#1 - 03-28-2009 - Bronze Member (Join Date: Jan 2009; Posts: 10; PC Experience: PC Illiterate)
Re-infected with Trojan Vundo

Infected again with Trojan Vundo. This happened once before in January and was fixed but it has come back again. ):


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:10:10 PM, on 3/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_01\bin\jucheck.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: 82.98.235.133 browser-security.microsoft.com
O1 - Hosts: 82.98.235.133 url.adtrgt.com
O1 - Hosts: 82.98.235.133 best-click-scanner.info
O1 - Hosts: 82.98.235.133 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.235.133 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.235.133 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.235.133 onlinenotifyq.net
O1 - Hosts: 82.98.235.133 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.235.133 microsoft.browser-security-center.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8873d2b9-530e-4431-873b-02aa7facce18} - C:\WINDOWS\system32\degipeme.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [sefuwasuya] Rundll32.exe "C:\WINDOWS\system32\zevihami.dll",s
O4 - HKLM\..\Run: [9cfa4f5d] rundll32.exe "C:\WINDOWS\system32\sekanawo.dll",b
O4 - HKLM\..\Run: [CPM9fc97cc1] Rundll32.exe "c:\windows\system32\sotugulu.dll",a
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Twain] C:\Documents and Settings\Crystal\Application Data\Twain\Twain.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Crystal\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [Twain] C:\Documents and Settings\Crystal\Application Data\Twain\Twain.exe (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [SpeedRunner] C:\Documents and Settings\Crystal\Application Data\SpeedRunner\SpeedRunner.exe (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1629006583-3652679288-599142781-1005 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User '?')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: wbsys.dll xufcxo.dll qlhnkp.dll C:\WINDOWS\system32\rahurite.dll c:\windows\system32\sotugulu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sotugulu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sotugulu.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 12740 bytes

Malwarebytes' Anti-Malware 1.32
Database version: 1629
Windows 5.1.2600 Service Pack 2

3/27/2009 10:03:59 PM
mbam-log-2009-03-27 (22-03-54).txt

Scan type: Full Scan (C:\|D:\|F:\|G:\|H:\|I:\|)
Objects scanned: 129288
Time elapsed: 56 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 4
Registry Keys Infected: 7
Registry Values Infected: 5
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\sekanawo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rahurite.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sotugulu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\degipeme.dll (Trojan.Vundo.H) -> No action taken.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8873d2b9-530e-4431-873b-02aa7facce18} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8873d2b9-530e-4431-873b-02aa7facce18} (Trojan.Vundo.H) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{8873d2b9-530e-4431-873b-02aa7facce18} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9cfa4f5d (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sefuwasuya (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm9fc97cc1 (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rahurite.dll -> No action taken.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\rahurite.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rahurite.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\sotugulu.dll -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\sotugulu.dll -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sekanawo.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\owanakes.ini (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\zevihami.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\sotugulu.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\degipeme.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\rahurite.dll (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Crystal\Local Settings\Temp\e.exe (Trojan.Vundo.H) -> No action taken.
C:\Documents and Settings\Crystal\Local Settings\Temporary Internet Files\Content.IE5\AX9A7ETG\load[1].php (Trojan.Vundo.H) -> No action taken.
-- Mivaelianyn
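The log in this first post shows the full Vundo persistence footprint: the same randomly named system32 DLLs appear as an unnamed BHO (O2), as rundll32 Run entries with one-letter exports (O4), in AppInit_DLLs (O20) and in the SSODL and SharedTaskScheduler shell load points (O21/O22), while the O1 hosts entries redirect a set of security-related domains to a single IP. The Malwarebytes log underneath was saved with "No action taken" on every item, so that scan removed nothing. The following Python script is an added example, not part of this thread or of HijackThis: it reads a HijackThis 2.0.x log and flags those patterns. The sample lines are constructed from the entries above, and the heuristics (non-loopback hosts entries, one-letter rundll32 exports, 8-letter lowercase DLL names, one DLL registered at several load points) are assumptions made for this example, not HijackThis rules.

```python
"""Triage a HijackThis 2.0.x log for the load points Vundo-style malware abuses.

Added example, not part of the forum thread or of HijackThis. The heuristics
(one-letter rundll32 exports, 8-letter lowercase DLL names, non-loopback hosts
entries, one DLL at several load points) are assumptions made for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample, modelled on the entries in the posted log.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.235.133 browser-security.microsoft.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {8873d2b9-530e-4431-873b-02aa7facce18} - C:\WINDOWS\system32\degipeme.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [sefuwasuya] Rundll32.exe "C:\WINDOWS\system32\zevihami.dll",s
O4 - HKLM\..\Run: [9cfa4f5d] rundll32.exe "C:\WINDOWS\system32\sekanawo.dll",b
O4 - HKLM\..\Run: [CPM9fc97cc1] Rundll32.exe "c:\windows\system32\sotugulu.dll",a
O20 - AppInit_DLLs: wbsys.dll C:\WINDOWS\system32\rahurite.dll c:\windows\system32\sotugulu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sotugulu.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sotugulu.dll
"""

ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")          # "O4 - <body>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")              # "Hosts: <ip> <name>"
RUN_RE = re.compile(r"^(HK[^:]*):\s+\[([^\]]*)\]\s+(.*)$")     # "HKLM\..\Run: [name] cmd"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?,(\S+)', re.IGNORECASE)
CLSID_DLL_RE = re.compile(r"(\{[0-9A-Fa-f-]{36}\})\s+-\s+(\S.*\.dll)\s*$", re.IGNORECASE)
RANDOM_DLL_RE = re.compile(r"^[a-z]{8}\.dll$")  # heuristic: Vundo-style pronounceable random names


def parse_entries(log_text):
    """Yield (section, body) for every HJT entry line; header and process lines are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def basename(path):
    """Last path component, accepting either slash style."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text):
    """Return a list of (kind, detail) findings, in log order, followed by cross-load-point hits."""
    findings = []
    load_points = defaultdict(set)  # dll basename (lower-cased) -> HJT sections that load it
    for section, body in parse_entries(log_text):
        if section == "O1":  # hosts file: anything not pointing at loopback is a redirect
            m = HOSTS_RE.match(body)
            if m:
                ip, host = m.groups()
                try:
                    is_loopback = ipaddress.ip_address(ip).is_loopback
                except ValueError:
                    is_loopback = False
                if not is_loopback:
                    findings.append(("hosts-redirect", f"{host} -> {ip}"))
        elif section == "O2":  # browser helper objects
            m = CLSID_DLL_RE.search(body)
            if m:
                load_points[basename(m.group(2)).lower()].add(section)
            if body.startswith("BHO: (no name)"):
                findings.append(("unnamed-bho", body))
        elif section == "O4":  # Run keys: look for rundll32 loading a DLL by a terse export
            m = RUN_RE.match(body)
            r = RUNDLL_RE.search(m.group(3)) if m else None
            if r:
                dll, export = r.groups()
                base = basename(dll)
                load_points[base.lower()].add(section)
                reasons = []
                if len(export) == 1:
                    reasons.append("one-letter export")
                if RANDOM_DLL_RE.match(base):
                    reasons.append("8-letter random-looking DLL name")
                if reasons:
                    findings.append(("rundll32-loader", f"[{m.group(2)}] {base} ({', '.join(reasons)})"))
        elif section == "O20":  # AppInit_DLLs: every listed DLL is injected into user32-linked processes
            _, _, value = body.partition(":")
            for dll in value.split():
                load_points[basename(dll).lower()].add(section)
                findings.append(("appinit-dll", dll))
        elif section in ("O21", "O22"):  # SSODL / SharedTaskScheduler: loaded by Explorer at logon
            m = CLSID_DLL_RE.search(body)
            if m:
                clsid, dll = m.groups()
                load_points[basename(dll).lower()].add(section)
                findings.append(("shell-load-point", f"{section} {clsid} -> {basename(dll)}"))
    for dll, sections in sorted(load_points.items()):
        if len(sections) > 1:  # same DLL registered at several load points: typical of Vundo
            findings.append(("multi-point-persistence", f"{dll} loaded from {', '.join(sorted(sections))}"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for kind, detail in triage(text):
        print(f"{kind:24} {detail}")
```

Pass a saved log path as the first argument; with no argument it runs over the constructed sample. A hit is a reason to look closer, not a verdict: AppInit_DLLs can legitimately carry entries (wbsys.dll in the log above typically belongs to the WindowBlinds engine that AlienGUIse, also present on this machine, is built on), so the AppInit list is reported for review rather than judged, and a DLL that turns up at three or four load points at once is the strongest signal here.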
#2 - 03-28-2009 - chiaz, Senior Security Analyst (Join Date: Jun 2006; Location: Singapore; Posts: 5,177; PC Experience: PC Guru)
Re: Re-infected with Trojan Vundo

Hello.

First let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

A guide and tutorial on using ComboFix

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review (copy and paste them, not attach), so that we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log



Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
-- chiaz
#3 - 03-29-2009 - Bronze Member (Join Date: Jan 2009; Posts: 10; PC Experience: PC Illiterate)
Re: Re-infected with Trojan Vundo

At the very end of running ComboFix, my computer screen went to a blue screen with the message "A problem has been detected and Windows has been shut down to prevent damage to your computer. The problem seems to be caused by the following file: catchme.sys" and then gave some technical information. After rebooting, I didn't get any other errors on Windows.

ComboFix 09-03-28.04 - Crystal 2009-03-28 23:16:25.2 - NTFSx86
Running from: C:\Documents and Settings\Crystal\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Crystal\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Crystal\Local Settings\Temporary Internet Files\fbk.sts
C:\WINDOWS\system32\degipeme.dll
c:\windows\system32\gunowini.dll
C:\WINDOWS\system32\ofikowoy.ini
C:\WINDOWS\system32\owanakes.ini
C:\WINDOWS\system32\rahurite.dll
C:\WINDOWS\system32\sekanawo.dll
C:\WINDOWS\system32\sotugulu.dll
C:\WINDOWS\system32\uejfetae.ini
C:\WINDOWS\system32\yowokifo.dll
C:\WINDOWS\system32\zevihami.dll
C:\WINDOWS\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 04:21 --------- d-----w C:\Program Files\DNA
2009-03-29 04:21 --------- d-----w C:\Documents and Settings\Crystal\Application Data\DNA
2009-03-28 17:48 --------- d-----w C:\Documents and Settings\Crystal\Application Data\AVG7
2009-03-27 00:51 --------- d-----w C:\Program Files\Windows Live Safety Center
2009-03-24 03:34 --------- d-----w C:\Documents and Settings\Crystal\Application Data\Skype
2009-03-24 02:36 --------- d-----w C:\Documents and Settings\Crystal\Application Data\skypePM
2009-02-17 08:33 --------- d-----w C:\Documents and Settings\Crystal\Application Data\uTorrent
2009-02-17 01:30 --------- d-----w C:\Program Files\uTorrent
2009-02-15 00:22 --------- d-----w C:\Program Files\Soulseek
2009-02-14 20:36 --------- d--h--r C:\Documents and Settings\Crystal\Application Data\yahoo!
2009-02-14 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2009-02-14 20:34 --------- d-----w C:\Program Files\Veoh Networks
2009-02-12 02:56 --------- d-----w C:\Program Files\Google
2008-12-20 09:12 67,688 ----a-w C:\Program Files\mozilla firefox\components\jar50.dll
2008-12-20 09:12 54,368 ----a-w C:\Program Files\mozilla firefox\components\jsd3250.dll
2008-12-20 09:12 34,944 ----a-w C:\Program Files\mozilla firefox\components\myspell.dll
2008-12-20 09:12 46,712 ----a-w C:\Program Files\mozilla firefox\components\spellchk.dll
2008-12-20 09:12 172,136 ----a-w C:\Program Files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_13.39.03.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-06-20 21:44:04 379,704 ----a-w C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
+ 2006-06-20 21:44:02 117,560 ----a-w C:\WINDOWS\Downloaded Program Files\PURen-us.dll
- 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 02:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2000-08-31 14:00:00 28,672 ----a-w C:\WINDOWS\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w C:\WINDOWS\NIRCMD.exe
- 2000-08-31 14:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w C:\WINDOWS\SWREG.exe
- 2008-12-04 01:59:02 15,504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
+ 2009-01-05 00:38:18 15,504 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
- 2008-12-04 01:59:06 38,496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
+ 2009-01-05 00:38:22 38,496 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
+ 2009-03-28 16:36:21 61,440 --sha-w C:\WINDOWS\system32\kekasika.exe
+ 2004-05-14 22:53:08 57,344 ----a-w C:\WINDOWS\system32\lfbmp13n.dll
+ 2004-05-14 22:53:08 401,408 ----a-w C:\WINDOWS\system32\lfcmp13n.dll
+ 2003-11-04 21:10:40 69,632 ----a-w C:\WINDOWS\system32\lfgif13n.dll
+ 2003-11-04 21:11:04 159,744 ----a-w C:\WINDOWS\system32\lfpng13n.dll
+ 2003-05-22 22:31:56 55,808 ----a-w C:\WINDOWS\system32\lfpsd13n.dll
+ 2004-05-14 22:53:10 299,008 ----a-w C:\WINDOWS\system32\ltdis13n.dll
+ 2004-01-12 08:09:42 206,336 ----a-w C:\WINDOWS\system32\ltefx13n.dll
+ 2004-05-14 22:53:10 163,840 ----a-w C:\WINDOWS\system32\ltfil13n.dll
+ 2004-05-14 22:53:12 450,560 ----a-w C:\WINDOWS\system32\ltimg13n.dll
+ 2004-05-14 22:53:12 462,848 ----a-w C:\WINDOWS\system32\ltkrn13n.dll
+ 2009-03-28 01:54:33 61,440 --sha-w C:\WINDOWS\system32\rilihoki.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\Program Files\AIM\aim.exe" [2003-09-25 06:28 61440]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54 5674352]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-12 09:21 68856]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-01 17:11 4670968]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2009-01-09 00:39 342848]
"VeohPlugin"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-06 15:44 3572984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-05 20:33 102490]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-05 20:33 708698]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 13:50 155648]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-05-05 20:32 5898240]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 13:09 590848]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVG7\avgemc.exe" [2008-01-08 13:56 406528]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 15:18 241664]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Share-to-Web Namespace Daemon"="C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42 69632]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2006-11-21 12:38 35328]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43 83608]
"PtiuPbmd"="ptipbm.dll" [2005-05-05 16:33 24576 C:\WINDOWS\system32\ptipbm.dll]
"CHotkey"="mHotkey.exe" [2001-12-26 03:12 472576 C:\WINDOWS\mHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 19:45 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-05 20:33 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-05 20:33 2748928 C:\WINDOWS\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-05-05 20:32 1519616 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-07 19:47 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-02 07:54:38 113664]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 06:44:06 29696]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-14 17:15:40 241664]
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-14 17:51:12 53248]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 01:34 24576 C:\Program Files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Nexon\\MapleStory\\Patcher.exe"=
"C:\\Nexon\\MapleStory\\MapleStory.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Documents and Settings\\Crystal\\Desktop\\slsk.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jucheck.exe"=

R3 CBBCM43;BUFFALO WLI-CB-XXX Wireless LAN Adapter;C:\WINDOWS\system32\DRIVERS\bcmwl5.sys [2003-01-20 15:35 163712]
S1 TeksKernel;TeksKernel;C:\WINDOWS\system32\Drivers\TeksKernel.sys [2004-07-08 16:14 9060]
S2 bwcdrv;BUFFALO Wireless Configuration;C:\WINDOWS\system32\DRIVERS\bwcdrv.sys [2003-01-20 15:35 7680]
S2 ProductivITService;ProductivIT Service;C:\Program Files\AlienAutopsy\TEKS_Service.exe [2004-07-08 16:22 77824]
S3 Slazldrv;SmartLink AMR_PCI Driver;C:\WINDOWS\system32\DRIVERS\SLDRV\slazldrv.sys [2005-05-05 20:33 230448]


--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Avg7Alrt
*Deregistered* - Avg7Core
*Deregistered* - Avg7RsW
*Deregistered* - Avg7RsXP
*Deregistered* - Avg7UpdSvc
*Deregistered* - AvgClean
*Deregistered* - AvgTdi
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - bwcdrv
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - InCDfs
*Deregistered* - InCDsrv
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - Irmon
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - npkcmsvc
*Deregistered* - npkcrypt
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProductivITService
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RecAgent
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SLService
*Deregistered* - SlWdmSup
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TeksKernel
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0732a5c0-faa1-11db-b8dd-0090f53edbaf}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5c311e-cfc8-11dd-9fba-0090f53ed11c}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 C:\WINDOWS\Tasks\lmkyhmjr.job
- C:\WINDOWS\system32\ssqNGVoP.dll []
.
- - - - ORPHANS REMOVED - - - -

BHO-{8873d2b9-530e-4431-873b-02aa7facce18} - C:\WINDOWS\system32\degipeme.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
Trusted Zone: unf.edu\mywings
DPF: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
FF - ProfilePath - C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\t95vmqwi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: C:\Program Files\Mozilla Firefox\components\xpinstal.dll
FF - plugin: C:\Documents and Settings\Crystal\Application Data\Mozilla\Firefox\Profiles\t95vmqwi.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07075003.dll
FF - plugin: C:\PROGRA~1\Yahoo!\Common\npyaxmpb.dll
.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:34, on 2009-03-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\Program Files\DNA\btdna.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {8873d2b9-530e-4431-873b-02aa7facce18} - C:\WINDOWS\system32\degipeme.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1629006583-3652679288-599142781-1005 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User '?')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 10816 bytes
Posted by Mivaelianyn
Old 03-29-2009   #4
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 5,177
PC Experience: PC Guru
Default Re: Re-infected with Trojan Vundo

Your computer is definitely infected.

I just realized that after you scanned with MBAM, you did not specify any action to be taken. Please re-run MBAM, and when you get to the results page, please delete everything found.

After that, reboot, and post a new ComboFix log. Thanks.
Posted by chiaz
Old 03-29-2009   #5
Bronze Member
 
Join Date: Jan 2009
Posts: 10
PC Experience: PC Illiterate
Default Re: Re-infected with Trojan Vundo

ComboFix 09-03-28.06 - Crystal 2009-03-29 13:19:59.3 - NTFSx86
Running from: c:\documents and settings\Crystal\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\Crystal\Local Settings\Temporary Internet Files\CPV.stt
c:\documents and settings\Crystal\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\degipeme.dll
c:\windows\system32\gunowini.dll
c:\windows\system32\ofikowoy.ini
c:\windows\system32\owanakes.ini
c:\windows\system32\rahurite.dll
c:\windows\system32\sekanawo.dll
c:\windows\system32\sotugulu.dll
c:\windows\system32\uejfetae.ini
c:\windows\system32\yowokifo.dll
c:\windows\system32\zevihami.dll
c:\windows\wiaserviv.log

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 18:16 --------- d-----w c:\program files\DNA
2009-03-29 18:16 --------- d-----w c:\documents and settings\Crystal\Application Data\DNA
2009-03-29 16:00 --------- d-----w c:\documents and settings\Crystal\Application Data\AVG7
2009-03-29 05:25 --------- d-----w c:\program files\Windows Live Safety Center
2009-03-28 16:36 61,440 --sha-w c:\windows\system32\kekasika.exe
2009-03-28 01:54 61,440 --sha-w c:\windows\system32\rilihoki.exe
2009-03-24 03:34 --------- d-----w c:\documents and settings\Crystal\Application Data\Skype
2009-03-24 02:36 --------- d-----w c:\documents and settings\Crystal\Application Data\skypePM
2009-02-17 08:33 --------- d-----w c:\documents and settings\Crystal\Application Data\uTorrent
2009-02-17 01:30 --------- d-----w c:\program files\uTorrent
2009-02-15 00:22 --------- d-----w c:\program files\Soulseek
2009-02-14 20:36 --------- d--h--r c:\documents and settings\Crystal\Application Data\yahoo!
2009-02-14 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-14 20:34 --------- d-----w c:\program files\Veoh Networks
2009-02-12 02:56 --------- d-----w c:\program files\Google
2008-12-20 09:12 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 09:12 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 09:12 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 09:12 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 09:12 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( snapshot@2008-12-28_13.39.03.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-05 06:41:26 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP2QFE\schannel.dll
+ 2008-12-05 06:54:55 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3GDR\schannel.dll
+ 2008-12-05 06:58:08 144,896 ----a-w c:\windows\$hf_mig$\KB960225\SP3QFE\schannel.dll
+ 2007-11-30 11:18:51 17,272 ----a-w c:\windows\$hf_mig$\KB960225\spmsg.dll
+ 2007-11-30 11:18:51 231,288 ----a-w c:\windows\$hf_mig$\KB960225\spuninst.exe
+ 2007-11-30 11:18:51 26,488 ----a-w c:\windows\$hf_mig$\KB960225\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB960225\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB960225\update\updspapi.dll
+ 2006-06-20 21:44:04 379,704 ----a-w c:\windows\Downloaded Program Files\MsnPUpld.dll
+ 2006-06-20 21:44:02 117,560 ----a-w c:\windows\Downloaded Program Files\PURen-us.dll
- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 02:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 14:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2007-04-25 14:21:15 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
+ 2008-12-05 07:12:45 144,896 -c--a-w c:\windows\system32\dllcache\schannel.dll
- 2008-08-28 10:04:17 333,056 -c--a-w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 11:57:21 333,184 -c--a-w c:\windows\system32\dllcache\srv.sys
- 2008-12-04 01:59:02 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
+ 2009-01-05 00:38:18 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
- 2008-12-04 01:59:06 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
+ 2009-01-05 00:38:22 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
- 2008-08-28 10:04:17 333,056 ----a-w c:\windows\system32\drivers\srv.sys
+ 2008-12-11 11:57:21 333,184 ----a-w c:\windows\system32\drivers\srv.sys
+ 2004-05-14 22:53:08 57,344 ----a-w c:\windows\system32\lfbmp13n.dll
+ 2004-05-14 22:53:08 401,408 ----a-w c:\windows\system32\lfcmp13n.dll
+ 2003-11-04 21:10:40 69,632 ----a-w c:\windows\system32\lfgif13n.dll
+ 2003-11-04 21:11:04 159,744 ----a-w c:\windows\system32\lfpng13n.dll
+ 2003-05-22 22:31:56 55,808 ----a-w c:\windows\system32\lfpsd13n.dll
+ 2004-05-14 22:53:10 299,008 ----a-w c:\windows\system32\ltdis13n.dll
+ 2004-01-12 08:09:42 206,336 ----a-w c:\windows\system32\ltefx13n.dll
+ 2004-05-14 22:53:10 163,840 ----a-w c:\windows\system32\ltfil13n.dll
+ 2004-05-14 22:53:12 450,560 ----a-w c:\windows\system32\ltimg13n.dll
+ 2004-05-14 22:53:12 462,848 ----a-w c:\windows\system32\ltkrn13n.dll
- 2007-04-25 14:21:15 144,896 ----a-w c:\windows\system32\schannel.dll
+ 2008-12-05 07:12:45 144,896 ----a-w c:\windows\system32\schannel.dll
- 2007-11-30 12:39:22 17,272 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2003-09-25 61440]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-12 68856]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-01 4670968]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-09 342848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-06 3572984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-05 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-05 708698]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-05 5898240]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"AVG7_EMC"="c:\progra~1\Grisoft\AVG7\avgemc.exe" [2008-01-08 406528]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"PtiuPbmd"="ptipbm.dll" [2005-05-05 c:\windows\system32\ptipbm.dll]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-05 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-05 c:\windows\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-05-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-07 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-02 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-14 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-14 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 01:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Crystal\\Desktop\\slsk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jucheck.exe"=

R3 CBBCM43;BUFFALO WLI-CB-XXX Wireless LAN Adapter;c:\windows\system32\DRIVERS\bcmwl5.sys [2003-01-20 163712]
S1 TeksKernel;TeksKernel;c:\windows\system32\Drivers\TeksKernel.sys [2004-07-08 9060]
S2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\DRIVERS\bwcdrv.sys [2003-01-20 7680]
S2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [2004-07-08 77824]
S3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\DRIVERS\SLDRV\slazldrv.sys [2005-05-05 230448]


--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Avg7Alrt
*Deregistered* - Avg7Core
*Deregistered* - Avg7RsW
*Deregistered* - Avg7RsXP
*Deregistered* - Avg7UpdSvc
*Deregistered* - AvgClean
*Deregistered* - AvgTdi
*Deregistered* - Beep
*Deregistered* - Browser
*Deregistered* - bwcdrv
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - InCDfs
*Deregistered* - InCDsrv
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - Irmon
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - npkcmsvc
*Deregistered* - npkcrypt
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProductivITService
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RecAgent
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SLService
*Deregistered* - SlWdmSup
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TeksKernel
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0732a5c0-faa1-11db-b8dd-0090f53edbaf}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5c311e-cfc8-11dd-9fba-0090f53ed11c}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-29 c:\windows\Tasks\lmkyhmjr.job
- c:\windows\system32\ssqNGVoP.dll []
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: unf.edu\mywings
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\t95vmqwi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 13:22:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1629006583-3652679288-599142781-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2009-03-29 13:23:46
ComboFix-quarantined-files.txt 2009-03-29 18:23:43
ComboFix2.txt 2008-12-28 19:39:30

Pre-Run: 51,366,928,384 bytes free
Post-Run: 51,400,859,648 bytes free

332 --- E O F --- 2009-03-29 06:45:50
Posted by Mivaelianyn
Old 03-30-2009   #6
Senior Security Analyst
Join Date: Jun 2006
Location: Singapore
Posts: 5,177
PC Experience: PC Guru
Default Re: Re-infected with Trojan Vundo

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:


File::
c:\windows\system32\kekasika.exe
c:\windows\system32\rilihoki.exe
c:\windows\system32\ssqNGVoP.dll
C:\WINDOWS\Tasks\lmkyhmjr.job

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
Posted by chiaz
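As an added triage example (not part of the thread, and not ComboFix's own code), the following Python parses ComboFix "Find3M Report" lines in the layout shown in the log above and applies the filter behind chiaz's CFScript: recently modified executables under the Windows directory that carry both the system and hidden attributes. The sample log text is constructed from entries that appear in the post above; the attribute-flag positions are read from the lines in that log, so treat the position mapping as an assumption.

```python
"""Parse ComboFix Find3M lines and flag hidden+system executables under Windows."""
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Find3M line layout as seen in the thread:
#   YYYY-MM-DD HH:MM <size with commas, or dashes for a directory> <7 flags> <path>
# Flag positions (assumed from the log): directory, compressed, system, hidden,
# archive, one unused slot, then 'r' (read-only) or 'w' (writable).
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[d-][c-][s-][h-][a-].[rw]) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")


@dataclass
class Entry:
    modified: date
    size: Optional[int]   # None for directories (dashes in the log)
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def system_hidden(self) -> bool:
        return self.attrs[2] == "s" and self.attrs[3] == "h"


def parse_find3m(text: str) -> List[Entry]:
    """Return one Entry per Find3M line; headers, dots and blanks are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        entries.append(Entry(date.fromisoformat(m["date"]), size, m["attrs"], m["path"]))
    return entries


def suspicious(entries: List[Entry], scan_date: str, recent_days: int = 30) -> List[str]:
    """Paths matching the pattern chiaz acted on: an executable under the
    Windows directory with system+hidden attributes, modified within
    recent_days of the scan. Legitimate binaries in system32 are rarely
    marked system+hidden, so this is a high-signal filter, not proof."""
    scan = date.fromisoformat(scan_date)
    hits = []
    for e in entries:
        if e.is_dir:
            continue
        p = e.path.lower()
        if not p.endswith(EXEC_EXT) or "\\windows\\" not in p:
            continue
        age = (scan - e.modified).days
        if e.system_hidden and 0 <= age <= recent_days:
            hits.append(e.path)
    return hits


# Constructed sample: a few Find3M lines copied from the ComboFix log posted above.
SAMPLE_LOG = """\
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 18:16 --------- d-----w c:\\program files\\DNA
2009-03-28 16:36 61,440 --sha-w c:\\windows\\system32\\kekasika.exe
2009-03-28 01:54 61,440 --sha-w c:\\windows\\system32\\rilihoki.exe
2009-02-14 20:36 --------- d--h--r c:\\documents and settings\\Crystal\\Application Data\\yahoo!
2008-12-20 09:12 172,136 ----a-w c:\\program files\\mozilla firefox\\components\\xpinstal.dll
2009-02-09 10:19 1,846,272 ----a-w c:\\windows\\system32\\win32k.sys
"""

if __name__ == "__main__":
    # Scan date taken from the ComboFix header in the post above.
    for path in suspicious(parse_find3m(SAMPLE_LOG), "2009-03-29"):
        print("review:", path)
```

Run against a full ComboFix.txt, the win32k.sys and Firefox component lines show why the filter needs both the attribute and the location test: patched system files are recent but not hidden, and third-party DLLs are outside the Windows directory.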
Old 04-10-2009   #7
Bronze Member
 
Join Date: Jan 2009
Posts: 10
PC Experience: PC Illiterate
Default Re: Re-infected with Trojan Vundo

Sorry for the slow reply, I got a little busy and couldn't take care of things until now.

ComboFix 09-04-04.01 - Crystal 2009-04-10 0:34:48.4 - NTFSx86
Running from: c:\documents and settings\Crystal\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Crystal\Desktop\CFScript.txt

FILE ::
c:\windows\system32\kekasika.exe
c:\windows\system32\rilihoki.exe
c:\windows\system32\ssqNGVoP.dll
c:\windows\Tasks\lmkyhmjr.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\svcho.exe
c:\windows\sysguard.exe
c:\windows\syssvc.exe
c:\windows\system32\iehelper.dll
c:\windows\Tasks\lmkyhmjr.job

.
((((((((((((((((((((((((( Files Created from 2009-03-10 to 2009-04-10 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-10 05:29 --------- d-----w c:\documents and settings\Crystal\Application Data\DNA
2009-04-10 04:59 --------- d-----w c:\program files\DNA
2009-04-10 01:52 --------- d-----w c:\documents and settings\Crystal\Application Data\AVG7
2009-04-09 02:27 --------- d-----w c:\program files\Windows Live Safety Center
2009-04-08 17:13 --------- d-----w c:\documents and settings\Crystal\Application Data\Skype
2009-04-08 16:56 --------- d-----w c:\documents and settings\Crystal\Application Data\skypePM
2009-02-17 08:33 --------- d-----w c:\documents and settings\Crystal\Application Data\uTorrent
2009-02-17 01:30 --------- d-----w c:\program files\uTorrent
2009-02-15 00:22 --------- d-----w c:\program files\Soulseek
2009-02-14 20:36 --------- d--h--r c:\documents and settings\Crystal\Application Data\yahoo!
2009-02-14 20:36 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo! Companion
2009-02-14 20:34 --------- d-----w c:\program files\Veoh Networks
2009-02-12 02:56 --------- d-----w c:\program files\Google
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2008-12-20 09:12 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 09:12 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 09:12 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 09:12 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2008-12-20 09:12 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-29_13.22.56.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-02-09 10:20:05 1,847,424 ----a-w c:\windows\$hf_mig$\KB958690\SP2QFE\win32k.sys
+ 2009-02-09 11:13:27 1,846,784 ----a-w c:\windows\$hf_mig$\KB958690\SP3GDR\win32k.sys
+ 2009-02-09 11:08:53 1,847,552 ----a-w c:\windows\$hf_mig$\KB958690\SP3QFE\win32k.sys
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB958690\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB958690\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB958690\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB958690\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB958690\update\updspapi.dll
+ 2008-07-03 13:03:29 8,460,800 ----a-w c:\windows\$hf_mig$\KB967715\SP2QFE\shell32.dll
+ 2008-02-15 09:06:21 351,744 ----a-w c:\windows\$hf_mig$\KB967715\SP2QFE\xpsp3res.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\$hf_mig$\KB967715\SP3GDR\shell32.dll
+ 2008-06-17 19:04:34 8,461,824 ----a-w c:\windows\$hf_mig$\KB967715\SP3QFE\shell32.dll
+ 2008-07-09 07:38:24 17,272 ----a-w c:\windows\$hf_mig$\KB967715\spmsg.dll
+ 2008-07-09 07:38:25 231,288 ----a-w c:\windows\$hf_mig$\KB967715\spuninst.exe
+ 2008-07-09 07:38:24 26,488 ----a-w c:\windows\$hf_mig$\KB967715\update\spcustom.dll
+ 2008-07-09 07:38:29 755,576 ----a-w c:\windows\$hf_mig$\KB967715\update\update.exe
+ 2008-07-09 07:38:37 382,840 ----a-w c:\windows\$hf_mig$\KB967715\update\updspapi.dll
- 2007-10-26 03:36:51 8,454,656 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 -c--a-w c:\windows\system32\dllcache\shell32.dll
- 2008-09-15 11:57:41 1,846,016 -c--a-w c:\windows\system32\dllcache\win32k.sys
+ 2009-02-09 10:19:34 1,846,272 -c--a-w c:\windows\system32\dllcache\win32k.sys
- 2007-06-12 04:51:12 10,834,944 -c--a-w c:\windows\system32\dllcache\wmp.dll
+ 2008-11-11 23:34:42 10,838,016 -c--a-w c:\windows\system32\dllcache\wmp.dll
- 2008-10-15 03:51:44 289,296 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-03-29 21:03:30 289,296 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2007-10-26 03:36:51 8,454,656 ----a-w c:\windows\system32\shell32.dll
+ 2008-07-03 13:16:57 8,454,656 ----a-w c:\windows\system32\shell32.dll
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-09 07:38:24 17,272 ------w c:\windows\system32\spmsg.dll
- 2006-09-25 22:58:48 23,856 ----a-w c:\windows\system32\spupdsvc.exe
+ 2007-07-27 14:41:38 26,488 ----a-w c:\windows\system32\spupdsvc.exe
- 2007-06-12 04:51:12 10,834,944 ----a-w c:\windows\system32\wmp.dll
+ 2008-11-11 23:34:42 10,838,016 ----a-w c:\windows\system32\wmp.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AIM"="c:\program files\AIM\aim.exe" [2003-09-25 61440]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-12 68856]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-03-01 4670968]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-01-09 342848]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2009-02-06 3572984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-05-05 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-05-05 708698]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-05-05 5898240]
"AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2009-02-24 590848]
"AVG7_EMC"="c:\progra~1\Grisoft\AVG7\avgemc.exe" [2008-01-08 406528]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-16 49152]
"Share-to-Web Namespace Daemon"="c:\program files\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 69632]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-11-21 35328]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 83608]
"PtiuPbmd"="ptipbm.dll" [2005-05-05 c:\windows\system32\ptipbm.dll]
"CHotkey"="mHotkey.exe" [2001-12-26 c:\windows\mHotkey.exe]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-08-12 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-05-05 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-05-05 c:\windows\ALCWZRD.EXE]
"nwiz"="nwiz.exe" [2005-05-05 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-11-07 219136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-11-02 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-14 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-14 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-21 01:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Documents and Settings\\Crystal\\Desktop\\slsk.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Java\\jre1.6.0_01\\bin\\jucheck.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 CBBCM43;BUFFALO WLI-CB-XXX Wireless LAN Adapter;c:\windows\system32\DRIVERS\bcmwl5.sys [2003-01-20 163712]
S1 TeksKernel;TeksKernel;c:\windows\system32\Drivers\TeksKernel.sys [2004-07-08 9060]
S2 bwcdrv;BUFFALO Wireless Configuration;c:\windows\system32\DRIVERS\bwcdrv.sys [2003-01-20 7680]
S2 ProductivITService;ProductivIT Service;c:\program files\AlienAutopsy\TEKS_Service.exe [2004-07-08 77824]
S3 Slazldrv;SmartLink AMR_PCI Driver;c:\windows\system32\DRIVERS\SLDRV\slazldrv.sys [2005-05-05 230448]


--- Other Services/Drivers In Memory ---

*Deregistered* - aawservice
*Deregistered* - AFD
*Deregistered* - ALG
*Deregistered* - Arp1394
*Deregistered* - AudioSrv
*Deregistered* - audstub
*Deregistered* - Avg7Alrt
*Deregistered* - Avg7Core
*Deregistered* - Avg7RsW
*Deregistered* - Avg7RsXP
*Deregistered* - Avg7UpdSvc
*Deregistered* - AvgClean
*Deregistered* - AvgTdi
*Deregistered* - Beep
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - bwcdrv
*Deregistered* - Cdfs
*Deregistered* - Compbatt
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - Dnscache
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - Fips
*Deregistered* - FltMgr
*Deregistered* - Ftdisk
*Deregistered* - Gpc
*Deregistered* - helpsvc
*Deregistered* - HidServ
*Deregistered* - HTTP
*Deregistered* - HTTPFilter
*Deregistered* - ImapiService
*Deregistered* - InCDfs
*Deregistered* - InCDsrv
*Deregistered* - IntelIde
*Deregistered* - IpNat
*Deregistered* - IPSec
*Deregistered* - irda
*Deregistered* - Irmon
*Deregistered* - KSecDD
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - mnmdd
*Deregistered* - MountMgr
*Deregistered* - MRxDAV
*Deregistered* - MRxSmb
*Deregistered* - Msfs
*Deregistered* - mssmbios
*Deregistered* - Mup
*Deregistered* - NDIS
*Deregistered* - NdisTapi
*Deregistered* - Ndisuio
*Deregistered* - NdisWan
*Deregistered* - NDProxy
*Deregistered* - NetBIOS
*Deregistered* - NetBT
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - Npfs
*Deregistered* - npkcmsvc
*Deregistered* - npkcrypt
*Deregistered* - Ntfs
*Deregistered* - Null
*Deregistered* - NVSvc
*Deregistered* - PartMgr
*Deregistered* - ParVdm
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProductivITService
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasirda
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - RecAgent
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SLService
*Deregistered* - SlWdmSup
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - stisvc
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - Tcpip
*Deregistered* - TeksKernel
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - usnjsvc
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0732a5c0-faa1-11db-b8dd-0090f53edbaf}]
\Shell\AutoRun\command - E:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5c5c311e-cfc8-11dd-9fba-0090f53ed11c}]
\Shell\AutoRun\command - J:\LaunchU3.exe
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-system tool - c:\windows\sysguard.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mStart Page = hxxp://www.yahoo.com
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
Trusted Zone: unf.edu\mywings
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Crystal\Application Data\Mozilla\Firefox\Profiles\t95vmqwi.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-10 00:37:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1629006583-3652679288-599142781-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(844)
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2009-04-10 0:38:44
ComboFix-quarantined-files.txt 2009-04-10 05:38:40
ComboFix2.txt 2009-03-29 18:23:47
ComboFix3.txt 2008-12-28 19:39:30

Pre-Run: 51,157,630,976 bytes free
Post-Run: 51,300,335,616 bytes free

318 --- E O F --- 2009-03-29 19:04:35


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:24 AM, on 4/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AlienAutopsy\TEKS_Service.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.127 browser-security.microsoft.com
O1 - Hosts: 91.212.65.127 spywareprotector-2009.com
O1 - Hosts: 91.212.65.127 http://www.spywareprotector-2009.com
O1 - Hosts: 91.212.65.127 secure.spywareprotector-2009.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe" (User '?')
O4 - HKUS\S-1-5-21-1629006583-3652679288-599142781-1005\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - S-1-5-21-1629006583-3652679288-599142781-1005 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User '?')
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/resources/MSNPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: npkcmsvc - INCA Internet Co., Ltd. - C:\Nexon\MapleStory\npkcmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ProductivIT Service (ProductivITService) - DynTek, Inc. - C:\Program Files\AlienAutopsy\TEKS_Service.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 11040 bytes

Last edited by chiaz; 04-10-2009 at 07:04 AM. Reason: Edited malicious link out