Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Got some type of virus

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Got some type of virus

Unread postby Bjorn420 » December 5th, 2008, 7:28 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:58 PM, on 12/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Pristy Utils\Tray Agent.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\Pristy Utils\CD Hotkey F9.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13657780-c0a6-4146-88e6-0a8d4dadfe2a} - C:\WINDOWS\system32\zerejuhu.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [CPMf79bdba9] Rundll32.exe "c:\windows\system32\fidebage.dll",a
O4 - HKLM\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-73586283-920026266-839522115-1006\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'postgres')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Startup: Æô¶¯·ÉËÙÍÁ¶¹.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Tray Agent.lnk = C:\Program Files\Pristy Utils\Tray Agent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-U ... E_UNO1.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\nevihezu.dll c:\windows\system32\fidebage.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fidebage.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fidebage.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerberos Key Distribution Centers (kkdc) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9842 bytes
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm
Advertisement
Register to Remove

Re: Got some type of virus

Unread postby Bv202 » December 6th, 2008, 11:01 am

Hi Bjorn420

Welcome to Malware Removal!
My name is Bjorn (yes, Bjorn), known as Bv202 on this forum and I'll be happy to assist you with all your malware problems you have on your computer.

Before we start fixing your computer, there are a few points you need to know:
  • Please don't start a new topic, but reply on this one.
  • If you don't understand something, please ask!
  • If you find any new problems and/or details, please post them!
  • As I'm still in training here at Malware Removal, all my posts needs to be checked by an expert first.

Remember: absence of symptoms does not mean your computer is clean!!
Please reply to this topic until I say your computer is clean.

I'm now researching your log. Once it's done, I'll be back to you.

In the meantime, please do this:
  • Open HijackThis.
  • Look under System tools.
  • Click on the Open Uninstall Manager... button.
  • Click on the Save list... button.
  • It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  • Notepad will open. Please copy and paste the contents of this log in your next reply.
See in this link details.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bjorn420 » December 7th, 2008, 12:59 am

·ÉËÙÍÁ¶¹ 1.11
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Arena 10.0 (CPR 7)
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audiosurf Demo
AVG Free 8.0
AVS DVD Player version 2.4
BitPim 1.0.1
Broadcom 440x 10/100 Integrated Controller
Bullfighter 1.2
Conexant HDA D110 MDC V.92 Modem
Counter-Strike
CutePDF Writer 2.7
DC++ 0.699
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EPSON Printer Software
Frets On Fire
Google Earth
Google Toolbar for Firefox
Google Updater
Graboid Video 1.2
Guitar Hero III
High Definition Audio Driver Package - KB835221
HighGrow
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Intel(R) PROSet/Wireless Software
iTunes
J2SE Runtime Environment 5.0 Update 7
Jahplayer
Jahshaka
leafdigital leafDrums 2.1
Logitech QuickCam Software
Logitech® Camera Driver
Magic ISO Maker v5.4 (build 0251)
MagicHoldem Calculator
mCore
mDriver
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.4)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
msxml4
mWlsSafe
mWMI
mXML
mZConfig
OpenLibraries
OpenOffice.org 2.2
OutlookAddinSetup
PartyPoker
PCFriendly
PitchPerfect Uninstall
PLAYSTATION(R)Network Downloader
PokerStars
PokerTracker 3 (remove only)
PostgreSQL 8.3
Pristy Utils 2009
Pro Media Director Version 2.0.0.1
PS3 Video 9 2.25
PSP Video 9 2.25
QuickPar 0.9
QuickTime
RealPlayer
Rhapsody Player Engine
SecureW2 TTLS Client 3.3.1 for Windows
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SigmaTel Audio
SMS-it!
Songbird 0.4 (20071226)
SoulSeek Client 156c
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steam
Synaptics Pointing Device Driver
System Requirements Lab
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Virtual Grow 2
Virtual Grow 2 (C:\Program Files\VG\)
Warcraft III 1.20
Winamp (remove only)
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xbox 360 Controller for Windows
Yahoo! ¤u¨ã¦C
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Messenger
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm

Re: Got some type of virus

Unread postby Bv202 » December 7th, 2008, 8:44 am

Hi Bjorn

Backdoor warning
Your computer has multiple infections, including signs of a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steal personal information, etc.

You are strongly advised to do the following:

  • Disconnect the computer from the Internet and from any networked computers until it is cleaned.
  • Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
  • Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
  • From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.

Due to its backdoor functionality, your computer is very likely to have been compromised and there is no way that it can be trusted again. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be to do a reformat and reinstallation of the operating system (OS). However, in this case, there is no proof the backdoor was even active on this computer. Most likely it was blocked by Teatimer.

Because of this, I recommend to not reformat yet. If we find any proof it was/is active on your system, I will warn you about this. For now, please continue with the instructions.


Disable Spybot's TeaTimer. This is a two step process.
Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.


Remove p2p software
IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

SoulSeek Client
DC++ 0.699
ares
Shareaza


Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall these programs NOW:
SoulSeek Client
DC++ 0.699


The other 2 programs will not be there, so they need an alternative deletion. Please navigate to these folders and delete them:
C:\Program Files\Ares
C:\Program Files\Shareaza
Please empty your recycle bin.

After you have done that, please open HijackThis and do a new system scan. Then check these lines:
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Shareaza] "C:\Program Files\Shareaza\Shareaza.exe" -tray

Close all windows (including your browser) and click fix checked.

Reboot the computer now

Please post a new HijackThis log and a new uninstall list after you deleted these programs so we can continue cleaning.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bjorn420 » December 7th, 2008, 2:59 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:47 PM, on 12/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Pristy Utils\Tray Agent.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Pristy Utils\CD Hotkey F9.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13657780-c0a6-4146-88e6-0a8d4dadfe2a} - C:\WINDOWS\system32\zerejuhu.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKLM\..\Run: [CPMf79bdba9] Rundll32.exe "c:\windows\system32\zujahuti.dll",a
O4 - HKLM\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-73586283-920026266-839522115-1006\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'postgres')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Tray Agent.lnk = C:\Program Files\Pristy Utils\Tray Agent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-U ... E_UNO1.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll C:\WINDOWS\system32\nevihezu.dll c:\windows\system32\zujahuti.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zujahuti.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\zujahuti.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerberos Key Distribution Centers (kkdc) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 9221 bytes

Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.0
Adobe Shockwave Player
Apple Mobile Device Support
Apple Software Update
Arena 10.0 (CPR 7)
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Audiosurf Demo
AVG Free 8.0
AVS DVD Player version 2.4
BitPim 1.0.1
Broadcom 440x 10/100 Integrated Controller
Bullfighter 1.2
Conexant HDA D110 MDC V.92 Modem
Counter-Strike
CutePDF Writer 2.7
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
EPSON Printer Software
Frets On Fire
Google Earth
Google Toolbar for Firefox
Google Updater
Graboid Video 1.2
Guitar Hero III
High Definition Audio Driver Package - KB835221
HighGrow
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Intel(R) PROSet/Wireless Software
iTunes
J2SE Runtime Environment 5.0 Update 7
Jahplayer
Jahshaka
leafdigital leafDrums 2.1
Logitech QuickCam Software
Logitech® Camera Driver
Magic ISO Maker v5.4 (build 0251)
MagicHoldem Calculator
mCore
mDriver
mDrWiFi
MediaDirect
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
mIWA
mLogView
mMHouse
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.4)
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB936181)
msxml4
mWlsSafe
mWMI
mXML
mZConfig
OpenLibraries
OpenOffice.org 2.2
OutlookAddinSetup
PartyPoker
PCFriendly
PitchPerfect Uninstall
PLAYSTATION(R)Network Downloader
PokerStars
PokerTracker 3 (remove only)
PostgreSQL 8.3
Pristy Utils 2009
Pro Media Director Version 2.0.0.1
PS3 Video 9 2.25
PSP Video 9 2.25
QuickPar 0.9
QuickTime
RealPlayer
Rhapsody Player Engine
SecureW2 TTLS Client 3.3.1 for Windows
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
SigmaTel Audio
SMS-it!
Songbird 0.4 (20071226)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.5.2.20
Steam
Synaptics Pointing Device Driver
System Requirements Lab
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
VideoLAN VLC media player 0.8.6d
Viewpoint Media Player
Virtual Grow 2
Virtual Grow 2 (C:\Program Files\VG\)
Warcraft III 1.20
Winamp (remove only)
Windows Driver Package - Ricoh Company Memorystick Host Controller (07/09/2005 1.00.01.12)
Windows Driver Package - Ricoh Company MMC Host Controller (07/14/2005 1.00.00.06)
Windows Driver Package - Ricoh Company xD-Picture Card/SmartMedia Host Controller (07/14/2005 1.00.02.04)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
Xbox 360 Controller for Windows
Yahoo! ¤u¨ã¦C
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Messenger
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm

Re: Got some type of virus

Unread postby Bv202 » December 7th, 2008, 3:25 pm

Hi Bjorn

Thank you for deleting these programs :)

Download and run Combofix
Please visit this webpage for download links, and instructions for running the tool:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
* IMPORTANT !!! Save ComboFix.exe to your Desktop

http://www.bleepingcomputer.com/combofix/how-to-use-combofix
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
Please include the C:\ComboFix.txt in your next reply for further review.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bjorn420 » December 7th, 2008, 5:27 pm

ComboFix 08-12-06.06 - Matt 2008-12-07 16:09:46.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.367 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matt\Application Data\NI.GSCNS
c:\documents and settings\Matt\Application Data\NI.GSCNS\dl.ini
c:\documents and settings\Matt\Application Data\NI.GSCNS\settings.ini
c:\windows\system32\_000003_.tmp.dll
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\_000007_.tmp.dll
c:\windows\system32\_000008_.tmp.dll
c:\windows\system32\_000009_.tmp.dll
c:\windows\system32\_000010_.tmp.dll
c:\windows\system32\_000011_.tmp.dll
c:\windows\system32\_000012_.tmp.dll
c:\windows\system32\_000015_.tmp.dll
c:\windows\system32\_000016_.tmp.dll
c:\windows\system32\8fJPfpps.exe.a_a
c:\windows\system32\adelosov.ini
c:\windows\system32\azilegij.ini
c:\windows\system32\ekelaput.ini
c:\windows\system32\epidijez.ini
c:\windows\system32\eterawop.ini
c:\windows\system32\fidebage.dll
c:\windows\system32\jigeliza.dll
c:\windows\system32\kogafere.dll
c:\windows\system32\molukoza.dll
c:\windows\system32\momawufo.dll
c:\windows\system32\nevihezu.dll
c:\windows\system32\nIPItf6p.exe.a_a
c:\windows\system32\oyomilup.ini
c:\windows\system32\pomeziya.dll
c:\windows\system32\powarete.dll
c:\windows\system32\pulimoyo.dll
c:\windows\system32\sefosunu.dll
c:\windows\system32\sevabija.dll
c:\windows\system32\tupaleke.dll
c:\windows\system32\vosoleda.dll
c:\windows\system32\vumehito.dll
c:\windows\system32\yunewoti.dll
c:\windows\system32\zayisevi.dll
c:\windows\system32\zejidipe.dll
c:\windows\system32\zerejuhu.dll
c:\windows\system32\zujahuti.dll

.
((((((((((((((((((((((((( Files Created from 2008-11-07 to 2008-12-07 )))))))))))))))))))))))))))))))
.

2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 02:13 . 2008-12-05 17:32 <DIR> d-------- c:\program files\Magic Holdem
2008-11-30 21:45 . 2007-08-27 10:41 <DIR> d-------- c:\documents and settings\postgres\Application Data\Intel
2008-11-30 21:45 . 2008-11-30 21:45 <DIR> d-------- c:\documents and settings\postgres
2008-11-30 21:39 . 2008-11-30 21:39 <DIR> d-------- c:\program files\PostgreSQL
2008-11-30 21:34 . 2008-12-05 01:20 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 21:33 . 2008-11-30 22:13 <DIR> d-------- c:\program files\PokerTracker 3
2008-11-30 21:02 . 2008-12-07 04:47 <DIR> d-------- c:\program files\PokerStars
2008-11-25 23:53 . 2008-11-25 23:53 <DIR> d-------- C:\QTP
2008-11-25 04:58 . 2008-12-07 13:51 <DIR> d-------- c:\program files\Tudou
2008-11-23 14:58 . 2008-12-07 00:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-21 15:03 . 2008-11-21 15:38 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-21 14:57 . 2008-12-07 13:40 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-21 14:57 . 2008-11-21 14:57 <DIR> d-------- c:\program files\AVG
2008-11-21 14:57 . 2008-11-21 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-21 14:57 . 2008-11-21 14:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-21 14:57 . 2008-11-21 14:57 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-07 21:18 --------- d-----w c:\program files\Steam
2008-12-07 20:47 --------- d-----w c:\documents and settings\Matt\Application Data\OpenOffice.org2
2008-12-07 20:15 --------- d-----w c:\program files\Songbird
2008-12-07 19:10 --------- d-----w c:\program files\Bullfighter
2008-12-07 18:52 --------- d-----w c:\documents and settings\Matt\Application Data\Shareaza
2008-11-23 19:59 --------- d-----w c:\program files\Google
2008-11-22 07:29 --------- d-----w c:\program files\PartyGaming
2008-11-12 20:44 --------- d-----w c:\program files\dl_Cats
2008-11-08 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 00:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 05:59 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-10-31 18:08 --------- d-----w c:\program files\HP
2008-10-08 04:50 102,400 ----a-w c:\windows\DUMPf210.tmp
2008-07-14 04:13 20,288 ----a-w c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 19:05 247,608 ----a-w c:\documents and settings\Matt\jre-1_5_0_07-windows-i586-p-iftw.exe
2007-08-28 17:58 36 ----a-w c:\documents and settings\Matt\klextlock.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-21 3481600]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-08 1410296]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Google Update"="c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-10-13 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Tray Agent.lnk - c:\program files\Pristy Utils\Tray Agent.exe [2008-09-30 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Pristy Utils\\CD Hotkey F9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8623:TCP"= 8623:TCP:BitComet 8623 TCP
"8623:UDP"= 8623:UDP:BitComet 8623 UDP
"27417:TCP"= 27417:TCP:BitComet 27417 TCP
"27417:UDP"= 27417:UDP:BitComet 27417 UDP
"25357:TCP"= 25357:TCP:BitComet 25357 TCP
"25357:UDP"= 25357:UDP:BitComet 25357 UDP
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareaza
"23693:TCP"= 23693:TCP:Soulseek
"23693:UDP"= 23693:UDP:Soulseek

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-21 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-21 231704]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;"c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "c:\program files\PostgreSQL\8.3\data\" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-19 24652]
S2 kkdc;Kerberos Key Distribution Centers;c:\windows\lsass.exe -netsvcs []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d79199be-53d0-11dc-a263-806d6172696f}]
\Shell\AutoRun\command - d:\dellkit\MD3Recovery.exe "DellKit\DellKit.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-07 c:\windows\Tasks\At1.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At10.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At11.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At12.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At13.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At14.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At15.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At16.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At17.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-06 c:\windows\Tasks\At18.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-06 c:\windows\Tasks\At19.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At2.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At20.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At21.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At22.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At23.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At24.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At25.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At26.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At27.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At28.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At29.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At3.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At30.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At31.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At32.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At33.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At34.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At35.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At36.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At37.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At38.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At39.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At4.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At40.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At41.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-06 c:\windows\Tasks\At42.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-06 c:\windows\Tasks\At43.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At44.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At45.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At46.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At47.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At48.job
- c:\windows\system32\8fJPfpps.exe []

2008-12-07 c:\windows\Tasks\At5.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At6.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At7.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At8.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\At9.job
- c:\windows\system32\nIPItf6p.exe []

2008-12-07 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:16]
.
- - - - ORPHANS REMOVED - - - -

BHO-{13657780-c0a6-4146-88e6-0a8d4dadfe2a} - c:\windows\system32\zerejuhu.dll


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\lbk5yubm.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\lbk5yubm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-07 16:17:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Pristy Utils\CD Hotkey F9.exe
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.bin
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-12-07 16:22:50 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2008-12-07 21:22:19

Pre-Run: 20,703,842,304 bytes free
Post-Run: 27,286,286,336 bytes free

330 --- E O F --- 2007-09-18 21:38:30
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm

Re: Got some type of virus

Unread postby Bv202 » December 8th, 2008, 8:19 am

Hi Bjorn

Do you have BitComet on your computer installed? If so, please remove it's folder as it's a P2P program :)


RECOVERY CONSOLE
You didn't install the recovery console. As this is really important, please install it now!
Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Image

Download the file & save it as it's originally named, next to ComboFix.exe.

Image

Now close all open windows and programs, including all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'No' as you don't need a new scan now.

    Image


COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    File::
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job
    
    Folder::
    c:\documents and settings\Matt\Application Data\Shareaza
    
    Driver::
    kkdc
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8623:TCP"=- 
    "8623:UDP"=- 
    "27417:TCP"=- 
    "27417:UDP"=- 
    "25357:TCP"=-
    "25357:UDP"=- 
    "6346:TCP"=- 
    "6346:UDP"=- 
    "23693:TCP"=- 
    "23693:UDP"=- 
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

In your next reply, please post:
1) The Combofix log
2) A new HijackThis log
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bjorn420 » December 9th, 2008, 1:43 am

Hey Bjorn,
I found a BitComet folder and deleted it, but could not find it in the Add/Remove Program or Hijack. Thanks for your help so far.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:43 AM, on 12/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-73586283-920026266-839522115-1006\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'postgres')
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Tray Agent.lnk = C:\Program Files\Pristy Utils\Tray Agent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-U ... E_UNO1.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8478 bytes

ComboFix 08-12-07.04 - Matt 2008-12-09 0:10:22.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.531 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Matt\Application Data\Shareaza
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Slacker [Richard Linklater 1991].torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.s12e03.Major_Boobage-TVEps.rm.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.s12e05.Eak,_a_Penis!-TVEps.rm.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.S12E06.DSR.XviD-0TV.avi.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.s12e06.Over_Logging-TVEps.rm.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.s12e07.Super_Fun_Time-TVEps.rm.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.s12e10.Pandemic-TVEps.rm.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\South.Park.s12e14.The_Ungroundable-TVEps.rm.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Southpark - 1209 - Breast Cancer Show Ever {C_P}.avi.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Super.High.Me.2007.DVDSRC.XViD-TRG.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\texasholdem.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\The Big Lebowski (Ipod).mp4.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\The Office S04E10 HDTV XviD-XOR.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\The.King.of.Kong.LIMITED.DOCU.DVDRip.XviD-SAPHiRE.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\The.Office.US.S04E09.HDTV.XviD-LOL.[VTV].avi.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\The.Office.US.S04E10.HDTV.XviD-LOL.[VTV].avi.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\The_Office.4x11.Night_Out.HDTV_XviD-FoV.[VTV].avi.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Undeclared.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Warcraft III and The Frozen Throne.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Warcraft III.exe.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\We Can Be Heroes - DVDrip.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\yam-win.zip.torrent
c:\documents and settings\Matt\Application Data\Shareaza\Torrents\Zach Galifianakis.torrent
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_KKDC
-------\Service_kkdc


((((((((((((((((((((((((( Files Created from 2008-11-09 to 2008-12-09 )))))))))))))))))))))))))))))))
.

2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 02:13 . 2008-12-05 17:32 <DIR> d-------- c:\program files\Magic Holdem
2008-11-30 21:45 . 2007-08-27 10:41 <DIR> d-------- c:\documents and settings\postgres\Application Data\Intel
2008-11-30 21:45 . 2008-11-30 21:45 <DIR> d-------- c:\documents and settings\postgres
2008-11-30 21:39 . 2008-11-30 21:39 <DIR> d-------- c:\program files\PostgreSQL
2008-11-30 21:34 . 2008-12-05 01:20 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 21:33 . 2008-11-30 22:13 <DIR> d-------- c:\program files\PokerTracker 3
2008-11-30 21:02 . 2008-12-07 04:47 <DIR> d-------- c:\program files\PokerStars
2008-11-25 23:53 . 2008-11-25 23:53 <DIR> d-------- C:\QTP
2008-11-25 04:58 . 2008-12-07 13:51 <DIR> d-------- c:\program files\Tudou
2008-11-23 14:58 . 2008-12-08 01:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-21 15:03 . 2008-11-21 15:38 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-21 14:57 . 2008-12-08 20:33 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-21 14:57 . 2008-11-21 14:57 <DIR> d-------- c:\program files\AVG
2008-11-21 14:57 . 2008-11-21 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-21 14:57 . 2008-11-21 14:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-21 14:57 . 2008-11-21 14:57 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-09 05:18 --------- d-----w c:\program files\Steam
2008-12-08 21:19 --------- d-----w c:\program files\Bullfighter
2008-12-08 18:55 --------- d-----w c:\program files\Songbird
2008-12-08 02:14 --------- d-----w c:\documents and settings\Matt\Application Data\OpenOffice.org2
2008-11-23 19:59 --------- d-----w c:\program files\Google
2008-11-22 07:29 --------- d-----w c:\program files\PartyGaming
2008-11-12 20:44 --------- d-----w c:\program files\dl_Cats
2008-11-08 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 00:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 05:59 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-10-31 18:08 --------- d-----w c:\program files\HP
2008-10-08 04:50 102,400 ----a-w c:\windows\DUMPf210.tmp
2008-07-14 04:13 20,288 ----a-w c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 19:05 247,608 ----a-w c:\documents and settings\Matt\jre-1_5_0_07-windows-i586-p-iftw.exe
2007-08-28 17:58 36 ----a-w c:\documents and settings\Matt\klextlock.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_16.21.08.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 18:42:15 62,746 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-07 21:21:46 62,746 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-07 18:42:15 401,632 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-07 21:21:46 401,632 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-21 3481600]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-08 1410296]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Google Update"="c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-10-13 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Tray Agent.lnk - c:\program files\Pristy Utils\Tray Agent.exe [2008-09-30 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Pristy Utils\\CD Hotkey F9.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8623:TCP"= 8623:TCP:BitComet 8623 TCP
"8623:UDP"= 8623:UDP:BitComet 8623 UDP
"27417:TCP"= 27417:TCP:BitComet 27417 TCP
"27417:UDP"= 27417:UDP:BitComet 27417 UDP
"25357:TCP"= 25357:TCP:BitComet 25357 TCP
"25357:UDP"= 25357:UDP:BitComet 25357 UDP
"6346:TCP"= 6346:TCP:Shareaza
"6346:UDP"= 6346:UDP:Shareaza
"23693:TCP"= 23693:TCP:Soulseek
"23693:UDP"= 23693:UDP:Soulseek

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-21 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-21 231704]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;"c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "c:\program files\PostgreSQL\8.3\data\" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-19 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d79199be-53d0-11dc-a263-806d6172696f}]
\Shell\AutoRun\command - d:\dellkit\MD3Recovery.exe "DellKit\DellKit.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:16]
.
- - - - ORPHANS REMOVED - - - -

SSODL-SSODL-{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\lbk5yubm.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\lbk5yubm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-09 00:17:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\PostgreSQL\8.3\bin\postgres.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\combofix\hidec.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\combofix\Catchme.tmp
.
**************************************************************************
.
Completion time: 2008-12-09 0:22:02 - machine was rebooted [Matt]
ComboFix-quarantined-files.txt 2008-12-09 05:20:44
ComboFix2.txt 2008-12-07 21:22:52

Pre-Run: 26,942,427,136 bytes free
Post-Run: 27,141,804,032 bytes free

364 --- E O F --- 2007-09-18 21:38:30
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm

Re: Got some type of virus

Unread postby Bv202 » December 9th, 2008, 1:00 pm

Hi Bjorn

Thank you for deleting Bitcomet. Don't worry, it's normal you didn't find it in add/remove or HijackThis.
Something went wrong with the Combofix-Script, we need to try it again.

COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: Select all
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "8623:TCP"=-
    "8623:UDP"=-
    "27417:TCP"=-
    "27417:UDP"=-
    "25357:TCP"=-
    "25357:UDP"=-
    "6346:TCP"=-
    "6346:UDP"=-
    "23693:TCP"=-
    "23693:UDP"=-
    
    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="avgrsstx.dll"
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


FIX HIJACKTHIS ENTRIES
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O4 - HKUS\S-1-5-21-73586283-920026266-839522115-1006\..\Run: [vesufemowi] Rundll32.exe "C:\WINDOWS\system32\molukoza.dll",s (User 'postgres')
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.

Reboot the computer

In your next reply, please post the ComboFix log and a new HijackThis log.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bjorn420 » December 10th, 2008, 2:03 am

ComboFix 08-12-07.04 - Matt 2008-12-10 0:55:07.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.583 [GMT -5:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Matt\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-11-10 to 2008-12-10 )))))))))))))))))))))))))))))))
.

2008-12-05 18:07 . 2008-12-05 18:07 <DIR> d-------- c:\program files\Trend Micro
2008-12-03 02:13 . 2008-12-05 17:32 <DIR> d-------- c:\program files\Magic Holdem
2008-11-30 21:45 . 2007-08-27 10:41 <DIR> d-------- c:\documents and settings\postgres\Application Data\Intel
2008-11-30 21:45 . 2008-11-30 21:45 <DIR> d-------- c:\documents and settings\postgres
2008-11-30 21:39 . 2008-11-30 21:39 <DIR> d-------- c:\program files\PostgreSQL
2008-11-30 21:34 . 2008-12-05 01:20 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-11-30 21:33 . 2008-11-30 22:13 <DIR> d-------- c:\program files\PokerTracker 3
2008-11-30 21:02 . 2008-12-09 00:45 <DIR> d-------- c:\program files\PokerStars
2008-11-25 23:53 . 2008-11-25 23:53 <DIR> d-------- C:\QTP
2008-11-25 04:58 . 2008-12-07 13:51 <DIR> d-------- c:\program files\Tudou
2008-11-23 14:58 . 2008-12-09 02:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2008-11-21 15:03 . 2008-12-09 14:07 <DIR> d--h----- C:\$AVG8.VAULT$
2008-11-21 14:57 . 2008-12-09 14:21 <DIR> d-------- c:\windows\system32\drivers\Avg
2008-11-21 14:57 . 2008-11-21 14:57 <DIR> d-------- c:\program files\AVG
2008-11-21 14:57 . 2008-11-21 14:57 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2008-11-21 14:57 . 2008-11-21 14:57 97,928 --a------ c:\windows\system32\drivers\avgldx86.sys
2008-11-21 14:57 . 2008-11-21 14:57 10,520 --a------ c:\windows\system32\avgrsstx.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-10 05:44 --------- d-----w c:\documents and settings\Matt\Application Data\OpenOffice.org2
2008-12-10 05:43 --------- d-----w c:\program files\Steam
2008-12-09 21:18 --------- d-----w c:\program files\Bullfighter
2008-12-08 18:55 --------- d-----w c:\program files\Songbird
2008-11-23 19:59 --------- d-----w c:\program files\Google
2008-11-22 07:29 --------- d-----w c:\program files\PartyGaming
2008-11-12 20:44 --------- d-----w c:\program files\dl_Cats
2008-11-08 00:33 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-08 00:32 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-11-06 05:59 --------- d-----w c:\documents and settings\NetworkService\Application Data\Yahoo!
2008-10-31 18:08 --------- d-----w c:\program files\HP
2008-10-08 04:50 102,400 ----a-w c:\windows\DUMPf210.tmp
2008-07-14 04:13 20,288 ----a-w c:\documents and settings\Matt\Application Data\GDIPFONTCACHEV1.DAT
2008-02-09 19:05 247,608 ----a-w c:\documents and settings\Matt\jre-1_5_0_07-windows-i586-p-iftw.exe
2007-08-28 17:58 36 ----a-w c:\documents and settings\Matt\klextlock.dat
.

((((((((((((((((((((((((((((( snapshot@2008-12-07_16.21.08.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-07 18:42:15 62,746 ----a-w c:\windows\system32\perfc009.dat
+ 2008-12-07 21:21:46 62,746 ----a-w c:\windows\system32\perfc009.dat
- 2008-12-07 18:42:15 401,632 ----a-w c:\windows\system32\perfh009.dat
+ 2008-12-07 21:21:46 401,632 ----a-w c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13657780-c0a6-4146-88e6-0a8d4dadfe2a}]
c:\windows\system32\zerejuhu.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-09-18 171464]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"Veoh"="c:\program files\Veoh Networks\Veoh\VeohClient.exe" [2007-12-21 3481600]
"Steam"="c:\program files\Steam\Steam.exe" [2008-10-08 1410296]
"LogitechSoftwareUpdate"="c:\program files\Logitech\Video\ManifestEngine.exe" [2005-06-08 196608]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"Google Update"="c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2006-10-13 184320]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-11-15 267048]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]

c:\documents and settings\Matt\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
Tray Agent.lnk - c:\program files\Pristy Utils\Tray Agent.exe [2008-09-30 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dlcccoms.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\WINDOWS\\system32\\services.exe"=
"c:\\Program Files\\Pristy Utils\\CD Hotkey F9.exe"=
"c:\\Program Files\\SigmaTel\\C-Major Audio\\WDM\\stsystra.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-21 97928]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-21 231704]
R2 pgsql-8.3;PostgreSQL Database Server 8.3;"c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe" runservice -w -N "pgsql-8.3" -D "c:\program files\PostgreSQL\8.3\data\" []
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-06-19 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d79199be-53d0-11dc-a263-806d6172696f}]
\Shell\AutoRun\command - d:\dellkit\MD3Recovery.exe "DellKit\DellKit.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2008-12-10 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 11:16]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
FireFox -: Profile - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\lbk5yubm.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF -: plugin - c:\documents and settings\Matt\Application Data\Mozilla\Firefox\Profiles\lbk5yubm.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF -: plugin - c:\documents and settings\Matt\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll
FF -: plugin - c:\program files\iTunes\Mozilla Plugins\npitunes.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPJPI150_07.dll
FF -: plugin - c:\program files\Java\jre1.5.0_07\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Real\RhapsodyPlayerEngine\nprhapengine.dll
FF -: plugin - c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-10 00:57:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(860)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-12-10 0:59:42
ComboFix-quarantined-files.txt 2008-12-10 05:58:24
ComboFix2.txt 2008-12-09 19:24:12
ComboFix3.txt 2008-12-09 05:22:04
ComboFix4.txt 2008-12-07 21:22:52

Pre-Run: 27,096,219,648 bytes free
Post-Run: 27,091,922,944 bytes free

158 --- E O F --- 2007-09-18 21:38:30



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:51 AM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Pristy Utils\Tray Agent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Pristy Utils\CD Hotkey F9.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13657780-c0a6-4146-88e6-0a8d4dadfe2a} - C:\WINDOWS\system32\zerejuhu.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Tray Agent.lnk = C:\Program Files\Pristy Utils\Tray Agent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-U ... E_UNO1.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8691 bytes
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm

Re: Got some type of virus

Unread postby Bv202 » December 10th, 2008, 8:47 am

Hi again :)

Disable Spybot's TeaTimer. This is a two step process.
Spybot S&D's tea timer normally provides real-time protection from spyware, however it may interfere with what we need to do. We will disable it until the machine is clean when it can be re-enabled.

First step:
  • Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
  • If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
  • If you have Version 1.4, Click on Exit Spybot S&D Resident
Second step, For Either Version :
  • Open Spybot S&D
  • Click Mode, choose Advanced Mode
  • Go To the bottom of the Vertical Panel on the Left, Click Tools
  • then, also in left panel, click Resident shows a red/white shield.
  • If your firewall raises a question, say OK
  • In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
  • OK any prompts.
  • Use File, Exit to terminate Spybot
  • Reboot your machine for the changes to take effect.
Don't forget to re-enable it, when your computer is clean.


Backup Your Registry with ERUNT
  • Please use the following link to download ERUNT
  • Use the setup program to install ERUNT on your computer
Click Erunt.exe to backup your registry to the folder of your choice.

Note:to restore your registry, go to the folder and start ERDNT.exe

Open Notepad!
Copy and Paste everything from the Quote box into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="avgrsstx.dll"



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Go to File > Save As
Save File name as Fix.reg
Change Save as Type to All Files and save the file to your desktop.

Close Notepad, and double-click Fix.reg on your Desktop. When it asks if you want to merge the info to the registry, hit YES/OK.

HijackThis
Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines(if still present).

O2 - BHO: (no name) - {13657780-c0a6-4146-88e6-0a8d4dadfe2a} - C:\WINDOWS\system32\zerejuhu.dll (file missing)
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - (no file)


Then close all windows except Hijackthis and click Fix Checked
Close HijackThis.

Reboot the computer

Please post a new HijackThis log now :)
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bjorn420 » December 10th, 2008, 1:51 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:25 PM, on 12/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\Steam\Steam.exe
C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Pristy Utils\Tray Agent.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Pristy Utils\CD Hotkey F9.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Veoh] "C:\Program Files\Veoh Networks\Veoh\VeohClient.exe" /VeohHide
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Matt\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Tray Agent.lnk = C:\Program Files\Pristy Utils\Tray Agent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) -
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-CA/a-U ... E_UNO1.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/s ... DEXAXO.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 8608 bytes
Bjorn420
Active Member
 
Posts: 8
Joined: December 5th, 2008, 7:14 pm

Re: Got some type of virus

Unread postby Bv202 » December 10th, 2008, 1:59 pm

Hi Bjorn, logs looks better now :)

Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)

Re: Got some type of virus

Unread postby Bv202 » December 13th, 2008, 1:10 pm

Hello,

It's been 3 days since my last reply. Do you still require help? If not, please tell us so this thread can get closed.

If you do not reply in 48 hours, we'll close this thread.
Bv202
Regular Member
 
Posts: 1732
Joined: May 3rd, 2008, 10:46 am
Location: Belgium (GMT +1)
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 268 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware