast I recommend this one
Avira
AVG Free

Here are some really good paid programs which you can buy online or in a shop nearby:
ESET NOD32
Kaspersky Anti-Virus or Kaspersky Internet Security with Firewall included

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Please post a new Hijackthis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 20th, 2008, 2:18 pm

Alright, Nod is removed and new AV installed and updated.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:16:15 PM, on 12/20/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\Findme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: {216e469d-2688-369b-2c54-36ab19782f01} - {10f28791-ba63-45c2-b963-8862d964e612} - C:\WINDOWS\system32\gngpiv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6A6085BE-D9AD-4F2B-9EDE-E90FDD4FAD20} - C:\WINDOWS\system32\opnnopmL.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: (no name) - {799FA50F-FE27-4B70-BC09-A1DEABA1B24D} - (no file)
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [6c0a9762] rundll32.exe "C:\WINDOWS\system32\xleokmqm.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\Haze\Application Data\gadcom\gadcom.exe" 61A847B5BBF72810329B385572FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\S-1-5-20\..\RunOnce: [NeroHomeFirstStart] C:\Program Files\Common Files\Ahead\Lib\NMFirstStart.exe (User 'NETWORK SERVICE')
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2} (UniInstaller Class) - http://www.sexyads.net/members/voice-installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0231545154
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
O16 - DPF: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8} (CNeoInstallShieldX Object) - http://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/ ... ctiveX.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} - https://my.levelupgames.ph/KeyCrypt/npkcx.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: gngpiv.dll
O20 - Winlogon Notify: mlJDurQI - C:\WINDOWS\
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 8090 bytes
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm

Re: Showing multiple threats

Unread postby MikeSwim07 » December 21st, 2008, 9:43 am

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
    The ones that need to be closed/disabled are:
    Avast!

  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 21st, 2008, 7:01 pm

ComboFix 08-12-21.02 - Haze 2008-12-21 17:50:53.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.287 [GMT -5:00]
Running from: c:\documents and settings\Haze\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Haze\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Haze\Application Data\inst.exe
c:\documents and settings\Haze\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\AppPatch\Custom\{deb7008b-681e-4a4a-8aae-cc833e8216ce}.sdb
c:\windows\qmdispatch.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\gngpiv.dll
c:\windows\system32\iinjnsfk.dll
c:\windows\system32\imcyntgj.dll
c:\windows\system32\iqtijkrk.dll
c:\windows\system32\ivwywolt.dll
c:\windows\system32\jduisyri.dll
c:\windows\system32\ljJYRJbb.dll
c:\windows\system32\lkhrid.dll
c:\windows\system32\Lmponnpo.ini
c:\windows\system32\Lmponnpo.ini2
c:\windows\system32\ltefqbvh.dll
c:\windows\system32\mlwisajx.dll
c:\windows\system32\nmbadpaa.dll
c:\windows\system32\ojklny.dll
c:\windows\system32\opnnopmL.dll
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\tuvUKEwu.dll
c:\windows\system32\ucqkoj.dll
c:\windows\system32\udawvuom.dll
c:\windows\system32\VCCLSID.exe
c:\windows\system32\vqfomt.dll
c:\windows\system32\vurirgon.dll
c:\windows\system32\xleokmqm.dll
c:\windows\system32\ycuxlska.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_OREANS32
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.

2008-12-21 13:22 . 2008-12-21 13:22 120 --ahs---- c:\windows\system32\tlowywvi.ini
2008-12-20 17:13 . 2008-12-20 17:13 120 --ahs---- c:\windows\system32\mouvwadu.ini
2008-12-20 13:09 . 2008-12-20 13:09 <DIR> d-------- c:\program files\Alwil Software
2008-12-19 17:12 . 2008-12-19 17:12 120 --ahs---- c:\windows\system32\mqmkoelx.ini
2008-12-18 06:46 . 2008-12-18 06:46 120 --ahs---- c:\windows\system32\jgtnycmi.ini
2008-12-08 20:06 . 2008-12-20 21:41 <DIR> d-------- c:\program files\Steam
2008-12-08 15:34 . 2008-12-08 15:35 481 --a------ c:\windows\system32\de.bat
2008-12-04 06:47 . 2008-12-04 06:50 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-12-03 23:20 . 2008-12-03 23:20 <DIR> d-------- c:\program files\VS Revo Group
2008-12-03 22:57 . 2008-12-03 22:57 361,600 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 22:44 --------- d-----w c:\documents and settings\Haze\Application Data\SiteAdvisor
2008-12-20 22:41 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-19 00:03 --------- d-----w c:\program files\QMacro
2008-12-13 13:40 --------- d-----w c:\documents and settings\Haze\Application Data\uTorrent
2008-12-09 00:36 --------- d-----w c:\documents and settings\Haze\Application Data\Vso
2008-12-07 13:44 --------- d-----w c:\program files\mIRC
2008-12-04 03:57 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-28 00:27 --------- d-----w c:\program files\Viewpoint
2008-11-15 18:06 --------- d-----w c:\program files\Common Files\Adobe
2008-11-11 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 00:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 02:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 23:50 --------- d-----w c:\program files\GSC 2.00
2008-11-09 02:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 02:37 --------- d-----w c:\program files\SpywareBlaster
2008-11-04 00:52 --------- d-----w c:\program files\PeerGuardian2
2008-11-03 19:29 --------- d-----w c:\documents and settings\Haze\Application Data\Red Alert 3
2008-11-02 16:44 --------- d-----w c:\program files\Electronic Arts
2008-10-29 23:20 --------- d-----w c:\program files\Sword of The New World
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-09-02 00:11 94,208 ----a-w c:\documents and settings\Haze\Application Data\ezplay.sys
2008-09-02 00:11 47,360 ----a-w c:\documents and settings\Haze\Application Data\pcouffin.sys
2008-01-15 02:35 22,328 ----a-w c:\documents and settings\Haze\Application Data\PnkBstrK.sys
2006-12-26 00:23 81,920 ----a-w c:\documents and settings\Haze\Application Data\ezpinst.exe
.

------- Sigcheck -------

2007-10-30 11:53 360832 64798ecfa43d78c7178375fcdd16d8c8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2008-06-20 05:44 360960 744e57c99232201ae98c49168b918f48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
2008-06-20 06:51 361600 9aefa14bd6b182d61e3119fa5f436d3d c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
2008-06-20 06:59 361600 ad978a1b783b5719720cff204b666c8e c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
2008-06-20 05:45 360320 2a5554fc5b1e04e131230e3ce035c3f9 c:\windows\$NtServicePackUninstall$\tcpip.sys
2004-08-04 01:14 359040 9f4b36614a0fc234525ba224957de55c c:\windows\$NtUninstallKB941644$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\$NtUninstallKB951748$\tcpip.sys
2007-10-30 12:20 360064 90caff4b094573449a0872a0f919b178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
2008-04-13 14:20 361344 93ea8d04ec73a85db02eb8805988f733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
2008-12-03 22:57 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\dllcache\TCPIP.SYS
2008-12-03 22:57 361600 d24ea301e2b36c4e975fd216ca85d8e7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"AtiPTA"="atiptaxx.exe" [2005-06-28 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vqfomt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, snapapi32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\VIA\RAID\via raid tool.lnk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Blaxx Manager
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GLSetIT32
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pando
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
--a------ 2004-02-02 17:13 954368 c:\program files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2005-11-22 17:38 221184 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExtremeTWRF]
--a------ 2008-01-14 08:44 45056 c:\windows\system32\extwrf.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 00:31 59392 c:\windows\system32\IME\PINTLGNT\imscinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 18:40 1421824 c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 00:32 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 00:32 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TvServerQuery]
--a------ 2008-07-21 22:45 73728 c:\program files\x2\x2 Server Query\TVServerQuery.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 13:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2008-01-13 15:30 1818624 c:\windows\Mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a------ 2003-01-15 14:41 24576 c:\windows\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
--a------ 2003-07-16 02:34 1323008 c:\windows\system32\TCAUDIAG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys [2004-12-01 77056]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-20 20560]
R2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
S3 ATIXPGAA;ATIXPGAA;\??\c:\program files\ASUS\SmartDoctor\ATIXPGAA.SYS [2003-10-29 11776]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys []
S3 NTProcDrv;Process creation detector for NT.;\??\d:\downloaded shit\1.19\NtProcDrv.sys []
S3 SaiH0109;SaiH0109;c:\windows\system32\DRIVERS\SaiH0109.sys [2005-12-31 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\DRIVERS\SaiU0109.sys [2005-12-31 19456]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D.sys []
S3 XDva028;XDva028;\??\c:\windows\System32\XDva028.sys []
S3 XDva031;XDva031;\??\c:\windows\System32\XDva031.sys []
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys []
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys []
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys []
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys []
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys []
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys []
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys []
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys []
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys []
S3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e18ef05e-77a3-11dd-ad87-000ea67471ed}]
\Shell\AutoRun\command - h:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - h:\system\viewer\FlipVideoforPC.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{5db781f0-dc46-40de-acbe-3dd2388f3887} - c:\windows\system32\vqfomt.dll
BHO-{6A6085BE-D9AD-4F2B-9EDE-E90FDD4FAD20} - c:\windows\system32\opnnopmL.dll
BHO-{799FA50F-FE27-4B70-BC09-A1DEABA1B24D} - (no file)
ShellExecuteHooks-{799FA50F-FE27-4B70-BC09-A1DEABA1B24D} - (no file)
Notify-mlJDurQI - (no file)
MSConfigStartUp-6c0a9762 - c:\windows\system32\imcyntgj.dll
MSConfigStartUp-RUNDLL32 - c:\windows\TEMP\rundll32.exe
MSConfigStartUp-SService - c:\windows\TEMP\EXPLORER.EXE
MSConfigStartUp-System Restore - c:\windows\TEMP\EXPLORER.EXE
MSConfigStartUp-ctfmon - (no file)
MSConfigStartUp-gcasDtServ - gcasDtServ.exe
MSConfigStartUp-igndlm - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

c:\windows\Downloaded Program Files\UniInstallerLicense.htm - c:\windows\Downloaded Program Files\UniInstallerGui.xml
c:\windows\Downloaded Program Files\UniInstallerTop.bmp
c:\windows\Downloaded Program Files\UniInstallerBottom.bmp
c:\windows\Downloaded Program Files\UniInstaller.dll
c:\windows\Downloaded Program Files\UniInet.dll
O16 -: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2}
hxxp://www.sexyads.net/members/voice-installer.cab
c:\windows\Downloaded Program Files\UniInstaller.inf

c:\windows\Downloaded Program Files\A18X.ocx - O16 -: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33}
hxxp://www.albatross18.com/cabs/A18X.ocx

c:\windows\nxpm.ocx - O16 -: {2931566C-B8A6-46C5-BF4D-E6AB9251E953}
hxxp://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
c:\windows\Downloaded Program Files\nxpm.inf

c:\windows\Downloaded Program Files\mainstrings.txt - c:\windows\Downloaded Program Files\pestscan.ini
c:\windows\Downloaded Program Files\ppctl.dll
c:\windows\Downloaded Program Files\pestscanx.ocx
O16 -: {56393399-041A-4650-94C7-13DFCB1F4665}
hxxp://pcpitstop.com/pestscan/pestscan.cab
c:\windows\Downloaded Program Files\pestscanx.inf

c:\windows\Downloaded Program Files\mabiwebframe.dll - O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66}
hxxp://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
c:\windows\Downloaded Program Files\mabiweb.inf

c:\windows\Downloaded Program Files\nislib.dll - c:\windows\Downloaded Program Files\nisx.dll
O16 -: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8}
hxxp://d-fighter.nefficient.co.kr/samsu ... er/dis.cab

c:\windows\System32\ENetLauncher.ocx - O16 -: {ADCC68D4-AAEA-4338-817D-1F261D9FB759}
hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
c:\windows\Downloaded Program Files\ENetLauncher.inf

c:\windows\System32\msvcrt.dll - c:\windows\System32\mfc42.dll
c:\windows\System32\olepro32.dll
c:\windows\System32\ILKmpihc.dll
O16 -: {B45E969D-924F-4C83-ACF3-38CDD115AA2C}
hxxps://www.isaackorea.net/update/ilkactx.cab
c:\windows\Downloaded Program Files\ILKmpihc.inf

c:\windows\System32\mfc42.dll - c:\windows\System32\msvcrt.dll
c:\windows\System32\olepro32.dll
c:\windows\Downloaded Program Files\TricksterActiveX.lic
c:\windows\Downloaded Program Files\TricksterActiveX.ocx
O16 -: {CEA3052D-65B9-44E2-A501-5E14024BC66F}
hxxp://www.tricksteronline.com/control/ ... ctiveX.cab
c:\windows\Downloaded Program Files\TricksterActiveX.inf

c:\windows\System32\mfc42.dll - O16 -: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D}
hxxp://www.gamengame.com/KALogoutComponent.cab
c:\windows\Downloaded Program Files\KALogoutComponent.inf

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Haze\Application Data\Mozilla\Firefox\Profiles\8aaml5t5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Haze\Application Data\Mozilla\Firefox\Profiles\8aaml5t5.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 17:56:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\ati2evxx.exe
.
**************************************************************************
.
Completion time: 2008-12-21 17:58:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 22:58:37

Pre-Run: 8,841,969,664 bytes free
Post-Run: 8,955,424,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /usepmtimer /NoExecute=OptIn

334 --- E O F --- 2008-12-10 01:13:17





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:43 PM, on 12/21/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Findme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2} (UniInstaller Class) - http://www.sexyads.net/members/voice-installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0231545154
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
O16 - DPF: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8} (CNeoInstallShieldX Object) - http://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/ ... ctiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O20 - AppInit_DLLs: vqfomt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 7370 bytes
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm

Re: Showing multiple threats

Unread postby MikeSwim07 » December 22nd, 2008, 12:40 pm

Run CFScript

Open Notepad and copy/paste the text in the box into the window:

Code: Select all
File::
c:\windows\system32\tlowywvi.ini
c:\windows\system32\mouvwadu.ini
c:\windows\system32\mqmkoelx.ini
c:\windows\system32\jgtnycmi.ini
c:\windows\system32\extwrf.exe
Folder::
c:\documents and settings\Haze\Application Data\uTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExtremeTWRF]


Save it to your desktop as CFScript.txt

Refering to the picture below, drag CFScript.txt into ComboFix.exe
Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post the ComboFix log and a new Hijackthis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 22nd, 2008, 6:48 pm

ComboFix 08-12-21.02 - Haze 2008-12-22 17:42:49.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.767.40 [GMT -5:00]
Running from: c:\documents and settings\Haze\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Haze\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\extwrf.exe
c:\windows\system32\jgtnycmi.ini
c:\windows\system32\mouvwadu.ini
c:\windows\system32\mqmkoelx.ini
c:\windows\system32\tlowywvi.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Haze\Application Data\uTorrent
c:\documents and settings\Haze\Application Data\uTorrent\dht.dat
c:\documents and settings\Haze\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Haze\Application Data\uTorrent\resume.dat
c:\documents and settings\Haze\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Haze\Application Data\uTorrent\rss.dat
c:\documents and settings\Haze\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Haze\Application Data\uTorrent\settings.dat
c:\documents and settings\Haze\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Haze\Application Data\uTorrent\SRO_GlobalOfficial_v1_110.exe.torrent
c:\documents and settings\Haze\Application Data\uTorrent\utorrent.lng
c:\windows\system32\extwrf.exe
c:\windows\system32\jgtnycmi.ini
c:\windows\system32\mouvwadu.ini
c:\windows\system32\mqmkoelx.ini
c:\windows\system32\tlowywvi.ini

.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.

2008-12-20 13:09 . 2008-12-20 13:09 <DIR> d-------- c:\program files\Alwil Software
2008-12-08 20:06 . 2008-12-21 23:02 <DIR> d-------- c:\program files\Steam
2008-12-08 15:34 . 2008-12-08 15:35 481 --a------ c:\windows\system32\de.bat
2008-12-04 06:47 . 2008-12-04 06:50 <DIR> d-------- c:\program files\Wise Registry Cleaner 3 Pro
2008-12-03 23:20 . 2008-12-03 23:20 <DIR> d-------- c:\program files\VS Revo Group
2008-12-03 22:57 . 2008-12-03 22:57 361,600 --a------ c:\windows\system32\drivers\TCPIP.SYS.ORIGINAL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-22 22:38 --------- d-----w c:\documents and settings\Haze\Application Data\SiteAdvisor
2008-12-22 12:05 --------- d-----w c:\program files\Mozilla Thunderbird
2008-12-19 00:03 --------- d-----w c:\program files\QMacro
2008-12-09 00:36 --------- d-----w c:\documents and settings\Haze\Application Data\Vso
2008-12-07 13:44 --------- d-----w c:\program files\mIRC
2008-12-04 03:57 361,600 ----a-w c:\windows\system32\drivers\TCPIP.SYS
2008-11-28 00:27 --------- d-----w c:\program files\Viewpoint
2008-11-15 18:06 --------- d-----w c:\program files\Common Files\Adobe
2008-11-11 00:24 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 00:23 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-10 02:41 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-09 23:50 --------- d-----w c:\program files\GSC 2.00
2008-11-09 02:38 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-09 02:37 --------- d-----w c:\program files\SpywareBlaster
2008-11-04 00:52 --------- d-----w c:\program files\PeerGuardian2
2008-11-03 19:29 --------- d-----w c:\documents and settings\Haze\Application Data\Red Alert 3
2008-11-02 16:44 --------- d-----w c:\program files\Electronic Arts
2008-10-29 23:20 --------- d-----w c:\program files\Sword of The New World
2008-10-27 15:04 70,992 ----a-w c:\windows\system32\XAPOFX1_2.dll
2008-10-27 15:04 514,384 ----a-w c:\windows\system32\XAudio2_3.dll
2008-10-27 15:04 235,856 ----a-w c:\windows\system32\xactengine3_3.dll
2008-10-27 15:04 23,376 ----a-w c:\windows\system32\X3DAudio1_5.dll
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-10 09:52 452,440 ----a-w c:\windows\system32\d3dx10_40.dll
2008-10-10 09:52 4,379,984 ----a-w c:\windows\system32\D3DX9_40.dll
2008-10-10 09:52 2,036,576 ----a-w c:\windows\system32\D3DCompiler_40.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-02 00:11 94,208 ----a-w c:\documents and settings\Haze\Application Data\ezplay.sys
2008-09-02 00:11 47,360 ----a-w c:\documents and settings\Haze\Application Data\pcouffin.sys
2008-01-15 02:35 22,328 ----a-w c:\documents and settings\Haze\Application Data\PnkBstrK.sys
2006-12-26 00:23 81,920 ----a-w c:\documents and settings\Haze\Application Data\ezpinst.exe
2003-07-31 09:53 147,456 ----a-w c:\windows\inf\EL2K_XP.sys
2003-07-31 09:50 448,768 ----a-w c:\windows\inf\EL2K_N64.sys
2003-07-31 09:43 147,456 ----a-w c:\windows\inf\EL2K_2K.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiskeeperSystray"="c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2005-11-22 221184]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"AtiPTA"="atiptaxx.exe" [2005-06-28 c:\windows\system32\atiptaxx.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.3IV2"= 3ivxVfWCodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\VIA\RAID\via raid tool.lnk

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrust PestPatrol Active Protection]
none [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
--a------ 2006-08-01 15:35 67112 c:\progra~1\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
--a------ 2006-11-07 10:29 50736 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ASUS SmartDoctor]
--a------ 2004-02-02 17:13 954368 c:\program files\ASUS\SmartDoctor\SmartDoctor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DiskeeperSystray]
--a------ 2005-11-22 17:38 221184 c:\program files\Diskeeper Corporation\Diskeeper\DkIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 00:31 208952 c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-02-16 16:15 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 00:31 59392 c:\windows\system32\IME\PINTLGNT\imscinst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 14:40 155648 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 18:40 1421824 c:\program files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 00:32 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 00:32 455168 c:\windows\system32\IME\TINTLGNT\tintsetp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-12-14 03:42 144784 c:\program files\Java\jre1.6.0_04\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TvServerQuery]
--a------ 2008-07-21 22:45 73728 c:\program files\x2\x2 Server Query\TVServerQuery.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-06-07 13:08 4670968 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2005-06-28 21:05 344064 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2008-01-13 15:30 1818624 c:\windows\Mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 c:\windows\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PtiuPbmd]
--a------ 2003-01-15 14:41 24576 c:\windows\system32\ptipbm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCASUTIEXE]
--a------ 2003-07-16 02:34 1323008 c:\windows\system32\TCAUDIAG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

R0 viasraid;viasraid;c:\windows\system32\DRIVERS\viasraid.sys [2004-12-01 77056]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-20 111184]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2008-12-20 20560]
R2 tcaicchg;tcaicchg;\??\c:\windows\System32\tcaicchg.sys [2000-06-06 21233]
R2 TCAITDI;TCAITDI Protocol;c:\windows\system32\DRIVERS\TCAITDI.sys [2001-09-03 19534]
R3 XDva190;XDva190;\??\c:\windows\system32\XDva190.sys []
S3 ATIXPGAA;ATIXPGAA;\??\c:\program files\ASUS\SmartDoctor\ATIXPGAA.SYS [2003-10-29 11776]
S3 AvFlt;Antivirus Filter Driver;c:\windows\system32\drivers\av5flt.sys []
S3 NTProcDrv;Process creation detector for NT.;\??\d:\downloaded shit\1.19\NtProcDrv.sys []
S3 SaiH0109;SaiH0109;c:\windows\system32\DRIVERS\SaiH0109.sys [2005-12-31 55936]
S3 SaiU0109;SaiU0109;c:\windows\system32\DRIVERS\SaiU0109.sys [2005-12-31 19456]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D.sys []
S3 XDva028;XDva028;\??\c:\windows\System32\XDva028.sys []
S3 XDva031;XDva031;\??\c:\windows\System32\XDva031.sys []
S3 XDva037;XDva037;\??\c:\windows\system32\XDva037.sys []
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []
S3 XDva119;XDva119;\??\c:\windows\system32\XDva119.sys []
S3 XDva121;XDva121;\??\c:\windows\system32\XDva121.sys []
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys []
S3 XDva134;XDva134;\??\c:\windows\system32\XDva134.sys []
S3 XDva158;XDva158;\??\c:\windows\system32\XDva158.sys []
S3 XDva164;XDva164;\??\c:\windows\system32\XDva164.sys []
S3 XDva167;XDva167;\??\c:\windows\system32\XDva167.sys []
S3 XDva186;XDva186;\??\c:\windows\system32\XDva186.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e18ef05e-77a3-11dd-ad87-000ea67471ed}]
\Shell\AutoRun\command - h:\system\viewer\FlipVideoforPC.exe
\Shell\Flip Video for PC\command - h:\system\viewer\FlipVideoforPC.exe
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7

c:\windows\Downloaded Program Files\UniInstallerLicense.htm - c:\windows\Downloaded Program Files\UniInstallerGui.xml
c:\windows\Downloaded Program Files\UniInstallerTop.bmp
c:\windows\Downloaded Program Files\UniInstallerBottom.bmp
c:\windows\Downloaded Program Files\UniInstaller.dll
c:\windows\Downloaded Program Files\UniInet.dll
O16 -: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2}
hxxp://www.sexyads.net/members/voice-installer.cab
c:\windows\Downloaded Program Files\UniInstaller.inf

c:\windows\Downloaded Program Files\A18X.ocx - O16 -: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33}
hxxp://www.albatross18.com/cabs/A18X.ocx

c:\windows\nxpm.ocx - O16 -: {2931566C-B8A6-46C5-BF4D-E6AB9251E953}
hxxp://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
c:\windows\Downloaded Program Files\nxpm.inf

c:\windows\Downloaded Program Files\mainstrings.txt - c:\windows\Downloaded Program Files\pestscan.ini
c:\windows\Downloaded Program Files\ppctl.dll
c:\windows\Downloaded Program Files\pestscanx.ocx
O16 -: {56393399-041A-4650-94C7-13DFCB1F4665}
hxxp://pcpitstop.com/pestscan/pestscan.cab
c:\windows\Downloaded Program Files\pestscanx.inf

c:\windows\Downloaded Program Files\mabiwebframe.dll - O16 -: {7623BE59-D4CF-4379-ABC4-B39E11854D66}
hxxp://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
c:\windows\Downloaded Program Files\mabiweb.inf

c:\windows\Downloaded Program Files\nislib.dll - c:\windows\Downloaded Program Files\nisx.dll
O16 -: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8}
hxxp://d-fighter.nefficient.co.kr/samsu ... er/dis.cab

c:\windows\System32\ENetLauncher.ocx - O16 -: {ADCC68D4-AAEA-4338-817D-1F261D9FB759}
hxxp://www.dragongemworld.com/Active_X/ENetLauncher.cab
c:\windows\Downloaded Program Files\ENetLauncher.inf

c:\windows\System32\msvcrt.dll - c:\windows\System32\mfc42.dll
c:\windows\System32\olepro32.dll
c:\windows\System32\ILKmpihc.dll
O16 -: {B45E969D-924F-4C83-ACF3-38CDD115AA2C}
hxxps://www.isaackorea.net/update/ilkactx.cab
c:\windows\Downloaded Program Files\ILKmpihc.inf

c:\windows\System32\mfc42.dll - c:\windows\System32\msvcrt.dll
c:\windows\System32\olepro32.dll
c:\windows\Downloaded Program Files\TricksterActiveX.lic
c:\windows\Downloaded Program Files\TricksterActiveX.ocx
O16 -: {CEA3052D-65B9-44E2-A501-5E14024BC66F}
hxxp://www.tricksteronline.com/control/ ... ctiveX.cab
c:\windows\Downloaded Program Files\TricksterActiveX.inf

c:\windows\System32\mfc42.dll - O16 -: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D}
hxxp://www.gamengame.com/KALogoutComponent.cab
c:\windows\Downloaded Program Files\KALogoutComponent.inf

c:\windows\Downloaded Program Files\iaplayer.dll - O16 -: {DB7BF79A-FC51-4B5A-92BC-A65731174380}
hxxp://www.instantaction.com/download/iaplayer.cab
c:\windows\Downloaded Program Files\cab.inf
FF - ProfilePath - c:\documents and settings\Haze\Application Data\Mozilla\Firefox\Profiles\8aaml5t5.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.myspace.com/
FF - plugin: c:\documents and settings\All Users\Application Data\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\documents and settings\Haze\Application Data\Mozilla\Firefox\Profiles\8aaml5t5.default\extensions\iaplayer@instantaction.com\plugins\npiaplayer.dll
FF - plugin: c:\progra~1\Yahoo!\Common\npyaxmpb.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-22 17:44:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-22 17:44:57
ComboFix-quarantined-files.txt 2008-12-22 22:44:42
ComboFix2.txt 2008-12-21 22:58:42

Pre-Run: 8,899,440,640 bytes free
Post-Run: 8,883,249,152 bytes free

273 --- E O F --- 2008-12-10 01:13:17





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:47:42 PM, on 12/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Findme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2} (UniInstaller Class) - http://www.sexyads.net/members/voice-installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0231545154
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
O16 - DPF: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8} (CNeoInstallShieldX Object) - http://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/ ... ctiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 7272 bytes
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm

Re: Showing multiple threats

Unread postby MikeSwim07 » December 23rd, 2008, 8:03 am

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware and save to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:

    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

    Note:
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Update Java and Remove Old Versions

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.


Then download and install Java SE Runtime Environment (JRE) 6 Update 11 following the instructions below:
  • Go to Java SE Runtime Environment (JRE) 6 Update 11 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u11-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Please post the Malwarebyte's log and the JavaRa log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 23rd, 2008, 7:42 pm

Malwarebytes' Anti-Malware 1.31
Database version: 1538
Windows 5.1.2600 Service Pack 3

12/23/2008 6:12:52 PM
mbam-log-2008-12-23 (18-12-52).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 116562
Time elapsed: 24 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 7
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uniinstallerbottom.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uniinstallergui.xml (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uniinstallerlicense.htm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\c:/windows/downloaded program files/uniinstallertop.bmp (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\UniInstallerBottom.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\UniInstallerGui.xml (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\UniInstallerLicense.htm (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\WINDOWS\Downloaded Program Files\UniInstallerTop.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securewebinfo.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.safetyincludes.com (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow\*.securemanaging.com (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\gngpiv.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iinjnsfk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\imcyntgj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\iqtijkrk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ivwywolt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jduisyri.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\lkhrid.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ltefqbvh.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\mlwisajx.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\nmbadpaa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ojklny.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\opnnopmL.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ucqkoj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\udawvuom.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vqfomt.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\vurirgon.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\xleokmqm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ycuxlska.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000014.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000015.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000016.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000017.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000018.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000019.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000021.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000022.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000023.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000024.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000025.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000026.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000028.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000029.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000030.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000031.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000032.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{C89D0922-C6D1-45BF-95FE-BA0BEA67F03F}\RP2\A0000033.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
D:\Downloaded Shit\EvID4226Patch223d-en\EvID4226Patch.exe (Adware.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UniInstaller.inf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UniInstallerBottom.bmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UniInstallerGui.xml (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UniInstallerLicense.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\UniInstallerTop.bmp (Trojan.Agent) -> Quarantined and deleted successfully.






JavaRa 1.12 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Tue Dec 23 18:15:04 2008

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\JavaWebStart.isInstalled.1.5.0.0

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D510000

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610004

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610004

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004

Found and removed: SOFTWARE\Classes\JavaPlugin.160_04

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_04

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_04

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610004

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610004

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610004

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160040}

Found and removed: Software\Classes\JavaPlugin.160_04

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_04

Found and removed: Software\JavaSoft\Java2D\1.6.0_04

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_04

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_04\bin\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_04.b12\

------------------------------------

Finished reporting.
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm

Re: Showing multiple threats

Unread postby MikeSwim07 » December 24th, 2008, 12:04 pm

How is everything running now?

Run Kaspersky Online Scan

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.

Please post the Kaspersky log and a new Hijackthis log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 25th, 2008, 10:50 am

Things seem like normal I think, no more popups. Does everything look good on your end?

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, December 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 24, 2008 23:57:15
Records in database: 1511202
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan statistics:
Files scanned: 71367
Threat name: 2
Infected objects: 4
Suspicious objects: 0
Duration of the scan: 01:24:41


File name / Threat name / Threats count
C:\PolarisX\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYRJbb.dll.vir Infected: Trojan.Win32.Agent.arif 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvUKEwu.dll.vir Infected: Trojan.Win32.Agent.arif 1

The selected area was scanned.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:46:41 AM, on 12/25/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Documents and Settings\Haze\Local Settings\temp\jkos-Haze\binaries\ScanningProcess.exe
C:\Program Files\Trend Micro\HijackThis\Findme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {02AA9E0F-B4EB-4BE9-A769-FD09543FEEC2} (UniInstaller Class) - http://www.sexyads.net/members/voice-installer.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0835BC90-6ABC-4F52-A103-4FC3A61F2C33} (A18X Control) - http://www.albatross18.com/cabs/A18X.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2931566C-B8A6-46C5-BF4D-E6AB9251E953} (Nexon Package Manager Control) - http://www.nexon.co.jp/JP/f/ActiveX/Public/nxpm.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/ ... 1.2.76.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://pcpitstop.com/pestscan/pestscan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 0231545154
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/house ... hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7623BE59-D4CF-4379-ABC4-B39E11854D66} (MabinogiWebAvatarRenderer Class) - http://avatar.mabinogi.jp/3drender/rend ... 07.4.4.cab
O16 - DPF: {77B4BB82-C2AD-4BF8-A1A2-795605604CA8} (CNeoInstallShieldX Object) - http://d-fighter.nefficient.co.kr/samsu ... er/dis.cab
O16 - DPF: {ADCC68D4-AAEA-4338-817D-1F261D9FB759} (ENetLauncher Control) - http://www.dragongemworld.com/Active_X/ENetLauncher.cab
O16 - DPF: {B45E969D-924F-4C83-ACF3-38CDD115AA2C} (MpiPlugin Class) - https://www.isaackorea.net/update/ilkactx.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/control/ ... ctiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} (Logout Class) - http://www.gamengame.com/KALogoutComponent.cab
O16 - DPF: {DB7BF79A-FC51-4B5A-92BC-A65731174380} (InstantAction Game Launcher) - http://www.instantaction.com/download/iaplayer.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: npkcmsvc - Unknown owner - C:\Nexon\Mabinogi\npkcmsvc.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\System32\UAService7.exe

--
End of file - 8209 bytes
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm

Re: Showing multiple threats

Unread postby MikeSwim07 » December 25th, 2008, 1:06 pm

This is my normal post for when you are clear - which you now are - or seem to be.
Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

Now that you are clean, I have some tips & tricks for you to keep your computer clean and secure. The first few (like removing dangerous tools and Windows Update) have to be done, the others are optional.

It may seem like your system will be too much protected with all these things installed, but a lot of programs aren't running always on the background so don't slow down your computer. Please take a look at the following things:

  • Uninstall tools - The following will not only uninstall ComboFix but also clean up some other dangerous tools and backups, clean up the System Restore points and hide the system files.
    • Go to Start
    • Click on Run
    • Type ComboFix /u

    You may delete any logs left on the desktop. Please also delete JavaRa.exe

    You aren't running Firewall Software. Please download and install one

    Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. If you use the Windows Firewall you might think that's sufficient but it only controls one way of the traffic (inbound). Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most used:
    Comodo
    Kerio
    ZoneAlarm
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install WinPatrol - As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. You can download it from this website:
    WinPatrol
    The developer is a well-known man in the MalWare Removal business. If you really like WinPatrol think about upgrading to the PLUS version. It will give you additional features and you will only have to pay once, for your whole malware-free life.
  • Install MVPS HOSTS - This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    For information on how to download and install, please read this tutorial here:
    WinHelp2002
    Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.
  • Use an alternative Internet Browser - Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox << Most used, I use this one myself.
    Opera
  • Bookmark general cleanup links - It could be that your computer is becoming slower and slower. This is not always the cause of malware. Most of the times it's malware when you're computer is suddenly getting slow or doing strange. When the slowdown increases slowly check (so now bookmark) these links for tips & tricks:
    Help! My computer is slow
    Slow Computer? Check here first; it may not be malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

>> Here << you can see how you can help us.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone

Re: Showing multiple threats

Unread postby beangod » December 26th, 2008, 7:02 pm

Yep I think I'm clean, thank you for you help, you guys are great as always.
beangod
Regular Member
 
Posts: 17
Joined: January 13th, 2008, 12:26 pm
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 59 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware