Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Problem with pop ups; please help!

Re: Problem with pop ups; please help!

Post by Jason2781 » February 6th, 2009, 12:22 am

Hey,

Sorry for not responding sooner. Just been really busy. Here are the logs you asked for. Thanks!

-Jason

ComboFix 09-01-21.04 - Owner 2009-02-05 21:34:16.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1534.1010 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -

FILE ::
c:\documents and settings\Owner\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0e0e-1c7b7d37.zip
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-678213a2
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-6925c751
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\538bb179-3e574d45
c:\windows\system32\bituvosu.dll.tmp
c:\windows\system32\guwozova.dll.tmp
c:\windows\system32\huvagobi.dll
c:\windows\system32\ivakafot.tmp
c:\windows\system32\leperamu.dll.tmp
c:\windows\system32\leruwuzu.dll.tmp
c:\windows\system32\mesakopi.dll
c:\windows\system32\mizejeti.dll.tmp
c:\windows\system32\motimuha.dll.tmp
c:\windows\system32\pemugobo.dll
c:\windows\system32\pivejehu.dll
c:\windows\system32\poyasava.dll.tmp
c:\windows\system32\rokogusi.dll.tmp
c:\windows\system32\wuzopagu.dll.tmp
c:\windows\system32\yoyebinu.dll.tmp
c:\windows\system32\yozehuwu.dll
c:\windows\system32\zagokagi.dll.tmp
c:\windows\system32\zuvozaju.dll.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\.jpi_cache\jar\1.0\jvmsecman.jar-69ee0e0e-1c7b7d37.zip
c:\documents and settings\Owner\Application Data\BitTorrent
c:\documents and settings\Owner\Application Data\BitTorrent\[W90]MasonWyler - Jonny T., Mason, Ricky M. (Feb 2, 09).wmv.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Bruce Springsteen - Working On A Dream [mp3-320-2009].torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Bruce_Springsteen_&_The_E_Street_Band_-_Greatest Hits-2009-DDAWN[www.dutchdawn.com].torrent
c:\documents and settings\Owner\Application Data\BitTorrent\CF-ACM0632 - Cole's First Time.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Corbin Fisher's Amateur College Men - ACM0632 - Cole's First Time.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\dht.dat
c:\documents and settings\Owner\Application Data\BitTorrent\dht.dat.old
c:\documents and settings\Owner\Application Data\BitTorrent\Dylan McLovin_fucks_TommyD.wmv.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Eurocreme (TWINKZ) - BAREBACK STREET GANG.avi.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Huge Boys Bare .avi.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Photo_Shoot[CocksureMen].wmv.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\rb_Christian_fucks_Trent.wmv.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\resume.dat
c:\documents and settings\Owner\Application Data\BitTorrent\resume.dat.old
c:\documents and settings\Owner\Application Data\BitTorrent\rss.dat
c:\documents and settings\Owner\Application Data\BitTorrent\rss.dat.old
c:\documents and settings\Owner\Application Data\BitTorrent\sc0746 - Shane & Curtis.wmv.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\settings.dat
c:\documents and settings\Owner\Application Data\BitTorrent\settings.dat.old
c:\documents and settings\Owner\Application Data\BitTorrent\The-Trainer-and-the-Kid.avi.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Twinks Love Bareback And Cum.avi.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\VA-Anjunabeats.Vol.6.Mixed.AboYe.And.Beyond.2CD.(2008).[BajandoAlbums.CoM].rar.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\VA-Anjunabeats_Vol_6__Mixed_By_Above_And_Beyond-2CD-2008-TGX_www.trancezone.nu.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Wipeout HD Custom.torrent
c:\documents and settings\Owner\Application Data\BitTorrent\Wolverine.And.The.X-Men.Complete Season1.torrent
c:\documents and settings\Owner\Application Data\DNA
c:\documents and settings\Owner\Application Data\DNA\dht.dat
c:\documents and settings\Owner\Application Data\DNA\dht.dat.old
c:\documents and settings\Owner\Application Data\DNA\dna.lng
c:\documents and settings\Owner\Application Data\DNA\resume.dat
c:\documents and settings\Owner\Application Data\DNA\resume.dat.old
c:\documents and settings\Owner\Application Data\DNA\rss.dat
c:\documents and settings\Owner\Application Data\DNA\rss.dat.old
c:\documents and settings\Owner\Application Data\DNA\settings.dat
c:\documents and settings\Owner\Application Data\DNA\settings.dat.old
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-678213a2
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-678213a2\
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-6925c751
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-6925c751\
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\538bb179-3e574d45
c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\538bb179-3e574d45\
c:\program files\BitTorrent
c:\program files\BitTorrent\bittorrent.exe
c:\program files\BitTorrent\BitTorrentIE.2.dll
c:\program files\BitTorrent\uninst.exe
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
C:\VundoFix Backups
c:\vundofix backups\awvtq.dll.bad
c:\vundofix backups\hhkmp.bak1.bad
c:\vundofix backups\hhkmp.bak2.bad
c:\vundofix backups\hhkmp.ini.bad
c:\vundofix backups\pmkhh.dll.bad
c:\vundofix backups\svknhis.dll .bad
c:\windows\system32\bituvosu.dll.tmp
c:\windows\system32\guwozova.dll.tmp
c:\windows\system32\huvagobi.dll
c:\windows\system32\ivakafot.tmp
c:\windows\system32\leperamu.dll.tmp
c:\windows\system32\leruwuzu.dll.tmp
c:\windows\system32\mesakopi.dll
c:\windows\system32\mizejeti.dll.tmp
c:\windows\system32\motimuha.dll.tmp
c:\windows\system32\pemugobo.dll
c:\windows\system32\pivejehu.dll
c:\windows\system32\poyasava.dll.tmp
c:\windows\system32\rokogusi.dll.tmp
c:\windows\system32\wuzopagu.dll.tmp
c:\windows\system32\yoyebinu.dll.tmp
c:\windows\system32\yozehuwu.dll
c:\windows\system32\zagokagi.dll.tmp
c:\windows\system32\zuvozaju.dll.tmp

.
((((((((((((((((((((((((( Files Created from 2009-01-06 to 2009-02-06 )))))))))))))))))))))))))))))))
.

2009-01-28 23:51 . 2009-01-28 23:51 <DIR> d-------- c:\documents and settings\Owner\Application Data\WTablet
2009-01-28 21:36 . 2009-01-28 21:36 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-28 21:36 . 2009-01-28 21:36 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-28 21:36 . 2009-01-28 21:36 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-28 21:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-28 21:36 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-26 18:39 . 2009-01-28 00:06 <DIR> d-------- C:\Lop SD

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-28 05:03 --------- d-----w c:\program files\Viewpoint
2009-01-17 09:34 --------- d-----w c:\program files\Google
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2008-12-26 04:18 --------- d-----w c:\program files\Tablet
2008-12-25 17:59 6,944 ----a-w c:\windows\system32\ealregsnapshot1.reg
2008-12-25 17:58 --------- d-----w c:\program files\Electronic Arts
2008-12-25 17:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-10 03:32 --------- d-----w c:\program files\iTunes
2008-12-10 03:32 --------- d-----w c:\program files\iPod
2008-12-10 03:32 --------- d-----w c:\program files\Common Files\Apple
2008-12-10 03:32 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-10 03:31 --------- d-----w c:\program files\QuickTime
2008-12-10 03:22 --------- d-----w c:\program files\Safari
2008-12-06 01:36 --------- d-----w c:\program files\Sims2Pack Clean Installer
2008-11-13 16:26 410,976 ----a-w c:\windows\system32\deploytk.dll
2007-12-05 23:04 284 -c--a-w c:\documents and settings\Owner\Application Data\ViewerApp.dat
2007-11-13 14:12 382 -c--a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2006-06-26 03:13 565,248 -csha-w c:\program files\ehthumbs.db
.

((((((((((((((((((((((((((((( snapshot_2009-01-28_ 0.20.12.39 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-01-27 08:12:06 16,384 -csha-w c:\windows\Temp\Cookies\index.dat
+ 2009-02-03 23:09:35 16,384 -csha-w c:\windows\Temp\Cookies\index.dat
- 2009-01-27 08:12:06 16,384 -csha-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-02-03 23:09:35 16,384 -csha-w c:\windows\Temp\History\History.IE5\index.dat
+ 2009-02-03 23:09:40 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2a0.dat
+ 2009-02-03 23:09:42 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_80c.dat
+ 2009-01-31 00:31:43 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_8ac.dat
- 2009-01-27 08:12:06 32,768 -csha-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-03 23:09:35 32,768 -csha-w c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
"H/PC Connection Agent"="c:\progra~1\MI3AA1~1\wcescomm.exe" [2006-06-20 1207080]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-01-04 133104]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [BU]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 6731312]
"ShowWnd"="ShowWnd.exe" [2003-09-19 c:\windows\ShowWnd.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-01-05 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-01-31 c:\windows\ALCWZRD.EXE]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F2A0229A-C4CA-4789-B606-973D24DCDD1C}"= "c:\progra~1\mcafee\mcafee antispyware\mssshell.dll" [2005-07-17 155769]
path=
backup=

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 04:25 6731312 c:\program files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
--a------ 2008-07-22 12:34 2772992 c:\program files\Electronic Arts\EADM\Core.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2009-01-04 12:24 133104 c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a--c--- 2004-06-23 21:22 729088 c:\program files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a--c--- 2001-08-16 23:41 28738 c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
--a------ 2008-01-07 15:02 495616 c:\program files\Winamp Remote\bin\OrbTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
--a------ 2002-09-14 01:42 212992 c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Reminder]
--a--c--- 2005-03-09 10:49 966656 c:\windows\creator\remind_xp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 11:35 90112 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-11-13 11:26 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 15:45 313472 c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
--a------ 2008-01-15 17:54 37376 c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-11-03 19:20 866584 c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a--c--- 2001-10-05 19:34 24576 c:\program files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
--a--c--- 2004-05-17 20:30 543232 c:\windows\zHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Netscape\\Netscape\\Netscp.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MidTen Media\\Comic Collector Live\\CCL.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AUPDATE.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R4 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2008-12-25 1373480]
R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-10-10 24652]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder

2009-02-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-02-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3980681228-1451906632-1211546294-1006.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-04 12:24]

2009-02-03 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5kfmn57h.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\5kfmn57h.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 21:35:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3980681228-1451906632-1211546294-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\ActiveSync]
"Name"="ActiveSync"
"DisplayName"="Microsoft ActiveSync"
"Param1"="ActiveSync"
"Type"="wellknown"
"Order"=dword:00000001
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3980681228-1451906632-1211546294-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\IESettings]
"Name"="IESettings"
"Type"="IESettings"
"Order"=dword:00000004
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3980681228-1451906632-1211546294-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\MediaFiles]
"Name"="MediaFiles"
"Type"="MediaFiles"
"Order"=dword:00000003
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3980681228-1451906632-1211546294-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\NPW]
"Name"="NPW"
"Param1"="NPW"
"Type"="wellknown"
"Order"=dword:00000002
"State"=dword:0000000b

[HKEY_USERS\S-1-5-21-3980681228-1451906632-1211546294-1006\Software\Microsoft\Windows Mobile Disc\S*a*m*s*u*n*g* *B*l*a*c*k*J*a*c*k*"!\CriticalAppInstall\Outlook]
"Name"="Outlook"
"DisplayName"="Microsoft Outlook"
"Param1"="Outlook"
"Type"="wellknown"
"Order"=dword:00000000
"State"=dword:00000002

[HKEY_USERS\S-1-5-21-3980681228-1451906632-1211546294-1006\Software\SecuROM\License information*]
"datasecu"=hex:bc,83,e5,ce,b8,7b,5d,03,91,57,26,b7,fa,a2,44,8f,a3,92,a6,1c,17,
ff,86,87,43,9b,a5,11,f7,c9,eb,99,8a,5f,ff,a1,27,74,b1,d5,c5,3f,bb,ad,05,2f,\
"rkeysecu"=hex:3e,80,9e,c4,40,b4,90,83,87,8e,33,49,64,ac,f8,d9
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-02-05 21:39:48
ComboFix-quarantined-files.txt 2009-02-06 02:38:31
ComboFix2.txt 2009-01-31 16:51:37
ComboFix3.txt 2009-01-28 05:22:37
ComboFix4.txt 2009-01-27 00:24:38
ComboFix5.txt 2009-02-06 02:33:44

Pre-Run: 24,526,749,696 bytes free
Post-Run: 24,687,280,128 bytes free

330 --- E O F --- 2009-02-02 15:31:27


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3831 (20090205)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=4841963b53b72c4dba6fd0190da97b30
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2009-02-06 04:08:13
# local_time=2009-02-05 11:08:13 (-0500, Eastern Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=629634
# found=97
# scan_time=4959
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\bdwlqloh.exe Win32/Obfuscated.A1 trojan 3F512AA28CB1BC05059E7699D240E6A9
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\cfjilnwd.exe probably a variant of Win32/TrojanDownloader.Swizzor.NBD trojan E0CBD5668EBF28515C3E1D3343B5AD53
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\jsgypvwx.exe Win32/Obfuscated.A1 trojan DA9D8AF38766698DA0F2D18346972F68
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\khyvhnce.exe probably a variant of Win32/Inject trojan 284F9C9DEE07694E64D2DFCB2AB7755D
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\nfbkckag.exe Win32/Obfuscated.A1 trojan 66F688A67C152C2DF6424BB6B228DA42
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\oqaxjwio.exe Win32/Obfuscated.A1 trojan 3F425B07228117E9453CEC195707306E
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\qshtifsm.exe probably a variant of Win32/TrojanDownloader.Swizzor.NBD trojan 1AFDF6B4E39DDBFC969634314650F30D
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\tetbcdag.exe probably a variant of Win32/TrojanDownloader.Agent trojan B72962536C6AF3AFCF02D6CD27F87DF1
C:\Lop SD\Backup-Lop\DOCUME~1\Owner\APPLIC~1\DUMBSA~1\vdpovnts.exe Win32/Obfuscated.A1 trojan 05BC74DDB13D2D827CB7AE0F08F5B51B
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\23354cf3-678213a2.vir Java/TrojanDownloader.OpenStream.NAC trojan DBEE24E93B7EFBC279DAA14F64E9575E
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\25d09bb3-6925c751.vir Java/TrojanDownloader.OpenStream.NAC trojan DBEE24E93B7EFBC279DAA14F64E9575E
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\538bb179-3e574d45.vir Java/TrojanDownloader.OpenStream.NAB trojan CEC0DD504B18CCC2D97A22CECE9C96E7
C:\QooBox\Quarantine\C\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\57\538bb179-3e574d45.vir »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan 00000000000000000000000000000000
C:\QooBox\Quarantine\C\DOCUME~1(3)\Owner\APPLIC~1(3)\SCURIT~1\w?wexec.exe.vir probably a variant of Win32/Adware.PurityScan application A8FCE4384AB9AC5F46A4D7772D4847C8
C:\QooBox\Quarantine\C\DOCUME~1(3)\Owner\MYDOCU~1\YSTEM~1\wucrtupd.exe.vir a variant of Win32/TrojanDownloader.PurityScan trojan 120C80C02BF33763451A35FC25B85330
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\crap.1165322059.old.vir probably a variant of Win32/Adware.BHO.BY application 8C2189F6BEB2EFD8AEB264A8F0215AA5
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\crap.1165947043.old.vir probably a variant of Win32/Adware.BHO.BY application 0F4ED0332A04F71426556795E734A016
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\crap.1166051515.old.vir Win32/TrojanClicker.BHO.S trojan E684A77D8A99280E46410AF68AD37C7A
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\crap.1166073476.old.vir Win32/TrojanClicker.BHO.S trojan E684A77D8A99280E46410AF68AD37C7A
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\crap.1166336981.old.vir Win32/TrojanClicker.BHO.S trojan E684A77D8A99280E46410AF68AD37C7A
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\crap.1166571235.old.vir Win32/TrojanClicker.BHO.S trojan C6688D5B1369AE7B2738CDAEAF7007FC
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1165947043.old.vir Win32/TrojanClicker.BHO.S trojan 8159FE7B6992B9D72748AD5192ADE634
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1166051515.old.vir Win32/TrojanClicker.BHO.S trojan 1D09E08B492B0EF7D2B73E21026F645D
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1166073475.old.vir Win32/TrojanClicker.BHO.S trojan 8159FE7B6992B9D72748AD5192ADE634
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1166336980.old.vir Win32/TrojanClicker.BHO.S trojan 8159FE7B6992B9D72748AD5192ADE634
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.1166571235.old.vir Win32/TrojanClicker.BHO.S trojan 8159FE7B6992B9D72748AD5192ADE634
C:\QooBox\Quarantine\C\Program Files\WinBudget\bin\matrix.dll.vir probably a variant of Win32/Adware.BHO.BY application F08371665A9DC5B6FB181D1B90673978
C:\QooBox\Quarantine\C\VundoFix Backups\awvtq.dll.bad.vir a variant of Win32/Adware.Virtumonde.FP application 51976F9B1ED4C817CF5FF467DDF75537
C:\QooBox\Quarantine\C\VundoFix Backups\pmkhh.dll.bad.vir a variant of Win32/Adware.Virtumonde.FP application 51976F9B1ED4C817CF5FF467DDF75537
C:\QooBox\Quarantine\C\VundoFix Backups\svknhis.dll .bad.vir probably a variant of Win32/Adware.PurityScan application ED11C01E7BDE9ED439D04DDA3080DA96
C:\QooBox\Quarantine\C\WINDOWS\system32\bahurefa.dll.vir Win32/Adware.Virtumonde application AD66918E34324988A659BAE54264D79A
C:\QooBox\Quarantine\C\WINDOWS\system32\bizozuye.dll.vir Win32/Adware.Virtumonde application 71A03F4531E207500EDE7FF3A5CFBDC1
C:\QooBox\Quarantine\C\WINDOWS\system32\dafajone.dll.vir Win32/Adware.Virtumonde application 039E3E4107DAFAEB0C4717B4C95E42C4
C:\QooBox\Quarantine\C\WINDOWS\system32\dawuluze.dll.vir Win32/Adware.Virtumonde application 546560623610701376B9BE31BF2DCA5F
C:\QooBox\Quarantine\C\WINDOWS\system32\dupupimo.dll.vir Win32/Adware.Virtumonde application ABF0B850C2EA5BE41C3A2540067B4845
C:\QooBox\Quarantine\C\WINDOWS\system32\fasodoya.dll.vir Win32/Adware.Virtumonde application 2384371CC8353B1A009F4D52BB50473A
C:\QooBox\Quarantine\C\WINDOWS\system32\fehunado.dll.vir Win32/Adware.Virtumonde application A9A98CE54C90101B904C8C7AFE8BB90A
C:\QooBox\Quarantine\C\WINDOWS\system32\feyulisu.dll.vir Win32/Adware.Virtumonde application 011337110718631C4BD0CAE896CBD734
C:\QooBox\Quarantine\C\WINDOWS\system32\furimaro.dll.vir Win32/Adware.Virtumonde application 0FE0607F168D7A2B2D5796B0B8DCC12A
C:\QooBox\Quarantine\C\WINDOWS\system32\galifuza.dll.vir Win32/Adware.Virtumonde application 297936A51DEF8BB0DBFA365F6E7B93C5
C:\QooBox\Quarantine\C\WINDOWS\system32\gedobago.dll.vir Win32/Adware.Virtumonde application A34EDF8602CDF1CAE4C315E2AEFF7A63
C:\QooBox\Quarantine\C\WINDOWS\system32\gjjjmdiu.dll.vir Win32/Adware.Virtumonde application 6FA8E72FD19C9B6C3EAAF263DA6C31FA
C:\QooBox\Quarantine\C\WINDOWS\system32\gosavaja.dll.vir Win32/Adware.Virtumonde application 205418E8A60E31ADF52356470F7208D6
C:\QooBox\Quarantine\C\WINDOWS\system32\hurevubi.dll.vir Win32/Adware.Virtumonde application 9C5671CF7D107BE5853B20EC1D238733
C:\QooBox\Quarantine\C\WINDOWS\system32\jabubewi.dll.vir Win32/Adware.Virtumonde application B9F622691BDD5BBFA3F2796F1E64B40E
C:\QooBox\Quarantine\C\WINDOWS\system32\jefaduku.dll.vir Win32/Adware.Virtumonde application 465EFAE887A906AABF052103C357D3F7
C:\QooBox\Quarantine\C\WINDOWS\system32\jihikowi.dll.vir Win32/Adware.Virtumonde application 3FBD19F654C0AB286D0C2F829B389E43
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjg.dll.vir a variant of Win32/Adware.Virtumonde.FP application 1A4D4AB93B237544CE76263B2DEA3233
C:\QooBox\Quarantine\C\WINDOWS\system32\jovohovi.dll.vir Win32/Adware.Virtumonde application F6285783DCB6DA07E7DAEBB002F0F5E6
C:\QooBox\Quarantine\C\WINDOWS\system32\kajohewa.dll.vir Win32/Adware.Virtumonde application E6BFA5E2DFDE0644AF5EFAA5EBD5414E
C:\QooBox\Quarantine\C\WINDOWS\system32\kajojife.dll.vir Win32/Adware.Virtumonde application 21049B2B98FF9B841DCB6378F6F5F70D
C:\QooBox\Quarantine\C\WINDOWS\system32\kemuzoju.dll.vir Win32/Adware.Virtumonde application 4716EF9CA3B4C0C7911557D1E5CE49EC
C:\QooBox\Quarantine\C\WINDOWS\system32\keyiyiho.dll.vir Win32/Adware.Virtumonde application 422BE858A1FC463020D9C786D0B30F31
C:\QooBox\Quarantine\C\WINDOWS\system32\kibozebe.dll.vir Win32/Adware.Virtumonde application 21049B2B98FF9B841DCB6378F6F5F70D
C:\QooBox\Quarantine\C\WINDOWS\system32\lapefafi.dll.vir Win32/Adware.Virtumonde application 5E196E449A00C6A90A3813042B32F6B1
C:\QooBox\Quarantine\C\WINDOWS\system32\lirolohu.dll.vir Win32/Adware.Virtumonde application 896591A77B6452858BAC50D5CFED2215
C:\QooBox\Quarantine\C\WINDOWS\system32\mesakopi.dll.vir Win32/Adware.Virtumonde application C57F1FD9C402A58047FD9D278410C606
C:\QooBox\Quarantine\C\WINDOWS\system32\mesirako.dll.vir Win32/Adware.Virtumonde application 63AB6D635698360DF0F24EF8E5F17783
C:\QooBox\Quarantine\C\WINDOWS\system32\mihezazo.dll.vir Win32/Adware.Virtumonde application 68BB01470BF67000D1FC4F6B662F1E11
C:\QooBox\Quarantine\C\WINDOWS\system32\mljgg.dll.vir a variant of Win32/Adware.Virtumonde.FP application 51976F9B1ED4C817CF5FF467DDF75537
C:\QooBox\Quarantine\C\WINDOWS\system32\najukabu.dll.vir Win32/Adware.Virtumonde application EEF179AF301E1EDB287B127528740D4F
C:\QooBox\Quarantine\C\WINDOWS\system32\netawesi.dll.vir Win32/Adware.Virtumonde application 1F4480B9CC3066A1A830EF62F084B2DC
C:\QooBox\Quarantine\C\WINDOWS\system32\pageteba.dll.vir Win32/Adware.Virtumonde application DF300B33BB6A96457963CE920FA479DA
C:\QooBox\Quarantine\C\WINDOWS\system32\pemugobo.dll.vir Win32/Adware.Virtumonde application 51078ABE6EB9F3E0F792986CDB667F8A
C:\QooBox\Quarantine\C\WINDOWS\system32\pudosuji.dll.vir Win32/Adware.Virtumonde application C0762C2DA281A89E6C3ABEC0145FCA61
C:\QooBox\Quarantine\C\WINDOWS\system32\rikevuku.dll.vir Win32/Adware.Virtumonde application 5C77AE5DBCE617B264B362DA2D64EFDD
C:\QooBox\Quarantine\C\WINDOWS\system32\sesefuhu.dll.tmp.vir Win32/Adware.Virtumonde application 71A03F4531E207500EDE7FF3A5CFBDC1
C:\QooBox\Quarantine\C\WINDOWS\system32\setideru.dll.vir Win32/Adware.Virtumonde application 8725E2EBE6A3DD0E27068885E0287BB2
C:\QooBox\Quarantine\C\WINDOWS\system32\sotogiko.dll.tmp.vir Win32/Adware.Virtumonde application 21049B2B98FF9B841DCB6378F6F5F70D
C:\QooBox\Quarantine\C\WINDOWS\system32\sulezuto.dll.vir Win32/Adware.Virtumonde application 3853847C08EE1ACC58E79DEE7609D75B
C:\QooBox\Quarantine\C\WINDOWS\system32\suvatonu.dll.vir Win32/Adware.Virtumonde application 095355B75FC57FF29D98EDADD4CD0F47
C:\QooBox\Quarantine\C\WINDOWS\system32\suvobepo.dll.vir Win32/Adware.Virtumonde application 3678364B4806F6B1ED20EC805328634F
C:\QooBox\Quarantine\C\WINDOWS\system32\suyisuso.dll.vir Win32/Adware.Virtumonde application A3CA98C0F1A46E92065EC989345B06E4
C:\QooBox\Quarantine\C\WINDOWS\system32\vomobozi.dll.vir Win32/Adware.Virtumonde application 896ECB1A85116D73EE3DC313625DEF36
C:\QooBox\Quarantine\C\WINDOWS\system32\walonupu.dll.vir Win32/Adware.Virtumonde application 4D9FE241E063353BFBD415EF5384BA1B
C:\QooBox\Quarantine\C\WINDOWS\system32\wojefere.dll.vir Win32/Adware.Virtumonde application CCC2AC49874FB7B9A235BB69AA409C1B
C:\QooBox\Quarantine\C\WINDOWS\system32\yekotaju.dll.vir Win32/Adware.Virtumonde application 78943BA154D3FAA342BBDDE00B6BA721
C:\QooBox\Quarantine\C\WINDOWS\system32\yeteyoya.dll.vir Win32/Adware.Virtumonde application D9648B431BC0141FC098BF1594C6957A
C:\QooBox\Quarantine\C\WINDOWS\system32\yigedfnv.dll.vir a variant of Win32/BHO.G trojan 877E9387775E415332E2C7D8D233B9C6
C:\QooBox\Quarantine\C\WINDOWS\system32\yijugahi.dll.vir Win32/Adware.Virtumonde application 202E32CFBFB2226ED362F42C1A7C598B
C:\QooBox\Quarantine\C\WINDOWS\system32\yodohasi.dll.vir Win32/Adware.Virtumonde application 672057B79AEFE4E553727548E5CA22B4
C:\QooBox\Quarantine\C\WINDOWS\system32\yotukuzo.dll.vir Win32/Adware.Virtumonde application CDE64ACDCDC1D3B04CC9BCEA82D6EEE3
C:\QooBox\Quarantine\C\WINDOWS\system32\yozehuwu.dll.vir Win32/Adware.Virtumonde application 488A4ECEAD4BB5B9CF939345485EE385
C:\QooBox\Quarantine\C\WINDOWS\system32\yozojuba.dll.vir Win32/Adware.Virtumonde application 02F459C8D6E347E3C53C327FA2F94F83
C:\QooBox\Quarantine\C\WINDOWS\system32\yunuduha.dll.vir Win32/Adware.Virtumonde application A1DDED98C9D363ADA0149AB865C02AEF
C:\QooBox\Quarantine\C\WINDOWS\system32\yutayigi.dll.vir Win32/Adware.Virtumonde application DD566CBECEBF4EBC99AD94EA2EA746FE
C:\QooBox\Quarantine\C\WINDOWS\system32\zikujame.dll.vir Win32/Adware.Virtumonde application 71A03F4531E207500EDE7FF3A5CFBDC1
C:\QooBox\Quarantine\C\WINDOWS\system32\zusekuga.dll.vir Win32/Adware.Virtumonde application 3E1AB478062506216337DA610F8667B0
C:\QooBox\Quarantine\C\WINDOWS\system32\f10WtR\f10WtR1099.exe.vir a variant of Win32/TrojanDownloader.VB.AWJ trojan 64F3532920F73C6E9C0F5DEF8BD560EF
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\DOCUME~1\Owner\APPLIC~1\dumbsavereadme\Show tray.exe Win32/Obfuscated.A1 trojan 8A229CCC46BFF76AD122F1F39AAF6A52
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\Program Files\poolsv\wr-1-0000077.exe Win32/TrojanDownloader.Small.EQN trojan F5210D0508B4E2BEA9379DF4A16FF437
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\Program Files\svhost\wr-1-0000077.exe Win32/TrojanDownloader.Small.EQN trojan F5210D0508B4E2BEA9379DF4A16FF437
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\cfmbgyoj.dll.vir Win32/Adware.Virtumonde.KI application CF69CDD8BC8BCB2FA4BFE350BEA48471
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\dbexxotb.dll.vir Win32/BHO.G trojan 364798B0004288C5F23D7821F6C0B065
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\dvqfsxda.dll.vir Win32/Spy.VBStat.J trojan 0526A23F50CB325C6EDBF56C45C46507
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\jkkjj.dll.vir Win32/Adware.Virtumonde.FP application 123EB0C9FA625C3A2986EA04FF698405
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\WINDOWS\system32\config\systemprofile\Application Data\dumbsavereadme\Show tray.exe Win32/Obfuscated.A1 trojan 8A229CCC46BFF76AD122F1F39AAF6A52


Logfile of HijackThis v1.99.1
Scan saved at 11:23:37 PM, on 2/5/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\RMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\Scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=488
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &Winamp Toolbar Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures04.aim.com/ygp/aol/plugi ... .5.1.8.cab
O16 - DPF: {BC18E6DF-BE57-4580-93E8-F228F9A133AA} (MaxisSimCity4LotTeleX Control) - http://simcity.ea.com/exchange/lots/tel ... tTeleX.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Jason2781
Regular Member
 
Posts: 18
Joined: June 30th, 2007, 9:50 pm
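The ESET log above is worth reading for its MD5 column as well as its detection names: several randomly named DLLs in the quarantine carry the same hash (for example kibozebe.dll.vir and sotogiko.dll.tmp.vir, or sesefuhu.dll.tmp.vir and zikujame.dll.vir), which means one Virtumonde sample was written to disk under several throwaway names. The script below is an added example, not part of Jason2781's post or of any tool he ran. It parses lines copied verbatim from the log (the format, path then detection then MD5 as the last token, is inferred from those lines), groups them by hash, and separates "same sample, different random name" from "same file copied into two directories":

```python
"""Group ESET Online Scanner detections by MD5 to spot one sample dropped
under several randomised file names, as Virtumonde/Vundo does.

Added example, not part of the original forum post. The log lines below
are copied from the scan log posted above; the line format (path, then
detection name, then MD5 as the last token) is inferred from those lines.
"""
import re
from collections import defaultdict

# Eight lines copied from the log above (kept verbatim, not constructed).
SAMPLE_LOG = r"""
C:\QooBox\Quarantine\C\WINDOWS\system32\kibozebe.dll.vir Win32/Adware.Virtumonde application 21049B2B98FF9B841DCB6378F6F5F70D
C:\QooBox\Quarantine\C\WINDOWS\system32\sotogiko.dll.tmp.vir Win32/Adware.Virtumonde application 21049B2B98FF9B841DCB6378F6F5F70D
C:\QooBox\Quarantine\C\WINDOWS\system32\sesefuhu.dll.tmp.vir Win32/Adware.Virtumonde application 71A03F4531E207500EDE7FF3A5CFBDC1
C:\QooBox\Quarantine\C\WINDOWS\system32\zikujame.dll.vir Win32/Adware.Virtumonde application 71A03F4531E207500EDE7FF3A5CFBDC1
C:\QooBox\Quarantine\C\WINDOWS\system32\yigedfnv.dll.vir a variant of Win32/BHO.G trojan 877E9387775E415332E2C7D8D233B9C6
C:\QooBox\Quarantine\C\WINDOWS\system32\f10WtR\f10WtR1099.exe.vir a variant of Win32/TrojanDownloader.VB.AWJ trojan 64F3532920F73C6E9C0F5DEF8BD560EF
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\DOCUME~1\Owner\APPLIC~1\dumbsavereadme\Show tray.exe Win32/Obfuscated.A1 trojan 8A229CCC46BFF76AD122F1F39AAF6A52
C:\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\_OTMoveIt\MovedFiles\WINDOWS\system32\config\systemprofile\Application Data\dumbsavereadme\Show tray.exe Win32/Obfuscated.A1 trojan 8A229CCC46BFF76AD122F1F39AAF6A52
"""

# <path, may contain spaces>  <detection text, starts at Family/Name>  <32-hex MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+(?:\s+\S+)*?)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_eset_log(text):
    """Parse scanner output into dicts with path, detection and md5 keys.
    Lines that do not fit the format (headers, blanks) are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
    return records


def basename(path):
    """Last component of a Windows path."""
    return path.rsplit("\\", 1)[-1]


def group_by_hash(records):
    """{md5: [paths]}: the same hash under different names is one sample."""
    groups = defaultdict(list)
    for rec in records:
        groups[rec["md5"]].append(rec["path"])
    return dict(groups)


def renamed_duplicates(records):
    """Hashes seen under more than one distinct file name, names sorted.
    One file copied into two directories does not count as renaming."""
    out = {}
    for md5, paths in group_by_hash(records).items():
        names = sorted({basename(p) for p in paths})
        if len(names) > 1:
            out[md5] = names
    return out


def detection_counts(records):
    """How many files each detection name accounted for."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["detection"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_eset_log(SAMPLE_LOG)
    for md5, names in renamed_duplicates(recs).items():
        print(md5, "->", ", ".join(names))
    for det, n in sorted(detection_counts(recs).items()):
        print(f"{n:3d}  {det}")
```

Run against the full log rather than the eight lines here, the hash groups tell you how many distinct samples were actually on the box versus how many names they hid behind; the two "Show tray.exe" hits, by contrast, are one file that landed in both the user profile and the SYSTEM profile, which is a persistence hint rather than a renaming one.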

Re: Problem with pop ups; please help!

Post by Axephilic » February 6th, 2009, 2:04 pm

Congratulations, you are now all clean! To help prevent you from becoming reinfected, please follow the instructions below in order. If you have any questions, please feel free to ask them. If after 48 hours you have not responded to this, then I will assume you have no questions and have the topic closed.

I see from your logs that you have AVG Anti-Spyware 7.5. I would like to let you know that this product is outdated and no longer supported by Grisoft. It doesn't receive any updates anymore, so it is basically useless. I recommend using MalwareBytes' Anti-Malware instead. ;)

First, let's uninstall ComboFix:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Click the CleanUp! button.
  • When it prompts you to Restart, click Yes.

Flush the system restore points

  1. Right click on My Computer and select Properties.
  2. Select the System Restore tab.
  3. Check (tick) Turn off system restore on all drives box.
  4. Click Apply.
  5. Uncheck (untick) Turn off system restore on all drives box.
  6. Click OK.
  7. Restart your computer.
Note: Do this only ONCE, don't flush it regularly.

Keep your system updated

Microsoft releases patches for Windows and Office products regularly to patch up loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly, or update your system regularly.

Install the updates immediately if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

To update Windows and Office

Go to Start > All Programs > Microsoft Update


Alternatively, you can visit the link below to update Windows and Office products.

Microsoft Update

I also recommend, if it's not already on, to enable Automatic updates. It will notify you whenever there are new updates available. Here's how:

  1. Go to Start > Control Panel > Automatic Updates
  2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
  3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
  4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

Besides Windows, which needs regular updating, antivirus, anti-spyware and firewall programs need to be updated regularly too.

Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

Surf safely

Many of the exploits are directed at users of Internet Explorer and Firefox.

Using Firefox with NoScript add-on helps to prevent most exploits from running as NoScript by default disables all scripts on all websites. If you trust the website, you can manually allow it.

If you prefer to use Internet Explorer, here are some settings to change to improve the security of Internet Explorer.

For Internet Explorer 7

Please read this article to configure Internet Explorer 7 properly.

Backup regularly

You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft article to learn how to back up. Follow this article by Microsoft to restore your backups.

Alternatively, you can use 3rd-party programs to back up your data. One example can be found at Bleeping Computer.

Avoid P2P

P2P may be a great way to get lots of stuff, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. If you do need to use them, use them sparingly. Check this list of clean and infected P2P programs if you need to use one.

Prevent a re-infection

  1. Winpatrol
    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

    You can get a free copy of Winpatrol or use the Plus version for more features.

    You can read Winpatrol's FAQ if you run into problems.

  2. Hosts File
    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    A new Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by redirecting these bad sites to 127.0.0.1.

    Here are some Hosts files:

    MVPS Hosts File
    Bluetack's Hosts File
    Bluetack's Host Manager
    hpHosts

    A tutorial about Hosts File can be found at Malware Removal.

  3. Spybot Search and Destroy
    Spybot Search & Destroy is another program for scanning for spyware and adware. Not only that, it has other preventive options as well. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    Before downloading any anti-spyware programs, always check the Rogue/Suspect list of anti-spyware programs and Malwarebytes RogueNET. This will save you from a lot of trouble. If in doubt, don't ever download it.

  4. SiteHound Toolbar
    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that potentially has lots of viruses or spyware, or that has questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.


Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Happy surfing and stay clean!

Regards,
Adam
Axephilic
Retired Graduate
 
Posts: 2180
Joined: June 18th, 2007, 1:10 pm
Location: Wisconsin, US
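The Hosts File item in the post above describes the mechanism in one sentence: the PC consults the hosts file before DNS, so a blocklist-style file that maps bad names to 127.0.0.1 (or 0.0.0.0) keeps the browser from ever reaching them. Two practical details follow from how that lookup works and are worth seeing in code: matching is on the exact name only (an entry for ads.example.net does nothing for sub.ads.example.net), and the same file is a hijack target, because an entry that sends a name to a real, non-local address redirects rather than blocks. The script below is an added example, not part of Axephilic's post or of the MVPS, Bluetack or hpHosts projects it links; its hosts content is constructed for illustration.

```python
"""Resolve names the way the Hosts-file step above describes: exact-name
lookup in the hosts table before DNS, with sinkhole addresses meaning
"blocked". Also flags entries that point a name at a real address, which
is what a hijacked hosts file (as opposed to a blocklist) looks like.

Added example, not part of the original post or of the MVPS/hpHosts/
Bluetack projects it mentions. The hosts content below is constructed.
"""
import ipaddress

# Addresses blocklists use to sink traffic (IPv4 loopback, unspecified, IPv6 loopback).
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample in the layout MVPS-style hosts files use.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.example.net  banners.example.net   # blocked ad servers
0.0.0.0  tracker.example.org
127.0.0.1  malware.example.com
198.51.100.7  update.example-av.com   # NOT local: a redirect, not a block
this is not a hosts line
"""


def parse_hosts(text):
    """Return {hostname: address}. '#' starts a comment, several names may
    follow one address, and lines that do not start with an IP are ignored."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line: not an address, skip it
        for name in parts[1:]:
            table[name.lower()] = addr
    return table


def lookup(hostname, table):
    """The hosts-file stage of resolution: exact, case-insensitive match on
    the full name. No wildcards, so sub.ads.example.net is not covered by
    an ads.example.net entry. None means DNS would be consulted next."""
    return table.get(hostname.lower().rstrip("."))


def is_blocked(hostname, table):
    """True when the hosts file sinkholes the name (localhost excluded)."""
    name = hostname.lower().rstrip(".")
    return name != "localhost" and lookup(name, table) in SINKHOLE_ADDRS


def suspicious_entries(table):
    """Names pointed at a non-sinkhole address. A blocklist never does this;
    malware rewriting hosts to send update or AV sites elsewhere does."""
    return {name: addr for name, addr in table.items()
            if addr not in SINKHOLE_ADDRS and name != "localhost"}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "sub.ads.example.net", "update.example-av.com"):
        print(f"{name:26s} blocked={is_blocked(name, table)!s:5s} -> {lookup(name, table)}")
    print("suspicious:", suspicious_entries(table))
```

Running suspicious_entries over the live file (C:\WINDOWS\system32\drivers\etc\hosts on the XP machine in this thread) after installing one of the listed blocklists is a cheap sanity check: a clean blocklist yields an empty result, and anything that comes back is a name being redirected rather than blocked.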

Re: Problem with pop ups; please help!

Post by askey127 » February 9th, 2009, 11:09 pm

Jason2781, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware