Click the ccsetup???_slim.exe...icon on your desktop. (??? = version #'s)
Press the "Run" button (Security prompt). Select a language and press the "OK" button.
Click "Next" (Welcome screen). Click "I Agree" (License Agreement).
Click "Next" for the default install location. The default is set to C:\Program Files\CCleaner. Unless you want it installed elsewhere, just leave it.
Check the "Install Options" you want.
Click "Install". Click "Finish" when prompted.
To Run CCleaner:
Click CCleaner desktop icon or Start Menu item...(depending on install options)
Before first use, check under Options, Advanced, and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
A pop up box will appear advising this process will permanently delete files from your system.
Select the items to clean up.
In the Windows Tab:
Clean all entries in the "Internet Explorer" section. Note: the "Cookies" box, if checked, will require re-entry of user names and passwords on your next visit to sites that require users to log in.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section, except "Start Menu Shortcuts" and "Desktop Shortcuts": uncheck these 2 items.
*Uncheck* the "Advanced" section.
In the Applications Tab:
Clean all in the "Firefox/Mozilla" section (if you use it). Firefox Caution: the "Saved Form Information" box, if checked, will remove all your saved passwords, if you use that feature.
Clean all in the "Opera" section (if you use it).
Clean all in the "Applications" section.
Clean all in the "Internet" section.
Clean all in the "Multimedia" section (if you use them).
Clean all in the "Utilities" section (if you use them).
Clean all in the "Windows" section.
Then click the "Run Cleaner" button and it will scan and clean your system.
Close CCleaner when finished.
FYI...You may see some files "marked" for deletion when Windows restarts...this is because they are "in use" by the system and can't be removed until restart. CAUTION: Please do NOT use the "Issues" button in the left pane.
This is a built-in registry cleaner. Removing certain entries can render your computer inoperable!
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, December 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, December 17, 2008 20:42:06
Records in database: 1472279
Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes
Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
Scan statistics:
Files scanned: 204386
Threat name: 3
Infected objects: 5
Suspicious objects: 0
Duration of the scan: 05:10:04
File name / Threat name / Threats count
C:\Documents and Settings\Edwin T\Desktop\Downloads\Kaspersky_Anti-Virus_2009_v8.0.0.454_FINAL__FULL___ENG_\Kaspersky_Anti-Virus_2009_v8.0.0.454_FINAL__FULL___ENG_\kav8.0.0.454en.EXE Infected: Trojan.Win32.Small.xtm 1
C:\Documents and Settings\Edwin T\Desktop\Downloads\Kaspersky_Anti-Virus_2009_v8.0.0.454_FINAL__FULL___ENG_.rar Infected: Trojan.Win32.Small.xtm 1
C:\Documents and Settings\Edwin T\Desktop\Downloads\Limewire_Turbo_5.4.1.rar Infected: not-a-virus:WebToolbar.Win32.WhenU.a 1
C:\OLD HARD DRIVE\Incomplete\Preview-T-3515162-over there al jolson.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\OLD HARD DRIVE\Incomplete\T-3515162-over there al jolson.wma Infected: Trojan-Downloader.WMA.Wimad.n 1
The selected area was scanned.
ComboFix 08-12-20.03 - Edwin T 2008-12-20 16:30:00.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1438 [GMT -8:00]
Running from: c:\documents and settings\Edwin T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwin T\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Edwin T\nah_log.dat
c:\windows\system32\adrnln.bin
c:\windows\system32\evitosan.ini
c:\windows\system32\huyavamu.dll
c:\windows\system32\ozukayof.ini
c:\windows\system32\ubalajal.ini
c:\windows\system32\ulemopib.ini
c:\windows\system32\uligihal.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_MSVTCH
OK, something is up, my Safari browser keeps crashing now out of nowhere. Right when you open it, it gives the "send report" or "don't send" error and crashes within 5 seconds of opening.
And now when I get an IM from someone on AIM it takes about 3 seconds to receive it, and if I get, let's say, 2-3 IMs in a row it freezes everything else until it loads the message, then it goes again.
What's going on?
You have many infections which are affecting your browser.
Open HijackThis, click "Do system scan only" and mark these lines.
ComboFix 08-12-20.03 - Edwin T 2008-12-21 20:39:39.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1280 [GMT -8:00]
Running from: c:\documents and settings\Edwin T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwin T\Desktop\CFScript..txt
* Created a new restore point
* Resident AV is active
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:17 d-----w c:\documents and settings\Edwin T\Application Data\SlimBrowser
2008-12-16 23:10 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 07:31 d-----w c:\documents and settings\Edwin T\Application Data\LimeWire
2008-12-12 00:32 d-----w c:\program files\SlimBrowser
2008-12-05 02:56 d-----w c:\documents and settings\Edwin T\Application Data\iolo
2008-12-04 06:03 d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-30 23:04 d-----w c:\program files\Common Files\Real
2008-11-25 20:05 d-----w c:\documents and settings\All Users\Application Data\Norton
2008-11-20 23:58 d-----w c:\documents and settings\Edwin T\Application Data\Viewpoint
2008-11-19 01:10 d-----w c:\program files\Viewpoint
2008-11-19 01:10 d-----w c:\program files\AIM6
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-18 20:52 d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-07 02:45 d-----w c:\program files\SopCast
2008-11-06 06:26 d-----w c:\program files\LimeWire Turbo
2008-11-06 06:19 d-----w c:\program files\LimeWire
2008-11-06 05:42 d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-06 05:12 d-----w c:\documents and settings\Edwin T\Application Data\LimeWireTurbo
2008-11-01 19:09 d-----w c:\program files\Opera
2008-10-24 20:26 d--h--r c:\documents and settings\Edwin T\Application Data\SecuROM
2008-10-24 19:34 d-----w c:\documents and settings\Edwin T\Application Data\gnupg
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
Hey, I keep getting the Portcyls.sys Blue Screen of Death.
I googled and it's apparently the audio driver. How the hell can I fix this? I thought I already fixed this issue before. :/
Open HijackThis, click "Do system scan only" and mark these lines.
O20 - Winlogon Notify: mt49hub - mt49hub.dll (file missing)
After you have marked lines press Fix checked.
CCleaner
Please download CCleaner ... © Piriform Ltd. (slim version) and save it to your desktop. A CCleaner guide can be found here, if needed.
To Install CCleaner:
Please do a scan with Kaspersky Online Scanner
Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.
Click on the Accept button and install any components it needs.
Please send the following log files in your next post.
Scan saved at 10:21:33 PM, on 12/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\twext.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\twext.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8376 bytes
Open HijackThis, click "Do system scan only" and mark these lines.
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\twext.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\twext.exe (User 'Default user')
After you have marked lines press Fix checked.
Run ComboFix.exe again and send ComboFix's log and a new HijackThis log in your next post.
((((((((((((((((((((((((( Files Created from 2008-11-21 to 2008-12-21 )))))))))))))))))))))))))))))))
.
2008-12-20 16:50 . 2008-12-20 16:51 120 ---hs---- c:\windows\system32\ozukayof.ini
2008-12-20 13:20 . 2008-12-20 14:23 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\vlc
2008-12-20 13:17 . 2008-12-20 13:17 <DIR> d-------- c:\program files\VideoLAN
2008-12-18 14:18 . 2008-12-18 14:20 <DIR> d-------- c:\program files\DivX
2008-12-16 15:36 . 2008-12-16 15:36 <DIR> d-------- c:\program files\CCleaner
2008-12-15 18:28 . 2008-12-15 18:28 57,060 --ah----- c:\windows\system32\mlfcache.dat
2008-12-04 00:53 . 2008-12-04 00:53 <DIR> d-------- c:\program files\PSTRUH
2008-12-04 00:21 . 2008-12-04 00:21 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2008-12-03 22:09 . 2008-12-03 22:09 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\ESET
2008-12-03 22:03 . 2008-12-03 22:03 <DIR> d-------- c:\program files\ESET
2008-12-03 17:48 . 2008-12-03 17:48 0 --a------ c:\windows\system32\a9xt.bin
2008-12-03 01:22 . 2008-12-03 01:22 268 --ah----- C:\sqmdata19.sqm
2008-12-03 01:22 . 2008-12-03 01:22 244 --ah----- C:\sqmnoopt19.sqm
2008-11-30 20:01 . 2008-11-30 20:01 244 --ah----- C:\sqmnoopt18.sqm
2008-11-30 20:01 . 2008-11-30 20:01 232 --ah----- C:\sqmdata18.sqm
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-29 20:39 . 2008-11-29 20:39 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-25 10:38 . 2008-11-25 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-25 10:37 . 2008-11-25 10:37 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 10:37 . 2008-11-25 10:37 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-25 10:37 . 2008-11-25 10:37 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 10:37 . 2008-11-25 10:37 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d-------- c:\windows\system32\drivers\NAV
2008-11-21 13:47 . 2008-11-21 13:47 3,596,288 --a------ c:\windows\system32\qt-dx331.dll
2008-11-21 13:47 . 2008-11-21 13:47 524,288 --a------ c:\windows\system32\DivXsm.exe
2008-11-21 13:47 . 2008-11-21 13:47 4,816 --a------ c:\windows\system32\divxsm.tlb
2008-11-21 13:46 . 2008-11-21 13:46 1,044,480 --a------ c:\windows\system32\libdivx.dll
2008-11-21 13:46 . 2008-11-21 13:46 200,704 --a------ c:\windows\system32\ssldivx.dll
2008-11-21 13:44 . 2008-11-21 13:44 161,096 --a------ c:\windows\system32\DivXCodecVersionChecker.exe
2008-11-21 13:44 . 2008-11-21 13:44 12,288 --a------ c:\windows\system32\DivXWMPExtType.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:17 d-----w c:\documents and settings\Edwin T\Application Data\SlimBrowser
2008-12-20 19:11 97,345 --sha-w c:\windows\system32\sahuyana.dll
2008-12-20 19:11 87,156 --sha-w c:\windows\system32\foyakuzo.dll
2008-12-20 19:06 98,015 --sha-w c:\windows\system32\wunebiwe.dll
2008-12-20 19:06 83,052 --sha-w c:\windows\system32\bipomelu.dll
2008-12-20 06:37 97,388 --sha-w c:\windows\system32\begopena.dll
2008-12-19 18:37 96,827 --sha-w c:\windows\system32\wahemoyu.dll
2008-12-19 18:37 87,226 ------w c:\windows\system32\lajalabu.dll
2008-12-19 06:37 94,886 --sha-w c:\windows\system32\tozomodo.dll
2008-12-19 06:37 83,218 ------w c:\windows\system32\nasotive.dll
2008-12-16 23:10 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-16 01:01 d-----w c:\program files\Safari
2008-12-14 07:31 d-----w c:\documents and settings\Edwin T\Application Data\LimeWire
2008-12-12 00:32 d-----w c:\program files\SlimBrowser
2008-12-05 02:56 d-----w c:\documents and settings\Edwin T\Application Data\iolo
2008-12-05 00:44 935,776 ----a-w c:\windows\system32\Incinerator.dll
2008-12-04 06:03 d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-30 23:04 d-----w c:\program files\Common Files\Real
2008-11-25 20:05 d-----w c:\documents and settings\All Users\Application Data\Norton
2008-11-25 03:34 295,424 ----a-w c:\windows\system32\termsrv.dll
2008-11-20 23:58 d-----w c:\documents and settings\Edwin T\Application Data\Viewpoint
2008-11-19 01:10 d-----w c:\program files\Viewpoint
2008-11-19 01:10 d-----w c:\program files\AIM6
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-18 20:52 d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-18 19:51 8,192 ----a-w c:\windows\system32\smrgdf.exe
2008-11-07 02:45 d-----w c:\program files\SopCast
2008-11-06 06:26 d-----w c:\program files\LimeWire Turbo
2008-11-06 06:19 d-----w c:\program files\LimeWire
2008-11-06 05:42 d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-06 05:12 d-----w c:\documents and settings\Edwin T\Application Data\LimeWireTurbo
2008-11-01 19:09 d-----w c:\program files\Opera
2008-10-24 20:26 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
2008-10-24 20:26 d--h--r c:\documents and settings\Edwin T\Application Data\SecuROM
2008-10-24 19:34 d-----w c:\documents and settings\Edwin T\Application Data\gnupg
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 22:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 22:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 22:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 22:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 22:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 22:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 22:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 22:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 22:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 22:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 20:38 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-03 10:15 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-10-01 00:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-24 17:32 28,672 ----a-w c:\windows\system32\iolobtdfg.exe
2008-09-19 06:30 60,416 --sha-w c:\windows\system32\mejejaza.dll
2008-09-19 06:30 60,416 --sha-w c:\windows\system32\pigirayo.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f29e4e0b-d2e2-4985-b6b1-bef467418fb1}]
2008-09-18 22:30 60416 --ahs---- c:\windows\system32\mejejaza.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7618560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-30 185872]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"zigugezama"="c:\windows\system32\pigirayo.dll" [2008-09-18 60416]
"d4cb738f"="c:\windows\system32\foyakuzo.dll" [2008-12-20 87156]
"CPMd7f84013"="c:\windows\system32\sahuyana.dll" [2008-12-20 97345]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-23 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-09 c:\windows\RTHDCPL.EXE]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4}"= "c:\windows\system32\sahuyana.dll" [2008-12-20 97345]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"SSODL"= {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll [2008-12-20 97345]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\huyavamu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5400]
--a------ 2003-05-26 19:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Edwin T\\Desktop\\Downloads\\WoW-BurningCrusade-Trial-enUS-Installer-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-08 30728]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596336]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-18 24652]
.
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-msvtch.sys
.
Supplementary Scan
.
uInternet Settings,ProxyOverride = *.local
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Edwin T\Application Data\Mozilla\Firefox\Profiles\2ng5ejc2.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
.
File Associations
.
JSEFile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 16:50:07
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\ozukayof.ini 1603449 bytes
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1068)
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(1124)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(1420)
c:\windows\system32\foyakuzo.dll
c:\windows\system32\sahuyana.dll
c:\windows\system32\pigirayo.dll
.
Other Running Processes
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-12-20 16:58:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-21 00:57:21
ComboFix2.txt 2008-12-02 21:10:27
ComboFix3.txt 2008-12-02 02:18:42
ComboFix4.txt 2008-11-29 00:15:12
ComboFix5.txt 2008-12-21 00:27:17
Pre-Run: 182,141,505,536 bytes free
Post-Run: 182,238,097,408 bytes free
265 --- E O F --- 2008-12-16 23:10:17
Scan saved at 5:04:14 PM, on 12/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {f29e4e0b-d2e2-4985-b6b1-bef467418fb1} - C:\WINDOWS\system32\mejejaza.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [zigugezama] Rundll32.exe "C:\WINDOWS\system32\pigirayo.dll",s
O4 - HKLM\..\Run: [d4cb738f] rundll32.exe "C:\WINDOWS\system32\foyakuzo.dll",b
O4 - HKLM\..\Run: [CPMd7f84013] Rundll32.exe "c:\windows\system32\sahuyana.dll",a
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\huyavamu.dll c:\windows\system32\sahuyana.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8524 bytes
And now when I get an IM from someone on AIM it takes about 3 seconds to receive it, and if I get, let's say, 2-3 IMs in a row it freezes everything else until it loads the message, then it goes again.
What's going on?
You have many infections which are affecting your browser.
Open HijackThis, click Do system scan only and mark these lines.
O2 - BHO: (no name) - {f29e4e0b-d2e2-4985-b6b1-bef467418fb1} - C:\WINDOWS\system32\mejejaza.dll
O4 - HKLM\..\Run: [zigugezama] Rundll32.exe "C:\WINDOWS\system32\pigirayo.dll",s
O4 - HKLM\..\Run: [d4cb738f] rundll32.exe "C:\WINDOWS\system32\foyakuzo.dll",b
O4 - HKLM\..\Run: [CPMd7f84013] Rundll32.exe "c:\windows\system32\sahuyana.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\huyavamu.dll c:\windows\system32\sahuyana.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll
After you have marked the lines, press Fix checked.
Open Notepad and copy & paste the Quotebox's content into Notepad. Save As CFScript.
Then drag & drop CFScript onto ComboFix.exe like in the sample picture.
Restart the computer if needed and send the combofix.txt content and a fresh HijackThis log.
Please start and update Malwarebytes' Anti-Malware.
After the update, perform a full scan.
Please send these log files in your next post.
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\sahuyana.dll
Those 3 weren't on the list when I did the scan only, so I can remove them.
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1280 [GMT -8:00]
Running from: c:\documents and settings\Edwin T\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Edwin T\Desktop\CFScript..txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\system32\begopena.dll
c:\windows\system32\bipomelu.dll
c:\windows\system32\foyakuzo.dll
c:\windows\system32\iolobtdfg.exe
c:\windows\system32\lajalabu.dll
c:\windows\system32\mejejaza.dll
c:\windows\system32\nasotive.dll
c:\windows\system32\ozukayof.ini
c:\windows\system32\pigirayo.dll
c:\windows\system32\sahuyana.dll
c:\windows\system32\smrgdf.exe
c:\windows\system32\tozomodo.dll
c:\windows\system32\wahemoyu.dll
c:\windows\system32\wunebiwe.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\begopena.dll
c:\windows\system32\bipomelu.dll
c:\windows\system32\ebudufoz.ini
c:\windows\system32\foyakuzo.dll
c:\windows\system32\iolobtdfg.exe
c:\windows\system32\ipayojok.ini
c:\windows\system32\lajalabu.dll
c:\windows\system32\mejejaza.dll
c:\windows\system32\nasotive.dll
c:\windows\system32\ozukayof.ini
c:\windows\system32\pigirayo.dll
c:\windows\system32\sahuyana.dll
c:\windows\system32\smrgdf.exe
c:\windows\system32\tozomodo.dll
c:\windows\system32\wahemoyu.dll
c:\windows\system32\wunebiwe.dll
.
((((((((((((((((((((((((( Files Created from 2008-11-22 to 2008-12-22 )))))))))))))))))))))))))))))))
.
2008-12-20 17:22 . 2008-12-20 17:23 <DIR> d-------- c:\program files\Safari
2008-12-20 13:20 . 2008-12-20 14:23 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\vlc
2008-12-20 13:17 . 2008-12-20 13:17 <DIR> d-------- c:\program files\VideoLAN
2008-12-18 14:18 . 2008-12-18 14:20 <DIR> d-------- c:\program files\DivX
2008-12-16 15:36 . 2008-12-16 15:36 <DIR> d-------- c:\program files\CCleaner
2008-12-15 18:28 . 2008-12-15 18:28 57,060 --ah----- c:\windows\system32\mlfcache.dat
2008-12-04 00:53 . 2008-12-04 00:53 <DIR> d-------- c:\program files\PSTRUH
2008-12-04 00:21 . 2008-12-04 00:21 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Webroot
2008-12-03 22:09 . 2008-12-03 22:09 <DIR> d-------- c:\documents and settings\Edwin T\Application Data\ESET
2008-12-03 22:03 . 2008-12-03 22:03 <DIR> d-------- c:\program files\ESET
2008-12-03 17:48 . 2008-12-03 17:48 0 --a------ c:\windows\system32\a9xt.bin
2008-12-03 01:22 . 2008-12-03 01:22 268 --ah----- C:\sqmdata19.sqm
2008-12-03 01:22 . 2008-12-03 01:22 244 --ah----- C:\sqmnoopt19.sqm
2008-11-30 20:01 . 2008-11-30 20:01 244 --ah----- C:\sqmnoopt18.sqm
2008-11-30 20:01 . 2008-11-30 20:01 232 --ah----- C:\sqmdata18.sqm
2008-11-30 15:04 . 2008-11-30 15:04 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-29 20:39 . 2008-11-29 20:39 43,520 --a------ c:\windows\system32\CmdLineExt03.dll
2008-11-25 10:38 . 2008-11-25 10:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Symantec
2008-11-25 10:37 . 2008-11-25 10:37 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2008-11-25 10:37 . 2008-11-25 10:37 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2008-11-25 10:37 . 2008-11-25 10:37 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2008-11-25 10:37 . 2008-11-25 10:37 10,635 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-25 10:37 . 2008-11-25 10:37 806 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2008-11-25 10:36 . 2008-11-25 10:36 <DIR> d-------- c:\windows\system32\drivers\NAV
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-20 21:17 d-----w c:\documents and settings\Edwin T\Application Data\SlimBrowser
2008-12-16 23:10 d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-12-14 07:31 d-----w c:\documents and settings\Edwin T\Application Data\LimeWire
2008-12-12 00:32 d-----w c:\program files\SlimBrowser
2008-12-05 02:56 d-----w c:\documents and settings\Edwin T\Application Data\iolo
2008-12-04 06:03 d-----w c:\documents and settings\All Users\Application Data\ESET
2008-11-30 23:04 d-----w c:\program files\Common Files\Real
2008-11-25 20:05 d-----w c:\documents and settings\All Users\Application Data\Norton
2008-11-20 23:58 d-----w c:\documents and settings\Edwin T\Application Data\Viewpoint
2008-11-19 01:10 d-----w c:\program files\Viewpoint
2008-11-19 01:10 d-----w c:\program files\AIM6
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\Viewpoint
2008-11-19 01:09 d-----w c:\documents and settings\All Users\Application Data\acccore
2008-11-18 20:52 d-----w c:\documents and settings\All Users\Application Data\AOL Downloads
2008-11-07 02:45 d-----w c:\program files\SopCast
2008-11-06 06:26 d-----w c:\program files\LimeWire Turbo
2008-11-06 06:19 d-----w c:\program files\LimeWire
2008-11-06 05:42 d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-11-06 05:12 d-----w c:\documents and settings\Edwin T\Application Data\LimeWireTurbo
2008-11-01 19:09 d-----w c:\program files\Opera
2008-10-24 20:26 d--h--r c:\documents and settings\Edwin T\Application Data\SecuROM
2008-10-24 19:34 d-----w c:\documents and settings\Edwin T\Application Data\gnupg
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.
((((((((((((((((((((((((((((( snapshot@2008-12-20_16.55.22.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-16 01:01:28 307,200 ----a-r c:\windows\Installer\{582D2A53-F426-4C5E-A2E6-43C1AB36B907}\SafariIco.exe
+ 2008-12-21 01:23:24 307,200 ----a-r c:\windows\Installer\{582D2A53-F426-4C5E-A2E6-43C1AB36B907}\SafariIco.exe
+ 2008-12-21 11:11:30 94,852 --sha-w c:\windows\system32\biravoja.dll
+ 2008-12-21 23:11:44 83,040 --sha-w c:\windows\system32\kojoyapi.dll
+ 2008-12-21 23:11:44 96,923 --sha-w c:\windows\system32\rowisofi.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 153136]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"Aim6"="" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DiscWizardMonitor.exe"="c:\program files\Seagate\DiscWizard\DiscWizardMonitor.exe" [2007-04-19 1169744]
"AcronisTimounterMonitor"="c:\program files\Seagate\DiscWizard\TimounterMonitor.exe" [2007-04-19 1945688]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Seagate\Schedule2\schedhlp.exe" [2007-04-19 149024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-08-23 7618560]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-21 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 153136]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-30 185872]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-03-01 1443072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"d4cb738f"="c:\windows\system32\kojoyapi.dll" [2008-12-21 83040]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 5367664]
"nwiz"="nwiz.exe" [2006-08-23 c:\windows\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-23 c:\windows\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-09 c:\windows\RTHDCPL.EXE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\huyavamu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX5400]
--a------ 2003-05-26 19:00 99840 c:\windows\system32\spool\drivers\w32x86\3\E_S4I2G1.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 08:24 1694208 c:\program files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ares\\Ares.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Documents and Settings\\Edwin T\\Desktop\\Downloads\\WoW-BurningCrusade-Trial-enUS-Installer-downloader.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Java\\jre1.6.0_07\\bin\\javaw.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\iTunes\\iTunesHelper.exe"=
"c:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe"=
"c:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexStoreSvr.exe"=
R1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2007-11-08 30728]
R2 ekrn;Eset Service;"c:\program files\ESET\ESET Smart Security\ekrn.exe" [2007-12-21 468224]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596336]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2008-09-09 596336]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\Viewpoint\Common\ViewpointService.exe" [2008-11-18 24652]
.
Contents of the 'Scheduled Tasks' folder
2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -
BHO-{f29e4e0b-d2e2-4985-b6b1-bef467418fb1} - c:\windows\system32\mejejaza.dll
HKLM-Run-zigugezama - c:\windows\system32\pigirayo.dll
.
Supplementary Scan
.
uInternet Settings,ProxyOverride = *.local
O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Edwin T\Application Data\Mozilla\Firefox\Profiles\2ng5ejc2.default\
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\program files\Yahoo!\Shared\npYState.dll
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-21 20:57:04
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\ipayojok.ini 1603449 bytes
**************************************************************************
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1112)
c:\windows\system32\WRLogonNTF.dll
- - - - - - - > 'lsass.exe'(1168)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(3780)
c:\windows\system32\kojoyapi.dll
.
Other Running Processes
.
c:\program files\Common Files\Seagate\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Common Files\Ahead\Lib\NMIndexingService.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Webroot\Spy Sweeper\ssu.exe
.
**************************************************************************
.
Completion time: 2008-12-21 21:05:30 - machine was rebooted [Edwin T]
ComboFix-quarantined-files.txt 2008-12-22 05:04:04
ComboFix2.txt 2008-12-21 00:58:58
ComboFix3.txt 2008-12-02 21:10:27
ComboFix4.txt 2008-12-02 02:18:42
ComboFix5.txt 2008-12-22 04:38:00
Pre-Run: 181,891,543,040 bytes free
Post-Run: 181,999,677,440 bytes free
242 --- E O F --- 2008-12-16 23:10:17
Database version: 1456
Windows 5.1.2600 Service Pack 2
12/22/2008 10:01:33 AM
mbam-log-2008-12-22 (10-01-28).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 268854
Time elapsed: 4 hour(s), 51 minute(s), 19 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\kojoyapi.dll (Trojan.Vundo.H) -> No action taken.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d4cb738f (Trojan.Agent) -> No action taken.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\kojoyapi.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\ipayojok.ini (Trojan.Vundo.H) -> No action taken.
Scan saved at 10:02:58 AM, on 12/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe
C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
c:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\iolo\common\lib\ioloServiceManager.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [DiscWizardMonitor.exe] "C:\Program Files\Seagate\DiscWizard\DiscWizardMonitor.exe"
O4 - HKLM\..\Run: [AcronisTimounterMonitor] "C:\Program Files\Seagate\DiscWizard\TimounterMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Seagate\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [itype] "c:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [d4cb738f] "rundll32.exe" "C:\WINDOWS\system32\kojoyapi.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1204188025250
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\huyavamu.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Seagate\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - C:\Program Files\iolo\common\lib\ioloServiceManager.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 8115 bytes
Use the Remove Selected button to remove the infected items MBAM found.
Scan again with MBAM, but remember to remove the infected files.
Merry Christmas and happy new year!
Please scan again with Malwarebytes and remove all infections found.
Post these log files in your next post
Malwarebytes log file
New HijackThis log
I'll have it up soon, sorry, it's been hectic this week.
I googled it and it's apparently the audio driver. How the hell can I fix this? I thought I already fixed this issue before. :/
Database version: 1456
Windows 5.1.2600 Service Pack 2
1/6/2009 8:08:35 AM
mbam-log-2009-01-06 (08-08-35).txt
Scan type: Full Scan (C:\|F:\|G:\|)
Objects scanned: 275809
Time elapsed: 5 hour(s), 5 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\scrfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: ("%1" /S) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\regfile\shell\open\command\ (Broken.OpenCommand) -> Bad: (NOTEPAD.EXE %1) Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)