Free Malware Removal Forum

[rattrap1337]

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:31:51 PM, on 6/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\umpalumpa.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\2.bin\ASKSBAR.DLL
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\2.bin\ASKSBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO SafeSurf] "C:\Program Files\COMODO\SafeSurf\cssurf.exe" -s
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\Windows\System32\cssdll32.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe

--
End of file - 4921 bytes

[Shaba]

Uninstall via add/remove programs:

Ask Toolbar
Comodo SafeSurf

• Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
  
  

  Code: Select all

  File::
  c:\windows\system32\3z447not-a-5i9us5.exe
  c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll
  
  Folder::
  c:\program files\AskSBar
  c:\program files\uTorrent
  
  Registry::
  [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
  "{E6564EE3-F839-412B-AF07-3FD748E260DC}"=-
  "{67D66EFD-1F57-45AF-AAFE-5DA449FB4FF3}"=-
  "{25FCADDB-0AE5-44B9-87B7-4DE3501245FD}"=-
  "{B5E58C79-C9EF-41F8-923F-335221E2E5B6}"=-
  

  
  
• Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
  
  
  
• Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
• ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
• When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

[rattrap1337]

ComboFix 09-06-13.03 - kd 06/13/2009 16:50.2 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.1.1033.18.1021.434 [GMT -5:00]
Running from: c:\users\kd\Desktop\combifias.exe
Command switches used :: c:\users\kd\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
SP: COMODO Defense+ *disabled* (Updated) {043803A4-4F86-4ef7-AFC5-F6E02A79969B}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\program files\Mozilla Firefox\plugins\NPAskSBr.dll"
"c:\windows\system32\3z447not-a-5i9us5.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe
c:\windows\system32\3z447not-a-5i9us5.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-13 to 2009-06-13 )))))))))))))))))))))))))))))))
.

2009-06-13 21:56 . 2009-06-13 21:56 -------- d-----w- c:\users\kd\AppData\Local\temp
2009-06-13 14:24 . 2008-08-13 13:10 262144 ----a-w- c:\program files\Uninstall Ask Toolbar.dll
2009-06-11 22:03 . 2009-06-12 05:56 -------- d-----w- C:\rsit
2009-06-11 21:30 . 2009-06-11 21:30 -------- d-----w- c:\users\kd\AppData\Roaming\Malwarebytes
2009-06-11 21:27 . 2009-05-26 18:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-11 21:27 . 2009-06-11 21:27 -------- d-----w- c:\programdata\Malwarebytes
2009-06-11 21:27 . 2009-05-26 18:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-11 21:27 . 2009-06-11 21:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-09 04:04 . 2009-06-09 05:00 -------- d-----w- c:\program files\Windows Live Safety Center
2009-06-09 00:04 . 2009-06-09 00:04 -------- d-----w- c:\program files\Trend Micro
2009-06-08 23:56 . 2009-06-09 05:15 -------- d-----w- C:\32788R22FWJFW.2.tmp
2009-06-08 23:50 . 2009-06-09 05:15 -------- d-----w- C:\32788R22FWJFW.1.tmp
2009-06-08 23:49 . 2009-06-09 05:15 -------- d-----w- C:\32788R22FWJFW.0.tmp
2009-06-08 22:42 . 2009-06-08 23:34 -------- d-----w- C:\vcs5BGEffects
2009-06-08 21:06 . 2009-06-08 21:06 272 ----a-w- c:\windows\system32\drivers\sfi.dat
2009-06-07 20:38 . 2009-06-08 22:42 -------- d-----w- c:\program files\AV Vcs 6.0 DIAMOND
2009-06-05 04:31 . 2009-06-05 04:32 -------- d-----w- C:\AV_LOGS
2009-06-05 04:29 . 2009-06-05 04:29 -------- d-----w- c:\users\kd\{ac2e2b8c-c423-4baa-a0a1-d154ebcab39c}
2009-06-05 04:29 . 2008-12-10 21:56 17792 ----a-w- c:\windows\system32\drivers\vcsvad.sys
2009-06-04 15:07 . 2009-06-04 15:07 -------- d-----w- c:\users\kd\AppData\Local\NCSoft
2009-06-04 14:47 . 2009-06-04 14:47 -------- d-----w- c:\users\kd\AppData\Local\assembly
2009-06-04 14:47 . 2009-06-04 14:48 -------- d-----w- c:\program files\NCSoft
2009-06-04 14:45 . 2009-06-04 14:45 -------- d-----w- c:\users\kd\AppData\Roaming\GetRightToGo
2009-06-03 21:06 . 2009-06-03 21:06 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-05-21 21:39 . 2009-05-21 21:39 -------- d-----w- c:\users\kd\AppData\Local\CCP
2009-05-21 21:37 . 2007-07-19 23:14 3727720 ----a-w- c:\windows\system32\d3dx9_35.dll
2009-05-21 20:37 . 2009-05-21 20:37 -------- d-----w- c:\program files\CCP
2009-05-20 13:12 . 2009-05-20 13:12 -------- d-----w- c:\programdata\CCP
2009-05-15 22:44 . 2009-05-15 22:44 -------- d-sh--w- C:\found.000
2009-05-15 03:55 . 2009-05-15 03:55 -------- d-----w- C:\GamersFirst

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 14:47 . 2008-08-06 23:21 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-03 21:07 . 2008-08-13 15:24 -------- d-----w- c:\program files\DivX
2009-05-27 13:05 . 2008-08-13 13:07 68640 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-05-27 13:04 . 2008-08-13 13:07 168208 ----a-w- c:\windows\system32\guard32.dll
2009-05-27 13:04 . 2008-08-13 13:07 28704 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-05-27 13:04 . 2008-08-13 13:07 130080 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-05-13 08:01 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-01 21:02 . 2009-05-01 21:02 90112 ----a-w- c:\windows\system32\dpl100.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-30 04:53 . 2009-01-16 23:52 -------- d-----w- c:\users\kd\AppData\Roaming\DivX
2009-04-24 16:05 . 2009-06-11 23:57 827904 ----a-w- c:\windows\system32\wininet.dll
2009-04-24 16:02 . 2009-06-11 23:57 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-24 13:44 . 2009-06-11 23:57 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-04-23 12:43 . 2009-06-11 23:57 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-23 12:42 . 2009-06-11 23:57 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 23:57 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-03-17 03:38 . 2009-04-16 22:27 13824 ----a-w- c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 22:27 24064 ----a-w- c:\windows\system32\amxread.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-12_22.16.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-04 21:27 . 2009-06-13 21:41 37006 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-06-13 21:41 47964 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:02 . 2009-06-12 22:07 47964 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-08-04 20:03 . 2009-06-13 21:39 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-08-04 20:03 . 2009-06-12 22:05 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-08-04 20:03 . 2009-06-13 21:39 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-08-04 20:03 . 2009-06-12 22:05 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-08-04 20:03 . 2009-06-13 21:39 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-04 20:03 . 2009-06-12 22:05 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-08-05 08:06 . 2009-06-12 06:11 2526 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-05 08:06 . 2009-06-13 05:52 2526 c:\windows\System32\WDI\ERCQueuedResolutions.dat
+ 2008-08-04 21:27 . 2009-06-13 21:41 9894 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-687904369-1910372425-1874226365-1000_UserData.bin
- 2009-06-12 22:05 . 2009-06-12 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-13 21:39 . 2009-06-13 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-06-13 21:39 . 2009-06-13 21:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-06-12 22:05 . 2009-06-12 22:05 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Fraps"="c:\fraps\FRAPS.EXE" [2006-12-21 2842624]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-05-27 1794320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-09-12 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-12 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-12 81920]
"COMODO Internet Security"="c:\program files\COMODO\Firewall\cfp.exe" [2009-05-27 1794320]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\cssdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{1778FE0B-BF96-4953-B935-179B7437D69D}c:\\users\\kd\\desktop\\server files1\\server files\\login server\\mystver.exe"= UDP:c:\users\kd\desktop\server files1\server files\login server\mystver.exe:mystver.exe
"UDP Query User{88F53694-E69A-454D-8FC6-4FB53CE28DD4}c:\\users\\kd\\desktop\\server files1\\server files\\login server\\mystver.exe"= TCP:c:\users\kd\desktop\server files1\server files\login server\mystver.exe:mystver.exe
"{8A302BCB-7AFB-4200-97E6-8C9660DE6A03}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{A0ECFA77-2627-4D41-B6B0-9F180AA475DF}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{CBB11CC8-C1DD-481E-B77B-CF858B12FD68}"= UDP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{285EE04E-04BF-4A16-AF72-80B442943410}"= TCP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{E51A6262-A416-477C-B778-BE7BEA1385D8}"= UDP:c:\program files\Microsoft Games\SpiderSolitaire\Combat Arms\NMService.exe:Nexon Messenger Core
"{04173EB3-F8AB-4A3C-BD23-645DFCA487CE}"= TCP:c:\program files\Microsoft Games\SpiderSolitaire\Combat Arms\NMService.exe:Nexon Messenger Core
"{7F3C589C-C0A7-4BCE-B8D8-2ABD50B61FDD}"= UDP:e:\combat arms\NMService.exe:Nexon Messenger Core
"{66C4B3AD-9EEE-48E1-B0D5-DFF0D14D98FC}"= TCP:e:\combat arms\NMService.exe:Nexon Messenger Core
"{9AED4EB8-F38C-4D7C-AA66-896FC8DF1BA2}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{6D70F1C7-135B-49F7-ACD9-AAC12CC8AF27}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\System32\drivers\cmdguard.sys [8/13/2008 8:07 AM 130080]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\System32\drivers\cmdhlp.sys [8/13/2008 8:07 AM 28704]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [6/14/2008 12:02 PM 17408]
R2 TeamViewer4;TeamViewer 4;c:\program files\TeamViewer\Version4\TeamViewer_Service.exe [1/22/2009 4:31 AM 185640]
S3 VCSVADHWSer;Avnex Virtual Audio Device (WDM);c:\windows\System32\drivers\vcsvad.sys [6/4/2009 11:29 PM 17792]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
FF - ProfilePath - c:\users\kd\AppData\Roaming\Mozilla\Firefox\Profiles\5yd86hid.default\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-13 16:56
Windows 6.0.6001 Service Pack 1 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(968)
c:\windows\System32\cssdll32.dll

- - - - - - - > 'lsass.exe'(712)
c:\windows\System32\cssdll32.dll
c:\windows\system32\guard32.dll
.
Completion time: 2009-06-13 16:58
ComboFix-quarantined-files.txt 2009-06-13 21:58
ComboFix2.txt 2009-06-12 22:18

Pre-Run: 122,823,475,200 bytes free
Post-Run: 122,795,212,800 bytes free

183 --- E O F --- 2009-06-13 13:57

[Shaba]

Delete this:

c:\program files\Uninstall Ask Toolbar.dll

Empty Recycle Bin.

Please go to Kaspersky website and perform an online antivirus scan.

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply along with a fresh HijackThis log.

[rattrap1337]

Delete this:

c:\program files\Uninstall Ask Toolbar.dll

"Uninstall Ask Toolbar.dll" could not be found.




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, June 15, 2009
Operating System: Microsoft Windows Vista Home Basic Edition, 32-bit Service Pack 1

(build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Monday, June 15, 2009 12:27:39
Records in database: 2345167
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 127104
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 02:23:45


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcjocihqtnonolbyrgrqxlyyeirqmwnjkt.dll.vir Infected: Trojan.Win32.Agent2.kny 1
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcnttfsxdfuiecibnhvrppaviostlttrmx.dll.vir Infected: Trojan.Win32.Agent2.kit 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:24:45 PM, on 6/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18248)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Fraps\fraps.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Trend Micro\HijackThis\umpalumpa.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [Fraps] C:\FRAPS\FRAPS.EXE
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O13 - Gopher Prefix:
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - AppInit_DLLs: C:\Windows\System32\cssdll32.dll
O23 - Service: Apache2.2 - Apache Software Foundation - C:\xampp\apache\bin\apache.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: TeamViewer 4 (TeamViewer4) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe

--
End of file - 4596 bytes

[Shaba]

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?

[rattrap1337]

Nope, everything is running smoothly.



I just want to thank you for all of your help.

[Shaba]

Good

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these excellent vendors NOW:

1) Antivir PersonalEdition Classic- Free anti-virus software for Windows. Free support.
2) avast! 4 Home Edition - Anti-virus program for Windows. The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition - Free edition of the AVG anti-virus program for Windows.

You should run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Next we remove all used tools.

Please download OTCleanIt and save it to desktop.

• Double-click OTC.exe.
• Click the CleanUp! button.
• Select Yes when the "Begin cleanup Process?" prompt appears.
• If you are prompted to Reboot during the cleanup, select Yes.
• The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

• Disable and Enable System Restore. - If you are using Windows Vista then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  
  You can find instructions on how to enable and re-enable system restore here:
  
  Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above

• Make your Internet Explorer more secure - This can be done by following these simple instructions:
• From within Internet Explorer click on the Tools menu and then click on Options.
• Click once on the Security tab
• Click once on the Internet icon so it becomes highlighted.
• Click once on the Custom Level button.
• Change the Download signed ActiveX controls to Prompt
  
• Change the Download unsigned ActiveX controls to Disable
  
• Change the Initialize and script ActiveX controls not marked as safe to Disable
  
• Change the Installation of desktop items to Prompt
  
• Change the Launching programs and files in an IFRAME to Prompt
  
• Change the Navigate sub-frames across different domains to Prompt
  
• When all these settings have been made, click on the OK button.
  
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Next press the Apply button and then the OK to exit the Internet Properties page.

• Update your AntiVirus Software and keep your other programs up-to-date
  Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
  You can use one of these sites to check if any updates are needed for your pc.
  Secunia Software Inspector
  F-secure Health Check
  
• Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  
• Install Malwarebytes' Anti-Malware - Malwarebytes''Anti-Malware is a new and powerful anti-malware tool. It is
  totally free but for real-time protection you will have to pay a small one-time fee. Tutorial on installing & using this product can be found below:
  
  Malwarebytes' Anti-Malware Setup Guide
  
  Malwarebytes' Anti-Malware Scanning Guide
  
• Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
  
  A tutorial on installing & using this product can be found here:
  
  Using SpywareBlaster to protect your computer from Spyware and Malware
  
  
• Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

• MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
• Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!

[Shaba]

rattrap1337 this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.