Virus Time[INACTIVE]

keenankern · January 4, 2009

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:14:17 PM, on 1/4/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\Program Files\AlienGUIse\wbload.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Search Settings\SearchSettings.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\AIM6\aim6.exe

C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\WINDOWS\system32\mdm.exe

C:\Program Files\AIM6\aolsoftware.exe

C:\Program Files\AIM6\anotify.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centurytel.myway.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR

R3 - URLSearchHook: (no name) - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - (no file)

O3 - Toolbar: (no name) - {2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - (no file)

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [searchSettings] C:\Program Files\Search Settings\SearchSettings.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

O4 - HKLM\..\Run: [Nnixupadewiyohu] rundll32.exe "C:\WINDOWS\Jtihuwaq.dll",e

O4 - HKLM\..\Run: [10f7a49b] rundll32.exe "C:\WINDOWS\system32\swcqmcyw.dll",b

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"

O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')

O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')

O4 - Startup: Alienware Dock.lnk = C:\Program Files\AlienGUIse\AlienwareDock\ObjectDock.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: *.antimalwareguard.com

O15 - Trusted Zone: *.gomyhit.com

O15 - Trusted Zone: *.antimalwareguard.com (HKLM)

O15 - Trusted Zone: *.gomyhit.com (HKLM)

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...83/mcinsctl.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v5.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jin...ows-i586-jc.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab

O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: wbsys.dll ecxbwv.dll

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 8893 bytes

sarahw · January 4, 2009

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

keenankern · January 4, 2009

Problem, the virus does something funky to the internet, making every web page undisplayable.

sarahw · January 4, 2009

ok,

Download this:

http://subs.geekstogo.com/ComboFix.exe

run it.

Do not use the comuter while it is scanning, it will produce a log in notepad when it is finnished.

So not mouse-click anything while it is scanning either.

Post the log in a reply when you have finnished.

keenankern · January 4, 2009

Can't download anything because if I go to the link, the webpage is unable to connect.

sarahw · January 5, 2009

Write down that link.

Reboot the computer.

When the computer starts to boot, keep tapping F8 untill you see a list of options. Choose Safe Mode with Networking. (Do not stay on Safe Mode with Networking longer than neccessary). Open Internet explorer and go to that website to download Combofix.

keenankern · January 5, 2009

ComboFix 09-01-05.02 - Keeno 2009-01-05 16:50:48.1 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1735 [GMT -6:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

C:\bold.log

c:\program files\Rapid Antivirus

c:\program files\Rapid Antivirus\Uninstall.exe

c:\windows\Downloaded Program Files\setup.inf

c:\windows\system32\20ae0f0.dll

c:\windows\system32\2KPeLX26.exe.a_a

c:\windows\system32\config\systemprofile\Desktop\Rapid Antivirus.lnk

c:\windows\system32\drivers\seneka.sys

c:\windows\system32\drivers\senekawswwqjnt.sys

c:\windows\system32\ecxbwv.dll

c:\windows\system32\ijmTvyay.ini

c:\windows\system32\ijmTvyay.ini2

c:\windows\system32\kvlniyhp.ini

c:\windows\system32\M0XQnlgP.exe.a_a

c:\windows\system32\mdm.exe

c:\windows\system32\O6ASpniR.dll

c:\windows\system32\prunnet.exe

c:\windows\system32\seneka.dat

c:\windows\system32\senekadf.dat

c:\windows\system32\senekalog.dat

c:\windows\system32\senekaplrdlypu.dll

c:\windows\system32\senekatfmqhtiv.dll

c:\windows\system32\senekayqjhipjo.dll

c:\windows\system32\sjrkcqax.dll

c:\windows\system32\swcqmcyw.dll

c:\windows\system32\vghazx.dll

c:\windows\system32\voxrquii.dll

c:\windows\system32\wycmqcws.ini

c:\windows\system32\xaqckrjs.ini

c:\windows\system32\xwdmbbgv.ini

c:\windows\system32\xywuaify.dll

c:\windows\system32\yayvTmji.dll

c:\windows\system32\yvihegve.dll

c:\windows\system32\zyuoue.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_SENEKA

-------\Legacy_ONESTEP_SEARCH_SERVICE

((((((((((((((((((((((((( Files Created from 2008-12-05 to 2009-01-05 )))))))))))))))))))))))))))))))

.

2009-01-05 16:20 . 2009-01-05 16:20 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Search Settings

2009-01-02 22:06 . 2009-01-02 22:06 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\s_4610_fHx8fHx8fDEyNDM1ODUwMTN8_

2009-01-02 22:06 . 2009-01-02 22:11 <DIR> d-------- c:\windows\system32\config\systemprofile\Application Data\Rapid Antivirus

2009-01-02 21:44 . 2009-01-02 21:44 72,192 --a------ c:\windows\system32\hgGwXOFX.dll

2009-01-02 21:44 . 2009-01-02 21:44 40,448 --a------ c:\windows\system32\k9261108.exe

2008-12-30 00:17 . 2008-12-30 00:17 268 --ah----- C:\sqmdata15.sqm

2008-12-30 00:17 . 2008-12-30 00:17 268 --ah----- C:\sqmdata14.sqm

2008-12-30 00:17 . 2008-12-30 00:17 244 --ah----- C:\sqmnoopt15.sqm

2008-12-30 00:17 . 2008-12-30 00:17 244 --ah----- C:\sqmnoopt14.sqm

2008-12-28 17:55 . 2008-12-28 17:55 268 --ah----- C:\sqmdata13.sqm

2008-12-28 17:55 . 2008-12-28 17:55 244 --ah----- C:\sqmnoopt13.sqm

2008-12-24 18:07 . 2005-02-01 14:20 5,760,056 --a------ c:\windows\Darkstar.bmp

2008-12-24 18:06 . 2008-12-24 18:06 5,760,054 --a------ c:\windows\ALX_1600x1200.bmp

2008-12-24 18:04 . 2008-12-24 18:10 3,932,214 --a------ c:\windows\AW_XenoMorph1280.bmp

2008-12-24 18:03 . 2008-12-24 18:03 <DIR> d-------- c:\program files\Common Files\Stardock

2008-12-24 18:03 . 2008-12-24 18:07 <DIR> d-------- c:\program files\AlienGUIse

2008-12-24 18:03 . 2003-02-26 22:27 36,864 --a------ c:\windows\system32\wbsys.dll

2008-12-24 18:03 . 2008-12-24 18:03 56 --a------ c:\windows\wb.ini

2008-12-24 15:45 . 2008-04-13 13:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys

2008-12-24 15:45 . 2008-04-13 13:47 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys

2008-12-11 22:07 . 2008-12-11 22:07 268 --ah----- C:\sqmdata12.sqm

2008-12-11 22:07 . 2008-12-11 22:07 244 --ah----- C:\sqmnoopt12.sqm

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-03 04:44 --------- d-----w c:\program files\Bots

2008-12-27 03:17 --------- d-----w c:\program files\AIM6

2008-12-27 03:17 --------- d-----w c:\documents and settings\All Users\Application Data\AOL Downloads

2008-12-21 20:34 --------- d-----w c:\program files\Workspace Macro Pro 6.5

2008-12-21 20:33 --------- d-----w c:\program files\Total Video Converter

2008-12-21 20:31 --------- d-----w c:\program files\Cheat Engine

2008-12-21 20:29 --------- d-----w c:\program files\Starcraft

2008-12-21 20:28 --------- d-----w c:\program files\SwiftSwitch

2008-12-21 20:28 --------- d-----w c:\program files\SwiftKit

2008-12-21 01:10 --------- d-----w c:\program files\Dofus

2008-12-19 03:53 --------- d-----w c:\program files\WarRock

2008-11-07 23:37 --------- d-----w c:\program files\Alwil Software

2008-10-27 23:22 121,396 -c--a-w c:\program files\lalalala.exe

2008-07-25 03:19 23 -c--a-w c:\documents and settings\Keeno\jagex_runescape_preferences.dat

2008-03-18 20:43 32 -c--a-w c:\documents and settings\All Users\Application Data\ezsid.dat

2007-10-12 20:02 121 -c--a-w c:\documents and settings\Keeno\Install_WLMessenger.exe

2007-09-22 05:26 9,870,032 -c--a-w c:\documents and settings\Keeno\fp2006-final-3.00-setup.zip

2007-09-22 04:07 241,664 -c--a-w c:\program files\Uninstall Ask Toolbar.dll

2008-12-21 03:47 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-21 03:47 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-21 03:47 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-21 03:47 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-21 03:47 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-08-21 15:22 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008082120080822\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

"Aim6"="c:\program files\AIM6\aim6.exe" [2008-01-03 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 39792]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-11 185896]

"SearchSettings"="c:\program files\Search Settings\SearchSettings.exe" [2007-12-06 1069920]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]

"nwiz"="nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-06-27 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]

2001-12-20 23:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=wbsys.dll ecxbwv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"VIDC.XFR1"= xfcodec.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Workspace Macro Pro Hotkeys.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Workspace Macro Pro Hotkeys.lnk

backup=c:\windows\pss\Workspace Macro Pro Hotkeys.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Keeno^Start Menu^Programs^Startup^Xfire.lnk]

path=c:\documents and settings\Keeno\Start Menu\Programs\Startup\Xfire.lnk

backup=c:\windows\pss\Xfire.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2007-10-10 18:51 39792 c:\program files\Adobe\Reader 8.0\Reader\Reader_SL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

--a------ 2008-01-03 10:15 50528 c:\program files\AIM6\aim6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]

--a------ 2008-04-13 18:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

--a--c--- 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]

--a--c--- 2005-09-08 04:20 122940 c:\windows\system32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

-----c--- 2005-02-23 15:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]

--a--c--- 2005-09-20 08:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]

--a--c--- 2005-09-20 08:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]

--a--c--- 2005-09-20 08:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a--c--- 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]

--a--c--- 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MP10_EnsureFileVer]

--a------ 2007-06-26 21:10 317440 c:\windows\inf\unregmp2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 18:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]

--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2008-09-29 16:57 21755688 c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]

--a--c--- 2004-10-14 13:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a--c--- 2007-07-12 03:00 132496 c:\program files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\WINDOWS\\system32\\java.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Xfire\\xfire.exe"=

"c:\\Program Files\\Bots\\bots.dat"=

"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\NGM\\NGM.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\Nexon\\Common\\NMService.exe"=

"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=

"\\\\Mah-pc\\Combat Arms\\NMService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe

"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe

"c:\\Nexon\\Combat Arms\\NMService.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"43594:TCP"= 43594:TCP:RSPS

R4 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-12-30 24652]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1d20604e-75f2-11dc-ae36-001676aa3570}]

\Shell\AutoRun\command - F:\setupSNK.exe

.

Contents of the 'Scheduled Tasks' folder

2009-01-05 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-01-05 c:\windows\Tasks\tujvdgkg.job

- c:\windows\system32\rundll32.exe [2008-04-13 18:12]

.

- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - (no file)

BHO-{1C1B8A44-61FE-411E-8F33-813A4E2E2984} - c:\windows\system32\avgsafe.dll

BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ljJDWOiH.dll

BHO-{8c3e2c42-3fbb-435d-b10b-840e79462b1b} - c:\windows\system32\ecxbwv.dll

BHO-{DFBD8876-9F2E-418C-99A9-9215D3704519} - c:\windows\system32\yayvTmji.dll

Toolbar-{2ba521ac-b9b9-4433-ba45-dba2f02cba5a} - (no file)

WebBrowser-{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A} - (no file)

HKCU-Run-prunnet - c:\windows\system32\prunnet.exe

HKLM-Run-NapsterShell - c:\program files\Napster\napster.exe

HKLM-Run-prunnet - c:\windows\system32\prunnet.exe

HKLM-Run-Nnixupadewiyohu - c:\windows\Jtihuwaq.dll

ShellExecuteHooks-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - c:\windows\system32\ljJDWOiH.dll

Notify-ljJDWOiH - ljJDWOiH.dll

MSConfigStartUp-DownloadAccelerator - c:\program files\DAP\DAP.EXE

MSConfigStartUp-NexonPlug - c:\documents and settings\Keeno\Desktop\NexonPlug\NexonPlug.exe

MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

------- Supplementary Scan -------

.

uStart Page = hxxp://centurytel.myway.com

IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm

Trusted Zone: *.antimalwareguard.com

Trusted Zone: *.gomyhit.com

Trusted Zone: *.antimalwareguard.com

Trusted Zone: *.gomyhit.com

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab

c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\GoPetsWeb.ocx - O16 -: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8}

hxxps://secure.gopetslive.com/dev/GoPetsWeb.cab

c:\windows\Downloaded Program Files\GoPetsWeb.inf

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\w0nnx40o.default\

FF - prefs.js: browser.search.selectedEngine - Yahoo

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=vmn&type=vendio&p=

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\[email protected]\components\SearchSettingsFF.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-05 17:07:39

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)

c:\program files\AlienGUIse\fastload.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvsvc32.exe

c:\windows\system32\PnkBstrA.exe

.

**************************************************************************

.

Completion time: 2009-01-05 17:14:18 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-05 23:14:15

Pre-Run: 33,827,475,456 bytes free

Post-Run: 33,917,235,200 bytes free

267 --- E O F --- 2008-12-18 04:32:44

sarahw · January 6, 2009

1.

Go to this link, fill in your username and the link to this thread, then click on browse and locate this file on your computer (if you cant find it, copy and paste it into the right field), then click on "send file".

c:\program files\lalalala.exe

2.

Right click Here and select Save As to download WinHelp2002's DelDomains.inf. Please save the file somewhere you can find it like on the desktop. To run the inf file, right click on it and select Install.

3.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\sqmdata15.sqm
C:\sqmdata14.sqm
C:\sqmnoopt15.sqm
C:\sqmnoopt14.sqm
C:\sqmdata13.sqm
C:\sqmnoopt13.sqm
C:\sqmdata12.sqm
C:\sqmnoopt12.sqm
C:\windows\system32\ecxbwv.dll
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"appinit_dlls"=""

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Can you boot into normal mode now?

keenankern · January 6, 2009

I can now use my browser, the internet is working.

Here's the log:

ComboFix 09-01-05.03 - Keeno 2009-01-05 21:39:05.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1657 [GMT -6:00]

Running from: c:\documents and settings\Keeno\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Keeno\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-12-06 to 2009-01-06 )))))))))))))))))))))))))))))))

.

2009-01-05 21:28 . 2008-04-13 18:12 82,432 ---h---t- c:\windows\system32\27840fb0.dll

2009-01-05 21:28 . 2008-04-13 18:12 82,432 ---h---t- c:\windows\system32\1ece69a.dll